
OpenAM should send a response to the SP in case of empty NameIdPolicy value in SAML Authn Request

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.2
    • Fix Version/s: 12.0.4, 13.5.1, 14.0.0
    • Component/s: SAML
    • Sprint:
      AM Sustaining Sprint 25, AM Sustaining Sprint 26, AM Sustaining Sprint 27

      Description

      When OpenAM as IdP receives an authentication request with a NameID Policy such as <samlp:NameIDPolicy/>, it throws an HTTP Status 500 ("The SAML Request is invalid. The server encountered an internal error that prevented it from fulfilling this request.") instead of sending a response back to the SP.

      From the spec https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, section 3.4.1.1 Element <NameIDPolicy>:

      When this element is used, if the content is not understood by or acceptable to the identity provider, then a <Response> message element MUST be returned with an error <Status>, and MAY contain a second-level <StatusCode> of urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy.
      If the Format value is omitted or set to urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified,
      then the identity provider is free to return any kind of identifier, subject to any additional constraints due to the content of this element or the policies of the identity provider or principal.

      If the tag is omitted altogether, OpenAM correctly returns a successful assertion, but if the value is empty it throws an exception. I tested on 12.0.2 only, but expect it to affect 13 too.

      Steps to reproduce:

      Set up federation between an SP and an IdP, using http://sp.example.com:38080/openam and http://idp.example.net:28080/openam
      Access the following URL:

      http://idp.example.net:28080/openam/SSORedirect/metaAlias/idp?SAMLRequest=rZRfb9owEMDfJ%2B07VHmHhBAyOEGlDDQNqVsRsD7szbEvq6XE9nxOx779nBTWVCKZVM2P9%2F9%2Bd%2Bclsao0kNXuUe3xZ43kbk5VqQhaxSqorQLNSBIoViGB43DIvtxBPI7AWO0012Xw%2Ft3NlbfdrAKKUfA84SLGaZHniWBFGudi%2FqFIJumCpYtZkrBkNp3MeoI8oCWp1SrwCfvyENW4VeSYct4umqSjKB3Fi%2BMkhmQKyex7j%2BPGdysVc238R%2BcMhKEUZownVpkSxwodxPNoHoXaoG8%2FPBzu9yikRe7CCh3LSsmocelJ8Elbji3bVVCwkrC3gx0jkk84bLY78%2F4olZDqx%2FBw8mcjgs%2FH426UWScLxl1P5IwIbcNhrRXVFdoD2ifJ8dv%2B7i8ZegHDdQXTLpiLW4cK9UG5fRYvmwWDdna2s3LDTbFLncHtv6tahp0U3awGvvrI281Ol5L%2FDl%2BrzleAop2bb8zh6f%2FdxKu31pVhVlKzfr6J3ulcw%2FeCsFvnuvSE9li8BeigGQfehPbiZlN%2FaSuaZfR3gOJomSKjrTvzvlbPBXE4wNjbXPTd78iL%2FwA%3D
      

      The decoded SAML Request looks like:

      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          ID="s2edcb4cd2e3fbb4daf62bd87f4169a69544a45315"
                          Version="2.0"
                          IssueInstant="2016-06-29T12:43:45Z"
                          Destination="http://idp.example.net:28080/openam/SSORedirect/metaAlias/idp"
                          ForceAuthn="false"
                          IsPassive="false"
                          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                          AssertionConsumerServiceURL="http://sp.example.com:38080/openam/Consumer/metaAlias/sp"
                          >
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.example.com:38080/openam</saml:Issuer>
          <samlp:NameIDPolicy/>
          <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                                       Comparison="exact"
                                       >
              <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
          </samlp:RequestedAuthnContext>
      </samlp:AuthnRequest>
      

      Observed behaviour:

      An HTTP 500 is thrown and the Federation debug log shows:

      libSAML2:06/29/2016 02:08:22:010 PM BST: Thread[http-bio-28080-exec-12,5,main]
      ERROR: IDPSSOFederate.doSSOFederate: 
      com.sun.identity.saml2.common.SAML2Exception: No Attributes for this element.
              at com.sun.identity.saml2.protocol.impl.NameIDPolicyImpl.validateData(NameIDPolicyImpl.java:271)
              at com.sun.identity.saml2.protocol.impl.NameIDPolicyImpl.toXMLString(NameIDPolicyImpl.java:194)
              at com.sun.identity.saml2.protocol.impl.AuthnRequestImpl.toXMLString(AuthnRequestImpl.java:597)
              at com.sun.identity.saml2.protocol.impl.AuthnRequestImpl.toXMLString(AuthnRequestImpl.java:443)
              at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:303)
              at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:129)
              at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:125)
              at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      

      Expected Behaviour:

      A response is sent back to the SP.
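      The following is an added example, not OpenAM's own code (OpenAM's handling lives in the Java NameIDPolicyImpl/IDPSSOFederate classes named in the stack trace above). It shows, in Python, the two steps the report exercises: decoding an HTTP-Redirect binding SAMLRequest parameter (URL-decode, base64-decode, raw DEFLATE) and then deciding what the IdP should answer for the NameIDPolicy it finds. An empty <samlp:NameIDPolicy/> has no Format attribute, so per section 3.4.1.1 it is handled exactly like an omitted element (unspecified format, success); an unsupported Format instead yields a Requester status with the InvalidNameIDPolicy second-level code rather than an exception. The AuthnRequest is a constructed sample modelled on the decoded request in the report, and the set of formats the IdP is willing to issue is an assumption.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Assumption for this example: the formats this IdP is willing to issue.
SUPPORTED_FORMATS = {
    NAMEID_UNSPECIFIED,
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect(saml_request_param: str) -> str:
    """Reverse of encode_redirect: what the IdP does with the SAMLRequest query parameter."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def choose_nameid_format(authn_request_xml: str):
    """Decide the IdP's answer for the NameIDPolicy in an AuthnRequest.

    Returns (top-level StatusCode, second-level StatusCode or None, NameID format
    to issue or None). Never raises on an empty <NameIDPolicy/>.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")

    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        # Element omitted altogether: the IdP is free to pick any identifier.
        return STATUS_SUCCESS, None, NAMEID_UNSPECIFIED

    # Empty element (no attributes) or Format="" both mean "Format omitted",
    # which the spec equates with the unspecified format.
    requested = policy.get("Format") or NAMEID_UNSPECIFIED
    if requested not in SUPPORTED_FORMATS:
        # Content not acceptable: error Status with the InvalidNameIDPolicy second-level code.
        return STATUS_REQUESTER, STATUS_INVALID_NAMEID_POLICY, None
    return STATUS_SUCCESS, None, requested


def build_authn_request(nameid_policy_fragment: str) -> str:
    """Constructed sample AuthnRequest modelled on the one in the report; the
    NameIDPolicy fragment is substituted so each case can be exercised."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_example1" Version="2.0" IssueInstant="2016-06-29T12:43:45Z" '
        'Destination="http://idp.example.net:28080/openam/SSORedirect/metaAlias/idp">'
        "<saml:Issuer>http://sp.example.com:38080/openam</saml:Issuer>"
        f"{nameid_policy_fragment}"
        "</samlp:AuthnRequest>"
    )


def idp_status_for(saml_request_param: str):
    """End to end: decode the redirect-binding parameter and decide the status."""
    return choose_nameid_format(decode_redirect(saml_request_param))


if __name__ == "__main__":
    for fragment in ("<samlp:NameIDPolicy/>", "",
                     '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"/>'):
        param = encode_redirect(build_authn_request(fragment))
        print(repr(fragment), "->", idp_status_for(param))
```

The point of the round trip is that the empty element never reaches a "No Attributes for this element" failure: whatever the SP put in NameIDPolicy, the IdP ends up with a <Status> to put in a <Response>, and only a request that is not an AuthnRequest at all is rejected outright.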

            People

            • Assignee: jonthomas Jonathan Thomas
            • Reporter: nathalie.hoet Nathalie Hoet
            • QA Assignee: Filip Kubáň [X] (Inactive)
            • Votes: 0
            • Watchers: 5