OPENAM-2585

Restricted tokens should be valid across multiple profiles within the same group


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 9.5.5, 10.0.1, 10.1.0-Xpress
    • Fix Version/s: 9.5.6, 10.0.2, 11.0.0
    • Component/s: session

      Description

      The validateAndGetRestriction method in LdapSPValidator searches for the matching agent profile based on agentRootURL and populates this into the DNOrIPAddressListTokenRestriction.

      This has two problems:

      1) If you have the agentRootURL defined in the profile rather than in the group, you cannot have multiple agent profiles in a load-balanced environment and have the restricted token validate successfully across the different agents. The agent profile DNs will be different and the restriction will fail.

      2) Currently, since all agentRootURLs have to be in the group or in a shared agent profile, this can lead to management issues if there are a large number of agentRootURLs.

      The fix is to update LdapSPValidator so that it is group-aware. The searchAgents method should be able to determine the DNs of all agent profiles within the group and populate the token restriction with all DNs. The token restriction would then be valid if it was presented to any of the agent profiles within the group.
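The following is an added model of the behaviour described in this issue; it is not OpenAM code and does not use the real LdapSPValidator or DNOrIPAddressListTokenRestriction classes. It assumes a constructed set of agent profiles with a hypothetical `group` attribute, exact string matching on agentRootURL (OpenAM normalises the URL; that is omitted here), and a restriction checked by DN only (the IP-address half of the real restriction is not modelled). It shows why a per-profile agentRootURL fails under load balancing with the current single-DN restriction, and how a group-aware restriction that carries every DN in the group makes the token valid from any agent in that group.

```python
"""Model of a DN-list token restriction built per agent profile vs. per group.

Added illustration for OPENAM-2585; not OpenAM code. All profiles, DNs,
URLs and the `group` attribute below are constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AgentProfile:
    dn: str                      # directory DN of the agent profile
    agent_root_url: str          # agentRootURL stored on the profile itself
    group: Optional[str] = None  # hypothetical group attribute (assumption)


# Constructed directory: agentA and agentB sit behind one load balancer and
# share a group; agentC is a stand-alone agent with no group.
PROFILES = [
    AgentProfile("uid=agentA,ou=agents,dc=example,dc=com",
                 "https://agent-a.example.com:443/", group="lb-group"),
    AgentProfile("uid=agentB,ou=agents,dc=example,dc=com",
                 "https://agent-b.example.com:443/", group="lb-group"),
    AgentProfile("uid=agentC,ou=agents,dc=example,dc=com",
                 "https://agent-c.example.com:443/"),
]


def search_agents(agent_root_url: str, group_aware: bool) -> FrozenSet[str]:
    """Return the DNs to place in the token restriction for a request from agent_root_url.

    group_aware=False models the current behaviour: only the DN of the profile
    whose agentRootURL matches goes into the restriction.
    group_aware=True models the proposed behaviour: every DN in the matching
    profile's group goes into the restriction (a profile with no group still
    yields only its own DN).
    """
    matches = [p for p in PROFILES if p.agent_root_url == agent_root_url]
    if not matches:
        raise LookupError(f"no agent profile has agentRootURL {agent_root_url!r}")
    match = matches[0]
    if not group_aware or match.group is None:
        return frozenset({match.dn})
    return frozenset(p.dn for p in PROFILES if p.group == match.group)


def restriction_satisfied(restriction: FrozenSet[str], presenting_dn: str) -> bool:
    """A DN-list restriction passes when the agent presenting the token is listed."""
    return presenting_dn in restriction


def demo() -> dict:
    """Token created for agentA, later presented by agentB (same group) and agentC."""
    current = search_agents("https://agent-a.example.com:443/", group_aware=False)
    proposed = search_agents("https://agent-a.example.com:443/", group_aware=True)
    agent_b, agent_c = PROFILES[1].dn, PROFILES[2].dn
    return {
        # load balancer routes the next request to agentB: fails today
        "current_accepts_agent_b": restriction_satisfied(current, agent_b),
        # same request with the group-aware restriction: passes
        "proposed_accepts_agent_b": restriction_satisfied(proposed, agent_b),
        # an agent outside the group is still rejected
        "proposed_accepts_agent_c": restriction_satisfied(proposed, agent_c),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check in `restriction_satisfied` is deliberately a plain set membership test: the point of the proposed change is entirely in what `search_agents` puts into the restriction when the token is created, not in how the restriction is evaluated. Note that widening the restriction to the whole group means a token minted for one agent is accepted by every agent in that group, so group membership becomes the trust boundary and must be managed as such.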


            People

            Assignee:
            jonathan Jonathan Scudder
            Reporter:
            steve Steve Ferris
