OpenAM / OPENAM-16712

Importing SAML2 Metadata with both IDP and SP with cot ends up with duplicated extended metadata



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2, 6.5.3
    • Fix Version/s: 7.0.0, 6.5.4
    • Component/s: SAML
    • Rank:
    • Sprint: AM Sustaining Sprint 79
    • 3
    • Yes
    • No
    • Yes and I used the same an in the description


      Bug description

      Importing SAML2 metadata that contains both an SPSSODescriptor and an IDPSSODescriptor through the Configure SAML2 dashboard

      causes an error later when accessing the SAML2 entity in the console; the debug logs show:

      Root cause:
      java.lang.IllegalStateException: Duplicate key [cot]
              at java.util.stream.Collectors.lambda$throwingMerger$0(Collectors.java:133)
              at java.util.HashMap.merge(HashMap.java:1254)
              at java.util.stream.Collectors.lambda$toMap$58(Collectors.java:1320)
              at java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
              at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
              at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
              at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
              at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
              at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
              at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
              at com.sun.identity.saml2.meta.SAML2MetaUtils.getAttributes(SAML2MetaUtils.java:222)
              at com.sun.identity.console.federation.model.SAMLv2ModelImpl.getExtendedServiceProviderAttributes(SAMLv2ModelImpl.java:938)
              at com.sun.identity.console.federation.SAMLv2SPAssertionContentViewBean.getExtendedValues(SAMLv2SPAssertionContentViewBean.java:241)
              at com.sun.identity.console.federation.SAMLv2SPAssertionContentViewBean.beginDisplay(SAMLv2SPAssertionContentViewBean.java:95)

      How to reproduce the issue

      1. Import the attached test.xml (or any IDP-proxy-type metadata, i.e. metadata containing both an IDP and an SP role).
      2. Make sure a circle of trust (COT) is selected when importing.
      3. After the import, click the entity to view it.
      4. The console throws an AMUncaughtException.
      5. The root cause is that the extended metadata contains a duplicate "cotlist" attribute.
      Expected behaviour
      The SAML2 entity can be viewed and edited without error.
      Current behaviour
      The extended metadata contains duplicate "cotlist" attributes, which causes the UI to fail.

      Work around


      • Use ssoadm to import the standard metadata together with a hand-written extended metadata file.
      • Use Import Entity... to import without a COT and assign the COT afterwards (HOWEVER the generated extended metadata may still be invalid, so it is best to provide or update the extended metadata explicitly).
      • Alternatively, fix the broken SAML2 extended metadata through ssoadm.
      • It may also be possible to fix the broken extended metadata (multiple cotlist attributes) via the REST API by removing the duplicate, but the REST call needs proper care: it performs no validation checks on its input (see https://backstage.forgerock.com/knowledge/kb/article/a53668144) and may not work with URL-style entityIds unless ALLOW_ENCODED_SLASH is set for Tomcat.

      Code analysis

      // The import adds one cotlist attribute per role type found in the metadata,
      // so metadata containing two roles ends up with 2 duplicate cotlist attributes in the extended metadata.

      As a result the entityConfig contains <Attribute name="cotlist"> multiple times.
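The check a practitioner would want before importing (or after repairing) extended metadata with ssoadm, as an added example that is not part of this ticket or of the OpenAM code base: parse an EntityConfig document, report every role config in which an Attribute name repeats (the same condition that makes Collectors.toMap in SAML2MetaUtils.getAttributes throw "Duplicate key"), and merge the duplicates into one Attribute whose Values are the union. The entityconfig namespace is assumed to be the one AM uses for extended metadata, and the sample EntityConfig is constructed to have the shape this bug produces.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Namespace of AM extended (entity config) metadata; assumed here.
NS = "urn:sun:fm:SAML:2.0:entityconfig"
ET.register_namespace("", NS)  # serialize back with a default namespace

def q(local):
    """Clark-notation tag for an element in the entityconfig namespace."""
    return f"{{{NS}}}{local}"

# Constructed sample: one EntityConfig with both roles, where the SP role
# carries two "cotlist" attributes (what the broken import produces).
BROKEN_EXTENDED_METADATA = f"""<EntityConfig xmlns="{NS}" hosted="1" entityID="https://idp.example.com/openam">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="cotlist"><Value>cot1</Value></Attribute>
  </IDPSSOConfig>
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="cotlist"><Value>cot1</Value></Attribute>
    <Attribute name="cotlist"><Value>cot1</Value></Attribute>
    <Attribute name="spAuthncontextMapper"><Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""

def role_configs(root):
    """Yield (role name, element) for every *Config child of EntityConfig."""
    for child in root:
        local = child.tag.split("}")[-1]
        if local.endswith("Config"):
            yield local, child

def find_duplicate_attributes(xml_text):
    """Return {role: [attribute names that occur more than once in that role]}.

    An empty dict means the document would survive a toMap-style collection
    keyed on attribute name, i.e. the console would not hit Duplicate key.
    """
    root = ET.fromstring(xml_text)
    duplicates = {}
    for role, cfg in role_configs(root):
        counts = OrderedDict()
        for attr in cfg.findall(q("Attribute")):
            name = attr.get("name")
            counts[name] = counts.get(name, 0) + 1
        names = [n for n, c in counts.items() if c > 1]
        if names:
            duplicates[role] = names
    return duplicates

def merge_duplicate_attributes(xml_text):
    """Collapse duplicate Attribute elements per role, keeping the union of Values."""
    root = ET.fromstring(xml_text)
    for _role, cfg in role_configs(root):
        first_by_name = OrderedDict()  # attribute name -> first Attribute element kept
        for attr in list(cfg.findall(q("Attribute"))):
            name = attr.get("name")
            if name not in first_by_name:
                first_by_name[name] = attr
                continue
            keep = first_by_name[name]
            existing = {v.text for v in keep.findall(q("Value"))}
            for value in attr.findall(q("Value")):
                if value.text not in existing:  # only add Values not already present
                    keep.append(value)
                    existing.add(value.text)
            cfg.remove(attr)  # drop the duplicate Attribute element itself
    return ET.tostring(root, encoding="unicode")

def cotlist_values(xml_text, role):
    """All cotlist Values of one role config, duplicates included, in document order."""
    root = ET.fromstring(xml_text)
    cfg = root.find(q(role))
    values = []
    for attr in cfg.findall(q("Attribute")):
        if attr.get("name") == "cotlist":
            values.extend(v.text for v in attr.findall(q("Value")))
    return values

if __name__ == "__main__":
    print("duplicates before:", find_duplicate_attributes(BROKEN_EXTENDED_METADATA))
    fixed = merge_duplicate_attributes(BROKEN_EXTENDED_METADATA)
    print("duplicates after: ", find_duplicate_attributes(fixed))
    print(fixed)
```

Run it on the extended metadata exported with ssoadm export-entity (the extended part) and only re-import what find_duplicate_attributes reports as clean; merging rather than deleting keeps a COT that was listed only on the second, duplicate attribute.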

      This problem is a subset of OPENAM-13942 and is already solved there, as verified by testing on AM 7.


      Assignee / Reporter: chee-weng.chea (C-Weng C)