  1. OpenAM
  2. OPENAM-5191

IdP proxy uses the NameID-Format list from the Remote SP when returning an encrypted assertion, instead of the NameID-Format returned by the remote IdP

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 13.5.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: SAML
    • Sprint: AM Sustaining Sprint 21, AM Sustaining Sprint 31
    • Story Points: 3

      Description

      When the assertion is requested to be encrypted in an IdP-Proxy scenario, the IdP Proxy tries to use the NameID formats listed in the Remote SP configuration instead of the requested NameID format.

      To reproduce the issue:

      • Configure three instances:
        SP: sp.example.com:8080
        IDP-Proxy: proxy.example.info:8080
        IDP: idp.example.net:8080
      • For all three, configure the NameID format list as follows:
        urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      • Request the assertion to be encrypted

      Initiate SP Single Sign On: http://sp.example.com:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=proxy&NameIDFormat=transient

      This will hang on the following URL: http://proxy.example.info:8080/openam/Consumer/metaAlias/spproxy?SAMLart=AAQAA...

      The error in the Federation log is:

      libSAML2:12/03/2014 03:23:22:070 PM GMT: Thread[http-bio-48080-exec-1,5,main]
      AccountUtils.setAccountFederation:  set fedinfo {sun-fm-saml2-nameid-info=[idpproxy|http://sp.example.com:8080/openam|QPfRQy...BwipEAyh|proxy|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|http://sp.example.com:8080/openam|DualRole|false], sun-fm-saml2-nameid-infokey=[idpproxy|http://sp.example.com:38080/openam|QPfRQy81+St3gTLY5W5ABwipEAyh]} userID = id=anonymous,ou=user,dc=openam,dc=forgerock,dc=org
      libPlugins:12/03/2014 03:23:22:079 PM GMT: Thread[http-bio-48080-exec-1,5,main]
      ERROR: IdRepoDataStoreProvider.setAttribute(): IdRepo exception
      Message:Permission denied on setting attributes for anonymous.
      
              at com.sun.identity.idm.plugins.internal.SpecialRepo.setAttributes(SpecialRepo.java:650)
              at com.sun.identity.idm.server.IdServicesImpl.setAttributes(IdServicesImpl.java:1706)
              at com.sun.identity.idm.server.IdCachedServicesImpl.setAttributes(IdCachedServicesImpl.java:529)
              at com.sun.identity.idm.AMIdentity.store(AMIdentity.java:535)
              at com.sun.identity.plugin.datastore.impl.IdRepoDataStoreProvider.setAttributes(IdRepoDataStoreProvider.java:245)
              at com.sun.identity.saml2.common.AccountUtils.setAccountFederation(AccountUtils.java:236)
      ...
      

      Workaround: depending on the use case, you may re-order the list of NameID formats for the remote SP; in our example, keeping the transient format at the top of the list for the Remote SP within the OpenAM IDP-Proxy configuration was enough; it may not be possible for complex deployments.
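      The selection step at the heart of this ticket, modelled as an added Python example (not OpenAM code): `select_format_buggy()` reproduces the reported behaviour of taking the first entry of the remote SP's NameID-Format list, `select_format_fixed()` carries over the format the remote IdP actually returned, and `issue_proxy_assertion()` shows why the wrong choice surfaces as the "Permission denied on setting attributes for anonymous" error. The short-name mapping, the anonymous user mapping and the "persistent needs a stored federation record" step are simplifying assumptions made for the illustration; the function names are not OpenAM APIs.

```python
# Added example, not OpenAM code: models the NameID-Format choice an IdP proxy
# makes when it re-issues the assertion it received from the remote IdP to the
# remote SP. select_format_buggy() reproduces the behaviour reported in
# OPENAM-5191; select_format_fixed() uses the format the remote IdP returned.
# The short-name mapping and the persistent-format "federation record" step are
# simplifying assumptions used only to illustrate the failure in the log.

NS = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
PERSISTENT = NS + "persistent"
TRANSIENT = NS + "transient"

# The ticket calls spSSOInit.jsp with NameIDFormat=transient; the expansion of
# such short names to the full URN is an assumption of this example.
SHORT_NAMES = {"persistent": PERSISTENT, "transient": TRANSIENT}

# NameID-Format list configured for the remote SP, in the order used in the
# ticket (persistent first, transient second).
REMOTE_SP_FORMATS = [PERSISTENT, TRANSIENT]

# Constructed sample: the local subject the proxy maps the federated user onto
# (taken from the userID shown in the log).
ANONYMOUS_USER = "id=anonymous,ou=user,dc=openam,dc=forgerock,dc=org"


def expand_format(value):
    """Map a short NameID format name (e.g. 'transient') to its URN."""
    return SHORT_NAMES.get(value, value)


def select_format_buggy(remote_sp_formats, requested, idp_returned):
    """Reported behaviour: take the first entry of the remote SP's configured
    NameID-Format list, ignoring both the requested format and the format
    the remote IdP actually returned."""
    return remote_sp_formats[0]


def select_format_fixed(remote_sp_formats, requested, idp_returned):
    """Corrected behaviour: the re-issued assertion carries the NameID-Format
    the remote IdP returned. Refuse, rather than silently substituting a
    format, when it differs from the requested one or the SP does not list it."""
    wanted = expand_format(requested) if requested else None
    if wanted and idp_returned != wanted:
        raise ValueError("remote IdP returned %s but %s was requested"
                         % (idp_returned, wanted))
    if idp_returned not in remote_sp_formats:
        raise ValueError("remote SP does not accept NameID-Format %s"
                         % idp_returned)
    return idp_returned


def issue_proxy_assertion(remote_sp_formats, requested, idp_returned,
                          user_id, selector):
    """Simulate the proxy's re-issue step; return ('ok', fmt) or ('error', msg).

    A persistent NameID has to be recorded as federation info against the
    local user (AccountUtils.setAccountFederation in the log); for the
    anonymous user that attribute write is denied, which is the IdRepo error
    in the ticket. A transient NameID needs no stored record."""
    try:
        fmt = selector(remote_sp_formats, requested, idp_returned)
    except ValueError as exc:
        return ("error", str(exc))
    if fmt == PERSISTENT and user_id.startswith("id=anonymous,"):
        return ("error",
                "Permission denied on setting attributes for anonymous.")
    return ("ok", fmt)


def ticket_scenario(selector, remote_sp_formats=REMOTE_SP_FORMATS):
    """Run the ticket's flow: the SP requests 'transient', the remote IdP
    returns a transient NameID, and the proxy re-issues the assertion for the
    anonymous-mapped user."""
    return issue_proxy_assertion(remote_sp_formats, "transient", TRANSIENT,
                                 ANONYMOUS_USER, selector)


if __name__ == "__main__":
    print("buggy     :", ticket_scenario(select_format_buggy))
    print("fixed     :", ticket_scenario(select_format_fixed))
    # The workaround from the ticket: put transient first in the SP's list.
    print("workaround:", ticket_scenario(select_format_buggy,
                                         [TRANSIENT, PERSISTENT]))
```

      Running the module shows the three outcomes side by side: the buggy selector picks persistent and fails on the anonymous user's attribute write, the fixed selector re-issues with the transient format the IdP returned, and reordering the remote SP's list makes the buggy selector happen to pick transient, which is exactly why the workaround above works only as long as the first entry is the one every SP-initiated flow needs.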

            People

            • Assignee: sfraser Sam Fraser
            • Reporter: nathalie.hoet Nathalie Hoet
            • Votes: 2
            • Watchers: 4

            Time Tracking

            • Estimated: 4h
            • Remaining: 0h
            • Logged: 4h