Changes made to DefaultLibrarySPAccountMapper since OPENAM-2274 mean that, in auto federation mode, the NameID can no longer be used as the userID when the Assertion contains no Attributes, because of how the getIdentity() method call now behaves.
To reproduce:
- Set up OpenAM as the SP
- Enable Auto Federation (autofedEnabled true) on the SP
- Set an Auto Federation Attribute (autofedAttribute) on the SP
- Enable Use Name ID as User ID (useNameIDAsSPUserID true) on the SP
- Have no Attributes delivered by the IDP in the Assertion
This ends in a trace like the following in the Federation debug log (reduced to the key entries):
libSAML2:04/14/2015 09:51:06:363 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main] DefaultLibrarySPAccountMapper.getIdentity(Assertion): realm = / hostEntityID = idp.example.com
libPlugins:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main] IdRepoDataStoreProvider.getUserID : user not found
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main] DefaultLibrarySPAccountMapper.getAutoFedUser: Assertion does not have attribute statements.
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main] SPACSUtils.processResponse: process: userName =[null]
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main] SPACSUtils.processResponse: process: remoteHostId = idp.example.com
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main] SPACSUtils.processResponse: process: attrMap = null
libSAML2:04/14/2015 09:51:06:431 PM UTC: Thread[http-/159.127.13.14:9090-37,5,main] ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: No local user being mapped.
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1256)
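As an added illustration that is not OpenAM's code, the following simplified Python model walks the mapping order the trace above shows (existing user by Name ID, auto federation attribute, then Name ID as user ID) and contrasts the reported behaviour with the expected fallback; the assertion, the configuration flags and the user store are constructed sample data.

```python
# Added illustration, not OpenAM's code: a simplified model of the SP account
# mapping this report describes, with the Name ID fallback either skipped (the
# reported behaviour) or applied when the assertion has no attribute statements.

# Constructed sample: an assertion with no attribute statements, and the SP
# extended-metadata flags named in the report.
SAMPLE_ASSERTION = {"name_id": "alice@idp.example.com", "attributes": None}
SAMPLE_CONFIG = {"autofedEnabled": True, "autofedAttribute": "mail",
                 "useNameIDAsSPUserID": True}


def map_sp_user(assertion, config, local_users, nameid_fallback_without_attrs):
    """Return the local user ID, or None ("No local user being mapped")."""
    name_id = assertion.get("name_id")
    attrs = assertion.get("attributes") or {}

    # 1. A local user already linked to this Name ID (local_users stands in
    #    for the identity repository lookup seen as IdRepoDataStoreProvider).
    if name_id in local_users:
        return name_id

    # 2. Nothing further without auto federation.
    if not config.get("autofedEnabled"):
        return None

    # 3. Look the user up by the configured auto federation attribute.
    for value in attrs.get(config.get("autofedAttribute"), []):
        if value in local_users:
            return value

    # 4. Use Name ID as User ID. In the reported behaviour this step is never
    #    reached when the assertion carries no attribute statements at all.
    if not attrs and not nameid_fallback_without_attrs:
        return None
    return name_id if config.get("useNameIDAsSPUserID") else None


def reported_behaviour():
    """Matches the trace: the Name ID is ignored, so no user is mapped."""
    return map_sp_user(SAMPLE_ASSERTION, SAMPLE_CONFIG, set(), False)


def expected_behaviour():
    """With the fallback applied, the Name ID becomes the SP user ID."""
    return map_sp_user(SAMPLE_ASSERTION, SAMPLE_CONFIG, set(), True)
```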