  OpenAM
  OPENAM-16669

IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 6.5.3
    • Fix Version/s: 6.5.4, 7.1.0, 7.0.1
    • Component/s: cdsso, core
    • Environment: IG using CDSSO filter against AM 7 with com.sun.identity.enableUniqueSSOTokenCookie=true

      Description

      Bug description

      When AM is set up with com.sun.identity.enableUniqueSSOTokenCookie=true, restricted SSO tokens are returned to IG via the CDSSO JWT.

      When IG presents a restricted SSO token to AM for session validation, the process breaks down in com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction#isSatisfied because the DN is empty.

      How to reproduce the issue

      Set com.sun.identity.enableUniqueSSOTokenCookie=true in the server's advanced properties and attempt a CDSSO round trip between IG and AM using an IG agent entry in AM.

      Workaround

      Use a Java or Web agent in place of the IG agent for IG CDSSO/AmService definitions.

      Code analysis

      org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

          if (isAgentActive(agentAttributes)) {
              Set<String> agentAttributeValues = agentAttributes.get(LDAP_ATTR_NAME);
              // An entry with no LDAP_ATTR_NAME (sunIdentityServerDeviceKeyValue) values never enters this branch,
              // so no AgentInfo (and therefore no DN) is recorded for it.
              if (agentAttributeValues != null && !agentAttributeValues.isEmpty()) {
                  agentInfoList.add(new AgentInfo(
                          IdentityUtils.getDN(agentIdentity),
                          getAgentHostNames(agentAttributeValues),
                          getAgentRootUrls(agentAttributeValues)));
              }
          }


      The IG agent entry does not have an LDAP_ATTR_NAME (sunIdentityServerDeviceKeyValue) attribute, so the inner block is never entered and no AgentInfo is created for the IG agent.
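      To make the failure path concrete, here is an added Python model (not OpenAM's own code) of the branch above: a Web agent entry carrying sunIdentityServerDeviceKeyValue yields an AgentInfo, an IG agent entry without it yields nothing, and the DN-list restriction built from those AgentInfo DNs then rejects the IG agent. The "agentRootURL=" value prefix, the DNs and the entries are assumptions, and the "lenient" fallback is an illustrative mitigation, not the fix shipped in the fix versions.

```python
"""Added illustration, not OpenAM's own code: models TokenRestrictionResolver#getAgentInfo
for a Web agent entry versus an IG agent entry, and the effect on a DN-list restriction."""
from urllib.parse import urlparse

LDAP_ATTR_NAME = "sunIdentityServerDeviceKeyValue"  # attribute named in the report
ROOT_URL_PREFIX = "agentRootURL="                   # assumed format of the attribute values


def get_agent_info(agent_dn: str, agent_attributes: dict, lenient: bool = False) -> list:
    """Same shape as the quoted loop, for one active agent entry.

    Returns a list of (dn, hostnames, root_urls) tuples. 'lenient' adds a hypothetical
    fallback that is NOT AM's actual fix: keep the DN even when LDAP_ATTR_NAME is absent.
    """
    agent_info_list = []
    values = agent_attributes.get(LDAP_ATTR_NAME)
    if values:  # mirrors: != null && !isEmpty()
        root_urls = sorted(v[len(ROOT_URL_PREFIX):] for v in values if v.startswith(ROOT_URL_PREFIX))
        hostnames = sorted({urlparse(u).hostname for u in root_urls})
        agent_info_list.append((agent_dn, hostnames, root_urls))
    elif lenient:
        agent_info_list.append((agent_dn, [], []))
    return agent_info_list


def dn_restriction_satisfied(agent_info_list: list, presenting_dn: str) -> bool:
    """DN half of DNOrIPAddressListTokenRestriction#isSatisfied: the DN list is built
    from the AgentInfo DNs, so an empty list rejects every presenting agent."""
    return presenting_dn in {dn for dn, _, _ in agent_info_list}


# Constructed entries: the Web agent carries the attribute, the IG agent does not.
WEB_DN = "uid=web-agent,ou=agents,dc=example,dc=com"
IG_DN = "uid=ig-agent,ou=agents,dc=example,dc=com"
WEB_ENTRY = {LDAP_ATTR_NAME: {ROOT_URL_PREFIX + "https://web.example.com:443/"}}
IG_ENTRY = {"sunIdentityServerDeviceStatus": {"Active"}}  # other attributes, but no LDAP_ATTR_NAME

if __name__ == "__main__":
    print(get_agent_info(WEB_DN, WEB_ENTRY))
    print(dn_restriction_satisfied(get_agent_info(IG_DN, IG_ENTRY), IG_DN))                # False: the bug
    print(dn_restriction_satisfied(get_agent_info(IG_DN, IG_ENTRY, lenient=True), IG_DN))  # True
```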

            People

            Assignee: Mark de Reeper (markdr)
            Reporter: Mark de Reeper (markdr)