OPENAM-17231

The Scoping Value in the SAML request sent from IDP Proxy is not accepted by Azure AD


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 5.5.2, 6.5.3
    • Fix Version/s: None
    • Component/s: SAML

      Description

      Issue background:

      In this SAML SSO flow, the customer has two IDPs: one is OpenAM and the other is Azure AD. To achieve this, the customer is using an IDP Proxy layer, which is also an OpenAM server, to determine which IDP the SAML request needs to be sent to.

      Business case: SAML requests that are sent from the proxy layer carry a parameter called the Scoping value. The parameter is the collection of the available IDPs in the IDP proxy, and it is not accepted by Azure AD. The Azure AD document stating that the Scoping value is not supported is:

      https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#scoping

      The method the customer used to temporarily solve this issue is to customize IDPProxyUtil.class in openam-federation-library. The customer commented out the code from line 412 to 418, so that the Scoping value is not generated in the SAML request regardless of whether IDP Proxy is enabled, and we have confirmed that the original SAML SSO flow is not affected.

      // IDPProxyUtil, lines 412-418 (Java): the block the customer commented out.
      // It sets the ProxyCount attribute on the Scoping element of the outgoing AuthnRequest.
      if (proxyCount <= 0) {
          scoping.setProxyCount(0);
      } else {
          // since this is a remote SP configuration, we should
          // decrement the proxycount by one
          scoping.setProxyCount(proxyCount - 1);
      }

      RFE request:
      ForgeRock could improve this feature in the AM product.
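      As an added example (not OpenAM code and not the customer's patch), the following Python script checks a SAML 2.0 AuthnRequest for the Scoping element this issue is about, reporting its ProxyCount attribute and IDPList entries, and strips it from an unsigned request. It models at the message level what commenting out the IDPProxyUtil block achieves, so it can be used to verify what the proxy actually sends to Azure AD. The sample request, entity IDs, hostnames and timestamps are constructed for the example. Two caveats a practitioner would want checked in any such workaround: the element must be removed before the proxy signs the request, since an enveloped XML signature over the AuthnRequest would otherwise no longer verify, and ProxyCount is the SAML 2.0 control that limits how many proxying hops a request may take, so the proxy should keep a hop limit by other means once the element is gone.

```python
# Added example (not code from OpenAM or from the reporter's patch): inspect a
# SAML 2.0 AuthnRequest for the <samlp:Scoping> element and remove it from an
# unsigned request. Standard library only.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Keep the conventional prefixes on re-serialisation instead of ns0/ns1.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DSIG)


def q(tag, ns=SAMLP):
    """Clark-notation name, e.g. {urn:oasis:names:tc:SAML:2.0:protocol}Scoping."""
    return "{%s}%s" % (ns, tag)


# Constructed sample of the request shape an IDP proxy emits. Entity IDs,
# hostnames, the ID and the timestamp are made up for this example.
SAMPLE_AUTHN_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://login.microsoftonline.com/example-tenant/saml2"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://proxy.example.com/openam/Consumer/metaAlias/sp">
  <saml:Issuer>https://proxy.example.com/openam</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      AllowCreate="true"/>
  <samlp:Scoping ProxyCount="1">
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="https://idp.example.com/openam" Name="OpenAM IDP"/>
      <samlp:IDPEntry ProviderID="https://sts.windows.net/example-tenant/" Name="Azure AD"/>
    </samlp:IDPList>
  </samlp:Scoping>
</samlp:AuthnRequest>
"""

# Same request with a placeholder enveloped signature, to exercise the refusal
# path (constructed; a real ds:Signature has SignedInfo, SignatureValue, KeyInfo).
SIGNED_AUTHN_REQUEST = SAMPLE_AUTHN_REQUEST.replace(
    "</saml:Issuer>",
    '</saml:Issuer>\n  <ds:Signature xmlns:ds="%s"><ds:SignedInfo/></ds:Signature>' % DSIG,
)


def parse_authn_request(xml_text):
    """Parse and check that the root element is a samlp:AuthnRequest.

    xml.etree does not fetch external entities, but for requests from untrusted
    peers prefer defusedxml, which also blocks entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q("AuthnRequest"):
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    return root


def describe_scoping(xml_text):
    """Return None when the request has no Scoping element; otherwise a dict
    with the ProxyCount attribute (int or None) and the IDPList ProviderIDs."""
    root = parse_authn_request(xml_text)
    scoping = root.find(q("Scoping"))
    if scoping is None:
        return None
    proxy_count = scoping.get("ProxyCount")
    return {
        "proxy_count": int(proxy_count) if proxy_count is not None else None,
        "idp_entries": [
            e.get("ProviderID")
            for e in scoping.iterfind(q("IDPList") + "/" + q("IDPEntry"))
        ],
    }


def is_signed(xml_text):
    """True if the AuthnRequest carries an enveloped ds:Signature."""
    return parse_authn_request(xml_text).find(q("Signature", DSIG)) is not None


def strip_scoping(xml_text):
    """Return (xml_without_scoping, number_of_elements_removed).

    Refuses a signed request: removing a child element after signing would
    invalidate the signature, so this has to run before the proxy signs.
    """
    root = parse_authn_request(xml_text)
    if root.find(q("Signature", DSIG)) is not None:
        raise ValueError("request already signed; strip Scoping before signing")
    scopings = root.findall(q("Scoping"))
    for scoping in scopings:
        root.remove(scoping)
    return ET.tostring(root, encoding="unicode"), len(scopings)


if __name__ == "__main__":
    print("before:", describe_scoping(SAMPLE_AUTHN_REQUEST))
    stripped, removed = strip_scoping(SAMPLE_AUTHN_REQUEST)
    print("removed %d Scoping element(s); after:" % removed, describe_scoping(stripped))
```

      To run this against a real capture, base64-decode the SAMLRequest form field (and, for the HTTP-Redirect binding, DEFLATE-inflate it as well) and pass the resulting XML to describe_scoping(); a request the proxy sends after the customer's change should return None.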

      People

      Assignee: Unassigned
      Reporter: jobby.thomas (Jobby Thomas)
      Votes: 0
      Watchers: 3
