OpenAM / OPENAM-5834

Changes since OPENAM-2274 to DefaultLibrarySPAccountMapper have meant that NameID can't be used in some cases using auto federation

Details

Sprint: Sprint 81 - Sustaining

Description

Changes since OPENAM-2274 to DefaultLibrarySPAccountMapper have meant that the NameID can't be used for the user ID in the case where the Assertion has no Attributes and auto federation is enabled, as a result of the getIdentity() method call.

To reproduce:

• Set up OpenAM as the SP
• Enable Auto Federation (autofedEnabled true) on the SP
• Set an Auto Federation Attribute (autofedAttribute) on the SP
• Enable Use Name ID as User ID (useNameIDAsSPUserID true) on the SP
• Have no Attributes delivered by the IDP in the Assertion

This ends in a trace like the following in the Federation debug log (reduced to the key entries):

libSAML2:04/14/2015 09:51:06:363 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main]
DefaultLibrarySPAccountMapper.getIdentity(Assertion): realm = / hostEntityID = idp.example.com
libPlugins:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main]
IdRepoDataStoreProvider.getUserID : user not found
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main]
DefaultLibrarySPAccountMapper.getAutoFedUser: Assertion does not have attribute statements.
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main]
SPACSUtils.processResponse: process: userName =[null]
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main]
SPACSUtils.processResponse: process: remoteHostId = idp.example.com
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main]
SPACSUtils.processResponse: process: attrMap = null
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main]
ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: No local user being mapped.
	at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1256)

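To make the failure visible outside a running OpenAM, the following is an added Python model of the SP account-mapping decision. It is not OpenAM's code: the two SAML assertions, the SP settings dict and the local user store are constructed for the example, and the order of checks in get_identity_reported is reconstructed from the trace above (existing-federation lookup, then auto federation, then nothing). Beside it, get_identity_expected shows the behaviour the issue title asks for: when auto federation finds no attribute to match, fall back to the NameID if useNameIDAsSPUserID is set, instead of returning null.

```python
"""Model of the SP account-mapping decision behind OPENAM-5834.

Added example, not OpenAM's DefaultLibrarySPAccountMapper. Function names
mirror the methods in the debug trace; their bodies are a simplification.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed assertions (not captured traffic). The first matches the
# reproduction steps: a NameID is present, but there is no AttributeStatement.
ASSERTION_NO_ATTRS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id1" Version="2.0" IssueInstant="2015-04-14T21:51:06Z">
  <saml:Issuer>idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

ASSERTION_WITH_ATTRS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id2" Version="2.0" IssueInstant="2015-04-14T21:51:06Z">
  <saml:Issuer>idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bob-idp-id</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>bob@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The three SP extended-metadata settings named in the reproduction steps.
SP_CONFIG = {
    "autofedEnabled": True,
    "autofedAttribute": "mail",
    "useNameIDAsSPUserID": True,
}

# Hypothetical local user store (local uid -> attributes), standing in for the
# IdRepo data store that IdRepoDataStoreProvider.getUserID queries.
LOCAL_USERS = {
    "bob": {"mail": "bob@example.com"},
}


def name_id(assertion: ET.Element) -> Optional[str]:
    """Subject/NameID value, or None if the assertion has no NameID."""
    el = assertion.find("saml:Subject/saml:NameID", NS)
    return el.text.strip() if el is not None and el.text else None


def attribute_values(assertion: ET.Element, name: str) -> list:
    """Values of every saml:Attribute called `name`; [] when there is no
    AttributeStatement at all (the reproduction case)."""
    values = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def lookup_existing_federation(nid: Optional[str]) -> Optional[str]:
    """Stand-in for the 'IdRepoDataStoreProvider.getUserID : user not found'
    step: no account is linked to any NameID in this model."""
    return None


def auto_fed_user(assertion: ET.Element, config: dict) -> Optional[str]:
    """Stand-in for getAutoFedUser: match the autofedAttribute value against the
    local store. With no AttributeStatement there is nothing to match, which is
    the trace line 'Assertion does not have attribute statements.'"""
    if not config["autofedEnabled"]:
        return None
    wanted = config["autofedAttribute"]
    for value in attribute_values(assertion, wanted):
        for uid, attrs in LOCAL_USERS.items():
            if attrs.get(wanted) == value:
                return uid
    return None


def get_identity_reported(xml_text: str, config: dict) -> Optional[str]:
    """Order of checks implied by the trace: once auto federation is enabled and
    finds nothing, the mapper returns None and the NameID is never consulted."""
    assertion = ET.fromstring(xml_text)
    uid = lookup_existing_federation(name_id(assertion))
    if uid:
        return uid
    if config["autofedEnabled"]:
        return auto_fed_user(assertion, config)  # None -> "No local user being mapped."
    return name_id(assertion) if config["useNameIDAsSPUserID"] else None


def get_identity_expected(xml_text: str, config: dict) -> Optional[str]:
    """Behaviour the issue title asks for: if auto federation cannot map the
    user, fall back to the NameID when useNameIDAsSPUserID is set."""
    assertion = ET.fromstring(xml_text)
    uid = lookup_existing_federation(name_id(assertion))
    if uid:
        return uid
    if config["autofedEnabled"]:
        uid = auto_fed_user(assertion, config)
        if uid:
            return uid
    return name_id(assertion) if config["useNameIDAsSPUserID"] else None


if __name__ == "__main__":
    print("reported:", get_identity_reported(ASSERTION_NO_ATTRS, SP_CONFIG))  # None
    print("expected:", get_identity_expected(ASSERTION_NO_ATTRS, SP_CONFIG))  # alice
```

Feeding a base64-decoded SAMLResponse from the IdP into attribute_values is also a quick way to confirm, before reading the Federation debug log, whether the assertion carries an AttributeStatement at all; if it does not and auto federation is enabled, the SP mapper in this issue never reaches the NameID.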

People

Assignee: Mark de Reeper (markdr)
Reporter: Mark de Reeper (markdr)


Time Tracking

Original Estimate: 4h
Remaining Estimate: 0h
Time Spent: 4h 44m