OpenAM issue OPENAM-71

SAML2 error handling in HTTP POST and Redirect bindings

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 9.5.5, 10.0.1, 10.1.0-Xpress, 11.0.0, 13.0.0, 13.5.0, 6.5.0, 7.0.0
    • Fix Version/s: None
    • Component/s: SAML
    • Support Ticket IDs:

      Description

      I think the error handling of the SAML2 HTTP POST and Redirect bindings does not
      conform to the rules set in the SAML2 bindings specification.

      In sections 3.4.6 and 3.5.6 of said specification, it is stated that:

      "HTTP interactions during the message exchange MUST NOT use HTTP error
      status codes to indicate failures in SAML processing, since the user
      agent is not a full party to the SAML protocol exchange."

      However, this is exactly what happens when an exception is thrown in the SAML2
      stack of OpenAM - an HTTP error is returned to the browser, and user interaction
      stops there instead of returning to the service provider.

      Last tested with OpenSSO 8.0, but reading the latest sources I conclude there
      has been no change w.r.t. the behaviour described above.
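The behaviour the bindings specification asks for, as an added illustration that is not OpenAM code: a SAML processing failure is reported to the service provider as a `<samlp:Response>` whose top-level `StatusCode` is non-Success, delivered through the HTTP POST binding with HTTP 200, rather than as an HTTP error page. Entity IDs, the exception-to-status mapping and the omission of the XML signature are assumptions of this example.

```python
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET
from html import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def saml_status_for(exc):
    """Hypothetical mapping: malformed input is the requester's fault, anything else is ours."""
    return STATUS_REQUESTER if isinstance(exc, ValueError) else STATUS_RESPONDER


def build_error_response(issuer, destination, in_response_to, status_code, message):
    """Unsigned <samlp:Response> whose top-level StatusCode reports the failure."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc)
        .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def post_binding_page(destination, response_xml, relay_state=None):
    """HTTP POST binding: returns (http_status, html). The HTTP status is 200 even
    when the SAML status is a failure; the browser only relays the form to the SP."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join(f'<input type="hidden" name="{n}" value="{escape(v, quote=True)}"/>'
                     for n, v in fields.items())
    body = ('<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{escape(destination, quote=True)}">'
            f'{inputs}<noscript><input type="submit"/></noscript></form></body></html>')
    return 200, body


def status_code_of(body):
    """What the SP sees: decode the SAMLResponse field and read the StatusCode value."""
    marker = 'name="SAMLResponse" value="'
    start = body.index(marker) + len(marker)
    root = ET.fromstring(base64.b64decode(body[start:body.index('"', start)]))
    return root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
```

The Redirect binding differs only in transport (DEFLATE-compressed, URL-encoded `SAMLResponse` query parameter in a 302 Location header); the rule about not using HTTP error codes is the same.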

    People

    • Assignee: Unassigned
    • Reporter: patrick.peck
    • Votes: 1
    • Watchers: 6