OPENAM-9425

WS-Federation active profile fails in subrealm

    Details

    • Sprint:
      AM Sustaining Sprint 30

      Description

      Set up WS-Federation active profile to work with Office 365 with WS-Federation entities in a sub-realm. Passive sign in flow works fine, but the active sign in flow fails with the following in the federation log:

      ERROR: Unable to get IDP Entity ID from metaAlias
      libWSFederation:07/13/2016 08:56:17:441 AM UTC: Thread[http-nio-8080-exec-9,5,main]: TransactionId[93b7843a-2513-4dbc-941a-8545eec78b56-832]
      WSFedServlet.doGet: Can't process action
      com.sun.identity.wsfederation.common.WSFederationException: Identity Provider ID is null.
      	at com.sun.identity.wsfederation.servlet.MexRequest.process(MexRequest.java:86)
      	at com.sun.identity.wsfederation.servlet.WSFederationServlet.doGet(WSFederationServlet.java:72)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

      followed by...

      An error occurred while processing the Active Request
      org.forgerock.openam.wsfederation.common.ActiveRequestorException: Unable to authenticate end-user.
      	at org.forgerock.openam.wsfederation.common.ActiveRequestorException.newSenderException(ActiveRequestorException.java:56)
      	at org.forgerock.openam.saml2.plugins.DefaultWsFedAuthenticator.authenticate(DefaultWsFedAuthenticator.java:86)
      	at com.sun.identity.wsfederation.servlet.ActiveRequest.authenticateEndUser(ActiveRequest.java:284)
      	at com.sun.identity.wsfederation.servlet.ActiveRequest.process(ActiveRequest.java:151)
      	at com.sun.identity.wsfederation.servlet.WSFederationServlet.doPost(WSFederationServlet.java:104)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)

      With a subrealm called "employees", the active federation endpoint in Azure is:

      https://idp.example.com:443/openam/WSFederationServlet/sts/metaAlias/employees/wsidp

      The metadata exchange URI is:

      https://idp.example.com:443/openam/WSFederationServlet/ws-trust/mex/metaAlias/employees/wsidp

      After discussion with Peter Major, it seems there is an easy workaround, which is to use a DNS alias for the realm (extremely likely to be in production anyway).

      UPDATE: Have not been able to get this to work using a DNS alias on a realm: ssoadm and the UI prevent the metadata from being imported because the meta alias does not match the realm.

      According to Peter, the realm validation in AMLoginContext#processIndexType prevents the authentication from working in a subrealm.
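      As an added illustration (not OpenAM's own code), the metaAlias carried by both endpoints quoted above can be split into the realm it names and the IdP alias, and then compared with the realm a metadata import targets, which is the mismatch the update describes. The URLs are the ones from this report; the function names are hypothetical, and the realm normalisation is an assumption.

```python
import re
from urllib.parse import urlparse

# Sample endpoints copied from the report's "employees" subrealm setup.
STS_URL = "https://idp.example.com:443/openam/WSFederationServlet/sts/metaAlias/employees/wsidp"
MEX_URL = "https://idp.example.com:443/openam/WSFederationServlet/ws-trust/mex/metaAlias/employees/wsidp"

# Both the STS (active sign-in) and MEX (metadata exchange) paths end in
# "/metaAlias/<realm path>/<idp alias>"; capture everything after "metaAlias".
_META_ALIAS = re.compile(r"/WSFederationServlet/(?:sts|ws-trust/mex)/metaAlias(/.+)$")


def extract_meta_alias(url):
    """Return the metaAlias encoded in an active-profile URL ('/employees/wsidp'), or None."""
    match = _META_ALIAS.search(urlparse(url).path)
    return match.group(1) if match else None


def split_meta_alias(meta_alias):
    """Split a metaAlias into (realm, idp_alias).

    '/employees/wsidp' -> ('/employees', 'wsidp'); a root-realm alias '/wsidp' -> ('/', 'wsidp').
    """
    if not meta_alias.startswith("/") or meta_alias.endswith("/"):
        raise ValueError("malformed metaAlias: %r" % meta_alias)
    realm, _, idp_alias = meta_alias.rpartition("/")
    return (realm or "/", idp_alias)


def _normalize_realm(realm):
    # Assumption: realms compare by path with a single leading slash and no trailing slash.
    return "/" + realm.strip("/")


def meta_alias_matches_realm(meta_alias, target_realm):
    """The consistency rule the report runs into: the realm named inside the metaAlias
    must be the realm the metadata is imported into (hypothetical check, not OpenAM's)."""
    alias_realm, _ = split_meta_alias(meta_alias)
    return alias_realm == _normalize_realm(target_realm)


if __name__ == "__main__":
    for url in (STS_URL, MEX_URL):
        alias = extract_meta_alias(url)
        print(url, "->", alias, split_meta_alias(alias))
    # The subrealm alias is accepted in /employees but rejected at the root realm.
    print(meta_alias_matches_realm("/employees/wsidp", "/employees"))
    print(meta_alias_matches_realm("/employees/wsidp", "/"))
```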

              People

              • Assignee: peter.major Peter Major
              • Reporter: simon.harding Simon Harding