  1. OpenAM
  2. OPENAM-16769

Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow





      Bug description

      When executing a SAML flow within a tree that uses the SAML2 Authentication Node, if auto federation is enabled on an SP that is configured with User Profile:Dynamic, and the user cannot be found on the SP side, the SP hangs while 'Loading'.

      How to reproduce the issue

      1. Set up a SAML flow. Can use Pyforge to do this quickly (e.g. Auth_node tests)
      2. Create (or ensure exists) a tree that uses the SAML2 Auth Node (two examples in attachments)
      3. On Hosted SP, Set Authentication/Settings/UserProfile : Dynamic
      4. On Hosted IDP, update attribute mapper so that uid attribute is present in the assertion, e.g. map uid to uid
      5. On Hosted SP, enable auto federation and set attribute to uid (or whatever SAML attribute name you used in the mapping on the IDP side)
      6. On IDP side, create a user that does not exist on the SP
      7. Launch the flow by hitting the tree
      8. When redirected to IDP, log in as a user that exists on both ends (that can be resolved via their uid e.g. demo, or user.X if using PyForge)
      9. You should end up where you expect e.g. on the user profile page on SP
      10. Exit the flow
      11. Hit the tree again, this time logging in as the newly created user on the IDP end

      Expected behaviour

      Session on SP or Authentication Page on SP depending on tree configuration

      Current behaviour

      SP hangs with 'Loading' message

      Work around

      Do not enable both autofederation and dynamic user profile; the problem only appears when both are set. If they are both set, make sure the autofederation search can complete successfully (i.e. the user can be found on the SP side by whatever attribute was configured).





              apforrest Andrew Forrest
              alun.daley Alun Daley