OpenAM / OPENAM-17188

SAML2 Auto-federation is not supported with Trees


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Version: 7.0.1
    • Labels: authentication, SAML

    Description

      When User Profile=Dynamic and SAML2 auto-federation is enabled, and using the SAML2 module/chain, the newly provisioned user ID is either the auto-federation attribute or the NameID value (if useNameIDasUserID is enabled) depending on the SP configuration.

      However, when the SAML2 Node is used, there are 2 outcomes:

      • Account exists
      • No Account exists

      In the 2nd outcome, you can link it with the 'Provision Dynamic Account' node. This node will create a user under a random ID though (ignoring the SAML2 config):

        import java.util.Set;
        import java.util.UUID;

        // Excerpt from DefaultAccountProvider (7.0.1): the attribute naming the new user is hard-coded to "uid"
        private String idNameAttribute = "uid";
        ..
        // 'attributes' is the Map<String, Set<String>> of mapped assertion attributes the provider receives
        Set<String> idAttribute = attributes.get(idNameAttribute);
        if (idAttribute != null && !idAttribute.isEmpty()) {
            userId = idAttribute.iterator().next();
        } else {
            // No "uid" attribute mapped: fall back to a random ID; the SP's auto-federation settings are never consulted
            userId = UUID.randomUUID().toString();
        }

      The request is to enhance the 'Provision Dynamic Account' node to support auto-federation as it was possible with the SAML2 module/chain.

      We'd need to make SAML2 config and assertion available in the AccountProvider interface:

      https://stash.forgerock.org/projects/OPENAM/repos/am-external/browse/openam-authentication/openam-auth-common/src/main/java/org/forgerock/openam/authentication/modules/common/mapping/AccountProvider.java?at=refs%2Fheads%2Freleases%2F7.0.1

      Default implementation used by the 'Provision Dynamic Account' node:

      https://stash.forgerock.org/projects/OPENAM/repos/am-external/browse/openam-authentication/openam-auth-common/src/main/java/org/forgerock/openam/authentication/modules/common/mapping/DefaultAccountProvider.java?at=refs%2Fheads%2Freleases%2F7.0.1
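      As an added illustration of the selection the request describes (not OpenAM's code, and not an implementation of the real AccountProvider interface): a stand-alone Java sketch that derives the user ID from the SP configuration and the assertion the way the SAML2 module/chain does, falling back to the node's current "uid"-or-random rule. SpConfig, Subject and their field names are assumptions, and the refusal to provision from a transient NameID is an added safeguard, not something the issue asks for.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/**
 * Hypothetical sketch (not OpenAM's AccountProvider): pick the ID of the user to
 * provision from the SP configuration and the SAML2 assertion, as the SAML2
 * module/chain does, instead of the node's fixed "uid"-or-random rule.
 */
public final class AutoFederationUserIdResolver {

    // Standard SAML 2.0 NameID format that must never become a permanent user ID
    static final String TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    /** The three SP settings this decision depends on (record and field names are assumptions). */
    public record SpConfig(boolean autoFederationEnabled, String autoFederationAttribute,
                           boolean useNameIDasUserID) {}

    /** The assertion subject (assumed shape; real code would read it from the Assertion object). */
    public record Subject(String nameId, String nameIdFormat) {}

    public static String resolveUserId(SpConfig sp, Subject subject, Map<String, Set<String>> attributes) {
        // 1. NameID as user ID: only a non-transient NameID identifies the same user on the next login
        if (sp.useNameIDasUserID() && subject.nameId() != null && !subject.nameId().isEmpty()) {
            if (TRANSIENT.equals(subject.nameIdFormat())) {
                throw new IllegalStateException("transient NameID cannot be used as a user ID");
            }
            return subject.nameId();
        }
        // 2. Auto-federation attribute, read from the already mapped assertion attributes
        if (sp.autoFederationEnabled() && sp.autoFederationAttribute() != null) {
            Set<String> values = attributes.getOrDefault(sp.autoFederationAttribute(), Collections.emptySet());
            if (!values.isEmpty()) {
                return values.iterator().next();
            }
        }
        // 3. What the Provision Dynamic Account node does today: "uid" if mapped, otherwise a random ID
        Set<String> uid = attributes.getOrDefault("uid", Collections.emptySet());
        return uid.isEmpty() ? UUID.randomUUID().toString() : uid.iterator().next();
    }

    public static void main(String[] args) {
        // Constructed sample: the SP auto-federates on "mail" and the IdP sent a persistent NameID
        Map<String, Set<String>> attrs = Map.of("mail", Set.of("alice@example.com"));
        Subject subject = new Subject("persistent-id-1234", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
        System.out.println(resolveUserId(new SpConfig(true, "mail", false), subject, attrs)); // attribute path
        System.out.println(resolveUserId(new SpConfig(true, "mail", true), subject, attrs));  // NameID path
        System.out.println(resolveUserId(new SpConfig(false, null, false), subject, attrs));  // node's fallback
    }
}
```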

      People

        Assignee: Unassigned
        Reporter: Anastasios Kampas