OpenAM / OPENAM-5160

Fedlet support non-transient (persistent) NameID

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Expired
    • Affects Version/s: 11.0.0, 11.0.2
    • Fix Version/s: None
    • Component/s: SAML
    • Environment:
      Fedlet Java and .NET

      Description

      There is a similar RFE opened for OpenIG due to overlap requirement: OpenIG-409

      This issue is being opened regarding customers who may want to use Fedlet for configurations that do not allow transient and demand persistent for nameID:format. This issue is more important for OpenIG, where OpenIG implements Fedlet and supports IDPs other than OpenAM, but the same holds true for OpenAM IDPs that choose not to implement Transient but want to enable Fedlets. For Fedlets, the notion of Persistent would need to be custom development on the SP application, and in the case of OpenIG, persistent may mean integration with some IDM system (which could be ForgeRock, but where OpenIG is the SP). The point is that the limitation of Transient only should be addressed.

      I have noted that for OpenAM this fix involves a fix to fedletSSOInit.jsp and for OpenIG to FederationServlet.java. Both have a section that is similar to this:

          list.add(SAML2Constants.NAMEID_TRANSIENT_FORMAT);

      Change that to default to NAMEID_TRANSIENT if a URL-parameter override is not present. If the parameter is in the URL, then add the parameter's nameID format to the list instead.
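      The following is an added illustration of that change, not code from the Fedlet, OpenIG or this ticket. It shows the selection logic as a standalone Java class: the NameID format defaults to transient, a request parameter may override it, and the override is checked against an allow list of standard SAML 2.0 NameID format URNs so that an arbitrary string from the query string is never copied into the AuthnRequest. The parameter name "NameIDFormat" and the class and method names are assumptions; the URN values are the standard ones from the SAML 2.0 specification (the transient one is what SAML2Constants.NAMEID_TRANSIENT_FORMAT resolves to).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical helper (not part of the Fedlet) that builds the NameID format
 * list for the AuthnRequest from an optional request parameter.
 */
public class NameIdFormatSelector {

    // Standard SAML 2.0 NameID format URNs (from the SAML 2.0 Core spec).
    static final String TRANSIENT   = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    static final String PERSISTENT  = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    static final String EMAIL       = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    static final String UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    // Allow list: only these formats may be requested via the URL parameter.
    static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList(TRANSIENT, PERSISTENT, EMAIL, UNSPECIFIED));

    /**
     * Returns the list that replaces the hard-coded
     * list.add(SAML2Constants.NAMEID_TRANSIENT_FORMAT) call.
     *
     * @param requested raw value of the (hypothetical) "NameIDFormat" request
     *                  parameter, or null when it is absent
     * @throws IllegalArgumentException if the value is not an allowed URN
     */
    static List<String> nameIdFormats(String requested) {
        List<String> list = new ArrayList<>();
        if (requested == null || requested.trim().isEmpty()) {
            // No override present: keep today's behaviour and ask for transient.
            list.add(TRANSIENT);
            return list;
        }
        String candidate = requested.trim();
        if (!ALLOWED.contains(candidate)) {
            // Reject rather than forward unknown input to the IDP.
            throw new IllegalArgumentException(
                    "Unsupported NameID format requested: " + candidate);
        }
        list.add(candidate);
        return list;
    }

    public static void main(String[] args) {
        // In fedletSSOInit.jsp the value would come from
        // request.getParameter("NameIDFormat") (parameter name assumed).
        System.out.println("no parameter  -> " + nameIdFormats(null));
        System.out.println("persistent    -> " + nameIdFormats(PERSISTENT));
        try {
            nameIdFormats("urn:example:not-a-nameid-format");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected      -> " + e.getMessage());
        }
    }
}
```

      Validating against a fixed set of URNs keeps the behaviour of the existing line for every request that does not carry the parameter, while an IDP that insists on persistent can be asked for it explicitly.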

      Once the SAML Authentication request is made and the IDP responds with Persistent, the next issue is that there exists no ID Mapper class. This issue can be resolved by the user adding a custom account mapper class to the SAML metadata and implementing that class.

      sp-extended.xml:

          <Attribute name="spAccountMapper">
              <Value>com.foo.MyAccountMapper</Value>
          </Attribute>

      Because a return value of true for the account mapper is basically the same as an OpenAM IDP choosing the ignore profile, the logic of ignoring persistent while keeping the ability to request it is accomplished.

      This is a very plausible use case, especially when the IDP is outside the control of the SP and the IDP demands persistent even though, from the SP perspective, persistent is not needed.

              People

              • Assignee: Unassigned
              • Reporter: Steven Jarosz (steven.jarosz)