- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 13.5.0
- Component/s: SAML
- Labels:
When requesting encryption for the assertion within an IDP-Proxy scenario, the IdP Proxy tries to use the Name-ID formats listed in the Remote SP configuration instead of the NameID format requested in the AuthnRequest.
To reproduce the issue:
- Configure:
  - SP: sp.example.com:8080
  - IDP-Proxy: proxy.example.info:8080
  - IDP: idp.example.net:8080
- For all three, configure the Name-ID format list as follows:
  - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Request the assertion to be encrypted.
- Initiate SP-initiated Single Sign-On: http://sp.example.com:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=proxy&NameIDFormat=transient
The flow hangs on the following URL: http://proxy.example.info:8080/openam/Consumer/metaAlias/spproxy?SAMLart=AAQAA...
The error in the Federation log is:
libSAML2:12/03/2014 03:23:22:070 PM GMT: Thread[http-bio-48080-exec-1,5,main] AccountUtils.setAccountFederation: set fedinfo {sun-fm-saml2-nameid-info=[idpproxy|http://sp.example.com:8080/openam|QPfRQy...BwipEAyh|proxy|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|http://sp.example.com:8080/openam|DualRole|false], sun-fm-saml2-nameid-infokey=[idpproxy|http://sp.example.com:38080/openam|QPfRQy81+St3gTLY5W5ABwipEAyh]} userID = id=anonymous,ou=user,dc=openam,dc=forgerock,dc=org
libPlugins:12/03/2014 03:23:22:079 PM GMT: Thread[http-bio-48080-exec-1,5,main] ERROR: IdRepoDataStoreProvider.setAttribute(): IdRepo exception
Message:Permission denied on setting attributes for anonymous.
    at com.sun.identity.idm.plugins.internal.SpecialRepo.setAttributes(SpecialRepo.java:650)
    at com.sun.identity.idm.server.IdServicesImpl.setAttributes(IdServicesImpl.java:1706)
    at com.sun.identity.idm.server.IdCachedServicesImpl.setAttributes(IdCachedServicesImpl.java:529)
    at com.sun.identity.idm.AMIdentity.store(AMIdentity.java:535)
    at com.sun.identity.plugin.datastore.impl.IdRepoDataStoreProvider.setAttributes(IdRepoDataStoreProvider.java:245)
    at com.sun.identity.saml2.common.AccountUtils.setAccountFederation(AccountUtils.java:236)
    ...
Workaround: depending on the use case, you may re-order the list of Name-ID formats for the remote SP. In our example, keeping the transient format at the top of the list for the remote SP in the OpenAM IDP-Proxy configuration was enough; this may not be possible for complex deployments.
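The following is an added illustration of the selection logic behind this ticket; it is not OpenAM code. It models a proxy that takes the head of the remote SP's configured Name-ID format list (the reported behaviour, which also explains why the workaround of putting transient first helps) beside one that honours the Format carried in the AuthnRequest's NameIDPolicy, and flags that a persistent NameID requires a stored federation record, which is the write that fails for the anonymous user in the log above. The function names and the embedded AuthnRequest are constructed for the example.

```python
"""Added example (not OpenAM code): NameID format selection at an IdP proxy.

Contrasts a proxy that ignores the requested NameID format and takes the
first entry of the remote SP's configured list with one that honours the
AuthnRequest's NameIDPolicy/@Format. Function names and the AuthnRequest
below are assumptions constructed for illustration.
"""
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Same order as the ticket's reproduction: persistent first, transient second.
REMOTE_SP_NAMEID_FORMATS = [PERSISTENT, TRANSIENT]

# Constructed AuthnRequest equivalent to what spSSOInit.jsp builds when it is
# called with NameIDFormat=transient (short name expanded to the full URN).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1"
    Version="2.0" IssueInstant="2014-12-03T15:23:22Z">
  <saml:Issuer>http://sp.example.com:8080/openam</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    AllowCreate="true"/>
</samlp:AuthnRequest>"""


def requested_nameid_format(authn_request_xml: str) -> Optional[str]:
    """Return NameIDPolicy/@Format from an AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return policy.get("Format")


def select_nameid_format_buggy(requested: Optional[str], sp_formats: List[str]) -> str:
    """Behaviour reported in the ticket: the request is ignored and the head
    of the remote SP's configured list wins."""
    return sp_formats[0]


def select_nameid_format(requested: Optional[str], sp_formats: List[str]) -> str:
    """Honour the requested format when the remote SP supports it.

    Without a requested format, fall back to the SP's first configured entry.
    A requested format the SP does not list is a policy mismatch and is
    rejected rather than silently replaced by a different one.
    """
    if requested is None:
        return sp_formats[0]
    if requested not in sp_formats:
        raise ValueError(f"NameID format not supported by remote SP: {requested}")
    return requested


def needs_stored_federation(nameid_format: str) -> bool:
    """Persistent NameIDs require a stored federation record for the user.

    In the ticket's log that write (AccountUtils.setAccountFederation) is
    attempted for the proxy's anonymous user and is denied; a transient
    NameID needs no such record.
    """
    return nameid_format == PERSISTENT


if __name__ == "__main__":
    requested = requested_nameid_format(AUTHN_REQUEST)
    for name, chooser in (("buggy", select_nameid_format_buggy), ("fixed", select_nameid_format)):
        chosen = chooser(requested, REMOTE_SP_NAMEID_FORMATS)
        print(f"{name}: chose {chosen}; stored federation needed: {needs_stored_federation(chosen)}")
```

Running it shows the buggy chooser picking the persistent format for a transient request, which is exactly the path that leads to the denied attribute write, while the fixed chooser returns the transient format; the ticket's workaround corresponds to handing the buggy chooser a list with transient first.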