OPENAM-8971

currentGoto : null is received in XUI when a realm dns is being used for Federation and authentication is done via wdsso/kerberos auth module



    • Sprint: AM Sustaining Sprint 24, AM Sustaining Sprint 25, AM Sustaining Sprint 26, AM Sustaining Sprint 27, AM Sustaining Sprint 28, AM Sustaining Sprint 29, AM Sustaining Sprint 30, AM Sustaining Sprint 31, AM Sustaining Sprint 32


      With XUI, the Federation IDP SAML Response is not returned when the WDSSO/Kerberos module is used for authentication; the end user is redirected
      to the auth module's "Success login URL" instead.

      This only happens if XUI is enabled and only when using a realm that has been set up as a DNS alias (actually
      using the DNS alias for the SAML setup).

      Steps to reproduce:

      on IDP OpenAM:

      A) Create a realm (mine was /wdsso)
      B) Set the DataStore to AD (this will be needed for the WDSSO/Kerberos setup)
      C) Verify you see users in the Subjects tab of that realm and that they are from the Windows AD box.
      D) Set it up as a DNS realm (mine was wdsso.example.com)
      E) Log in to AM as the DNS realm (http://wdsso.example.com:1300/openam)
      F) Create a Federation with an SP (mine was http://host1.example.com:1202/openam)
      G) Verify functionality of the Federation SP SSO Init (http://host1.example.com:1202/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/dnsSP&idpEntityID=dnsIDP)
      H) Once Federation is set up, set up the WDSSO/Kerberos auth module - mine is called wdsso
      I) Create an authentication chain and add the wdsso auth module as "sufficient" (my chain is called wdsso), and set that as the
      default authentication chain for users of that realm. Set the "Login Success URL" to http://www.google.com
      J) Test the WDSSO setup: from a Windows machine that is logged into the AD domain that AD/Kerberos is on, go to this
      URL: http://host1.example.com:1300/openam/XUI/#login/wdsso
      K) If you get your profile page, WDSSO/Kerberos is working fine. If you don't, troubleshoot the wdsso setup before moving on
      L) Now initiate another SP-initiated SSO to that realm, which is now using WDSSO/Kerberos for its authentication. I use
      M) I go to http://www.google.com

      I am expecting to get sent back to my SP and sign in and then get a "Single Sign On Succeeded" response if the SP is using OpenAM.

      If you do the above on the top level domain, it works correctly and you get redirected back to the SP with the SAML Response.
      If you do the above at the realm level but do NOT use a DNS alias for your realm, then it works correctly and you get redirected back to the SP with the SAML Response.

      If you turn off XUI and use the UI, and do the above, it gives you an Authentication error with this stack trace:
      Caused by: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String
        at com.sun.identity.saml2.common.SAML2Utils.getParameter(SAML2Utils.java:1370)
        at com.sun.identity.saml2.common.SAML2Utils.getRealm(SAML2Utils.java:1356)
        at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:93)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
        ... 72 more

      but if you apply a patch for this bug:
      SAML2 JSP pages making use of the SAML2Auditor are calling the SAML2Utils.getRealm with an incorrect Map structure

      then the UI works fine using a DNS realm with Federation that uses WDSSO/Kerberos as the auth module.

      Including ssotracer output (browser trace) and IDP's debug logs set to Message. I'm authenticating from my Windows box that has been logged in as "Administrator" as the user.

      Reviewing a 12.0.2 setup: it IS working with Federation, XUI, WDSSO/Kerberos and realm DNS, so this appears to happen with AM 13.

      AM 13 with XUI:

      amAuthUtils:05/24/2016 09:33:15:724 AM EDT: Thread[http-bio-443-exec-2,5,main]: TransactionId[f234d876-889c-46dc-b05f-a44e2abb1f8a-839]
      URL name : PostProcessLoginSuccessURL Value : Not set - null or empty string
      amAuth:05/24/2016 09:33:15:725 AM EDT: Thread[http-bio-443-exec-2,5,main]: TransactionId[f234d876-889c-46dc-b05f-a44e2abb1f8a-839]
      currentGoto : null

      in the 12.x XUI it does this

      AuthContextLocal:: Status : success
      amAuthUtils:05/24/2016 09:39:32:566 AM EDT: Thread[http-bio-443-exec-9,5,main]
      URL name : PostProcessLoginSuccessURL Value : Not set - null or empty string
      amAuth:05/24/2016 09:39:32:566 AM EDT: Thread[http-bio-443-exec-9,5,main]
      currentGoto : /openam/SSORedirect/metaAlias/intranet/idp1?ReqID=_a362f6ac55013955
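The ClassCastException in the classic-UI trace above comes from a parameter helper that casts a map value straight to String while being handed a servlet-style parameter map whose values are String[] (the shape request.getParameterMap() returns). The following is an added illustration of that failure pattern next to a defensive variant that accepts either map shape. It is not OpenAM's code: the class and method names RealmParamDemo, getParameterUnsafe and getParameterSafe are hypothetical, and the parameter map is constructed inline from the query string used in step G.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Illustration only (not OpenAM code) of the ClassCastException pattern
 * "[Ljava.lang.String; cannot be cast to java.lang.String": a helper written
 * for Map<String,String> is handed the Map<String,String[]> that the servlet
 * API produces, and the unconditional cast fails on the first lookup.
 */
public class RealmParamDemo {

    // Mirrors the failing pattern: the value is cast to String without checking
    // whether the map actually holds String[] values.
    static String getParameterUnsafe(Map<String, ?> params, String name) {
        return (String) params.get(name); // throws ClassCastException for String[]
    }

    // Hardened form: tolerate both shapes and take the first value of an array,
    // which is what a single-valued query parameter carries anyway.
    static String getParameterSafe(Map<String, ?> params, String name) {
        Object value = params.get(name);
        if (value == null) {
            return null;
        }
        if (value instanceof String[]) {
            String[] values = (String[]) value;
            return values.length > 0 ? values[0] : null;
        }
        return value.toString();
    }

    public static void main(String[] args) {
        // Constructed sample (hypothetical): what request.getParameterMap() would
        // hand back for ...?metaAlias=/dnsSP&idpEntityID=dnsIDP, values as String[].
        Map<String, String[]> servletStyle = new HashMap<>();
        servletStyle.put("metaAlias", new String[] {"/dnsSP"});
        servletStyle.put("idpEntityID", new String[] {"dnsIDP"});

        // The flat shape the unsafe helper was written against.
        Map<String, String> flat = new HashMap<>();
        flat.put("metaAlias", "/dnsSP");
        flat.put("idpEntityID", "dnsIDP");

        System.out.println("unsafe, flat map:    " + getParameterUnsafe(flat, "metaAlias"));
        try {
            getParameterUnsafe(servletStyle, "metaAlias");
            System.out.println("unsafe, servlet map: no exception (unexpected)");
        } catch (ClassCastException e) {
            System.out.println("unsafe, servlet map: " + e.getMessage());
        }
        System.out.println("safe, servlet map:   " + getParameterSafe(servletStyle, "metaAlias"));
        System.out.println("safe, flat map:      " + getParameterSafe(flat, "idpEntityID"));
        System.out.println("safe, missing key:   " + getParameterSafe(flat, "RelayState"));
    }
}
```

The safe variant is the same check a JSP-side caller needs when it builds the map it passes down: either normalise to one value type at the boundary, or make the lookup tolerant of both, but never rely on a blind cast over a map whose producer you do not control.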


              peter.major Peter Major [X] (Inactive)
              david.bate David Bate



                Time Tracking

                  Original Estimate - 12h
                  Remaining Estimate - 12h
                  Time Spent - Not Specified