Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-474

Dynamic User Creation not populating all available attributes onto newly created user


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Snapshot9.5, 9.5.3_RC1, 9.5.3, 9.5.4_RC1, 9.5.4, 9.5.5, 10.0.0-EA, 10.0.0, 10.0.1, 10.1.0-Xpress, 11.0.0, 11.0.1
    • Fix Version/s: 11.0.2, 12.0.0
    • Component/s: SAML
    • Environment:
      SLES11 SP1 x86_64 / Tomcat 6.0.30 / Java 1.6.0_23-b05 / OpenDJ 2.4.0
    • Support Ticket IDs:


      When running OpenAM as a SP and I turn on Dynamic User creation, the attributes provided and mapped are not written out to the User which is created in OpenAM. Under Federation Assertion Processing for my SP I have created an Attribute Map and set Auto Federation to enabled based on uid. The users which are created in OpenAM based on a claim from my IDP have the account name (uid), last name (sn) and full name (cn) all set to the same value - the UID value sent over by my IDP.

      When I toss debugging on Federation log shows that my claim is being interpreted properly:

      libSAML2:02/08/2011 08:34:58:272 PM MST: Thread[TP-Processor8,5,main] (most of the remaining timestamps removed for clarity)

      DefaultLibrarySPAccountMapper.getAutoFedUser: Search map:


      IdRepoDataStoreProvider.getUserID : user not found
      DefaultLibrarySPAccountMapper: dynamical user creation or ignore profile enabled : uid=[tim]
      SPACSUtils.processResponse: process: userName =[tim]
      SAML2Utils.getConfigAttributeMap: DefaultAttrMapper: relam=/, entity id=https://mySP.domain2/openam, role=SPRole
      SAML2MetaCache.getEntityConfig: cacheKey = ///https://mySP.domain2/openam, found = true
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: https://mySP.domain2/openam
      DefaultSPAttributeMapper.getAttr:hosted SP attribute map =

      {uid=uid, mail=mail, sn=sn, cn=cn, asn=employeeNumber, givenName=givenName}

      SPACSUtils.processResponse: process: remoteHostId = https://myIDP.domain1/simplesaml/saml2/idp/metadata.php
      SPACSUtils.processResponse: process: attrMap =

      {uid=[tim], mail=[dont@spam.me.please], sn=[Lastname], cn=[Tim Lastname], givenName=[Tim], employeeNumber=[123456789]}

      as I chased this down - I find that in SPACSUtils.java while in processResponse() it seems the actual user object is created within this snip:

      if (writeFedInfo) {

      { AccountUtils.setAccountFederation(info, userName); }

      catch (SAML2Exception se) {

      what I've done to get around this - is to add the following:

      AccountUtils.setAccountFederation(info, userName);
      + try

      { + SAML2Utils.getDataStoreProvider().setAttributes(userName, attrMap); + }

      catch (DataStoreProviderException ex)

      { + //deal with exception) + }

      } catch (SAML2Exception se) {

      after making this change - my user object is created with UID as agreed upon and all the mapped attributes are written out to the user object afterwards by the update.


          Issue Links



              • Assignee:
                peter.major Peter Major [X] (Inactive)
                crisallt crisallt
                QA Assignee:
                Kajetan Hemzaczek
              • Votes:
                6 Vote for this issue
                14 Start watching this issue


                • Created: