OpenAM / OPENAM-17070

SAML2 SP-initiated SSO with AM as IdP proxy: RelayState is not returned from the proxy after IdP authentication


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 6.5.3, 7.0.1
    • Fix Version/s: 6.5.4, 7.1.0, 7.0.2
    • Component/s: SAML
    • Sprint: AM Sustaining Sprint 80, AM Sustaining Sprint 81

      Description

      Bug description

      The configuration uses SAML2 in standalone mode, with AM set up as an IdP proxy and a third-party application as the service provider. When SSO is initiated from the SP side, the RelayState parameter carries the location the user should land on after the SAML2 flow completes successfully.

      On AM 6.5.2.3 the IdP proxy POSTed the RelayState back to the SP after authentication at the IdP. On 6.5.3 the RelayState is no longer POSTed back to the SP with the SAML response.

      The same flow was tested without the IdP proxy, between two AM instances acting as SP and IdP, and RelayState works as intended there (the user lands on the URL given in RelayState) without configuring any 'validation services' or 'Relay State URL List' on the hosted providers.

      How to reproduce the issue

      Follow the steps provided in following KB:

      https://backstage.forgerock.com/knowledge/kb/article/a14745791


      Beware of the following bug, which affected the setup: entities may not be added to the CoT properly. Use the JATO-based console to remove and re-add the entities to the CoT on all hosted providers: https://bugster.forgerock.org/jira/browse/OPENAM-13942


      After completing the setup, initiate SP-initiated SSO with a URL similar to the example below (metaAlias, idpEntityID and RelayState adjusted to your environment):

      http://sp.example.com:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http%3A%2F%2Fproxy.example.info%3A8000%2Fopenam&RelayState=http%3A%2F%2Fsp.example.com%3A8080%2Fopenam%2FXUI%2F%23profile%2Fdetails

      Capture a HAR of the flow and check the final POST to the SP's assertion consumer endpoint: the SAMLResponse is present but no RelayState form field is POSTed back with it.
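      The HAR check above can be scripted. The following is an added example, not code from the ticket or from AM: it reads a HAR, takes the RelayState from the spSSOInit.jsp request, finds the SAMLResponse POST that reaches the SP host, and reports whether RelayState came back with it. The HAR content is constructed for illustration; the ACS paths (/openam/Consumer/metaAlias/sp) and the SAMLResponse values are assumptions.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed HAR fragment (not a real capture). Hosts come from the ticket's example
# URL; the ACS paths and the SAMLResponse/RelayState values are assumed for illustration.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url":
        "http://sp.example.com:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp"
        "&idpEntityID=http%3A%2F%2Fproxy.example.info%3A8000%2Fopenam"
        "&RelayState=http%3A%2F%2Fsp.example.com%3A8080%2Fopenam%2FXUI%2F%23profile%2Fdetails"}},
    # IdP -> proxy: the proxy's own RelayState round-trips normally.
    {"request": {"method": "POST", "url": "http://proxy.example.info:8000/openam/Consumer/metaAlias/sp",
        "postData": {"params": [{"name": "SAMLResponse", "value": "PHNhbWxwOlJlc3BvbnNlLz4="},
                                {"name": "RelayState", "value": "s2abc"}]}}},
    # proxy -> SP: SAMLResponse only, RelayState dropped (the behaviour reported here).
    {"request": {"method": "POST", "url": "http://sp.example.com:8080/openam/Consumer/metaAlias/sp",
        "postData": {"params": [{"name": "SAMLResponse", "value": "PHNhbWxwOlJlc3BvbnNlLz4="}]}}},
]}})

def form_params(entry):
    """Form fields of a POST entry as a dict (empty for GETs or entries without postData)."""
    return {p["name"]: p.get("value")
            for p in entry["request"].get("postData", {}).get("params", [])}

def check_relay_state(har_text):
    """Return (expected, returned): the RelayState sent on the spSSOInit.jsp request and
    the RelayState (or None) on the last SAMLResponse POST that reaches the SP's host."""
    entries = json.loads(har_text)["log"]["entries"]
    expected, sp_host = None, None
    for e in entries:
        u = urlparse(e["request"]["url"])
        if u.path.endswith("/saml2/jsp/spSSOInit.jsp"):
            expected = parse_qs(u.query).get("RelayState", [None])[0]
            sp_host = u.netloc
            break
    if sp_host is None:
        raise ValueError("no spSSOInit.jsp request found in HAR")
    returned = None
    for e in entries:
        u = urlparse(e["request"]["url"])
        params = form_params(e)
        if e["request"]["method"] == "POST" and u.netloc == sp_host and "SAMLResponse" in params:
            returned = params.get("RelayState")
    return expected, returned

if __name__ == "__main__":
    exp, got = check_relay_state(SAMPLE_HAR)
    print("RelayState requested by SP:", exp)
    print("RelayState POSTed to SP:   ", got if got is not None else "MISSING (issue reproduced)")
```

      Against a real capture, load the HAR file's text instead of SAMPLE_HAR; a returned value of None on a fixed version means the proxy is still dropping the field.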

      Expected behaviour
      The IdP proxy POSTs the RelayState back to the SP together with the SAML response.

      Current behaviour
      The IdP proxy does not POST the RelayState back to the SP.

      Workaround

      If AM is acting as the hosted SP, the RelayState URL can be set in 'Default Relay State URL'.

      This redirects users to that URL whenever no RelayState is present in the response.

      Realm > Applications > Federation > Entity Providers > [hosted SP name] > Assertion Processing > Default Relay State URL

             People: C-Weng C (chee-weng.chea), Jason Yuen (jason.yuen)
             Votes: 0
             Watchers: 6