
SSO failure between SPs in separate CoTs with same hosted IDP

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 12.0.0, 13.0.0, 13.5.0, 14.0.0
    • Fix Version/s: 13.5.3, 6.0.0.1, 6.5.0, 6.0.1, 5.5.2
    • Component/s: SAML
    • Labels:
    • Sprint: AM Sustaining Sprint 51
    • Story Points: 3
    • Needs backport: No
    • Support Ticket IDs:
    • Needs QA verification: No
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      To reproduce: create 3 entities in the same realm: a Hosted IDP, Remote SP1 and Remote SP2.
      Create 2 CoTs:
      • CoT1: IDP, SP1
      • CoT2: IDP, SP2

      Test each CoT separately to check that it works (clear the browser in between).

      Test SSO between SP1 and SP2:
      • Federate to SP2
      • Federate to SP1

      In the Federation log you will see the "Issuer in Request is not valid" warning.

      Workaround at this point is either:

      • put all the entities in the same CoT, or
      • duplicate the IDP profile, create 2 separate entities IDP1 and IDP2 and two separate CoTs: CoT1: IDP1, SP1 and CoT2: IDP2, SP2
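The following is an added example, not code from the ticket or from OpenAM. It models circle-of-trust (CoT) membership for the three topologies above (the failing one and the two workarounds) as a small configuration lint: it reports a hosted IDP that sits in more than one CoT, which is the pattern this ticket describes as breaking SSO on affected versions, and any SP that shares no CoT with a hosted IDP. Realm name, entity IDs and CoT names are constructed for the example; the `Realm` class and `lint_realm` function are not OpenAM APIs.

```python
# Added example: a toy CoT-membership lint for the topology in OPENAM-4040.
# Not OpenAM code; entity IDs, realm and CoT names below are constructed.

from dataclasses import dataclass, field


@dataclass
class Realm:
    """Entities and CoTs of one realm. Roles: 'IDP' (hosted) or 'SP' (remote)."""
    name: str
    roles: dict = field(default_factory=dict)   # entity id -> role
    cots: dict = field(default_factory=dict)    # CoT name -> set of entity ids

    def add_entity(self, entity_id, role):
        self.roles[entity_id] = role
        return self

    def add_cot(self, cot_name, *members):
        # A CoT may only list entities that exist in the realm.
        unknown = [m for m in members if m not in self.roles]
        if unknown:
            raise ValueError(f"CoT {cot_name!r} references unknown entities: {unknown}")
        self.cots[cot_name] = set(members)
        return self

    def cots_of(self, entity_id):
        return {c for c, members in self.cots.items() if entity_id in members}


def shares_cot(realm, idp, sp):
    """Trust relation used by the issuer check: SP and IDP must share a CoT."""
    return bool(realm.cots_of(idp) & realm.cots_of(sp))


def lint_realm(realm):
    """Return human-readable findings; an empty list means the topology is clean."""
    findings = []
    idps = [e for e, r in realm.roles.items() if r == "IDP"]
    sps = [e for e, r in realm.roles.items() if r == "SP"]
    for idp in idps:
        cots = sorted(realm.cots_of(idp))
        if len(cots) > 1:
            findings.append(
                f"{idp}: hosted IDP is a member of several CoTs {cots}; SSO between "
                "SPs of different CoTs fails on affected versions (OPENAM-4040)")
    for sp in sps:
        if not any(shares_cot(realm, idp, sp) for idp in idps):
            findings.append(f"{sp}: shares no CoT with any hosted IDP; its requests "
                            "would be rejected as an invalid issuer")
    return findings


# Topology as reported: one hosted IDP shared by two CoTs.
def as_reported():
    return (Realm("/").add_entity("idp", "IDP")
            .add_entity("sp1", "SP").add_entity("sp2", "SP")
            .add_cot("CoT1", "idp", "sp1")
            .add_cot("CoT2", "idp", "sp2"))


# Workaround 1: all entities in the same CoT.
def workaround_single_cot():
    return (Realm("/").add_entity("idp", "IDP")
            .add_entity("sp1", "SP").add_entity("sp2", "SP")
            .add_cot("CoT1", "idp", "sp1", "sp2"))


# Workaround 2: duplicate the IDP profile, one IDP per CoT.
def workaround_duplicate_idp():
    return (Realm("/").add_entity("idp1", "IDP").add_entity("idp2", "IDP")
            .add_entity("sp1", "SP").add_entity("sp2", "SP")
            .add_cot("CoT1", "idp1", "sp1")
            .add_cot("CoT2", "idp2", "sp2"))


if __name__ == "__main__":
    for label, build in [("as reported", as_reported),
                         ("single CoT", workaround_single_cot),
                         ("duplicated IDP", workaround_duplicate_idp)]:
        print(label, "->", lint_realm(build()) or "clean")
```

Run it before wiring up a second CoT on an affected version: the reported topology yields one finding for the shared IDP, while both workaround topologies come back clean, which matches the ticket's description of what works and what does not.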

              People

              • Assignee: sfraser Sam Fraser
              • Reporter: nathalie.hoet Nathalie Hoet
              • Votes: 0
              • Watchers: 4
