
Inconsistent format for AuthLevel attribute in an assertion in case of session upgrade scenario

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 13.0.0, 13.5.0
    • Fix Version/s: None
    • Component/s: SAML

      Description

      When returning AuthLevel as an attribute in an assertion, OpenAM (as IdP) sometimes returns a non-integer value. This was observed in the context of a session upgrade to a higher level of assurance.

      The scenario can be reproduced with these steps:

      • Create an SP: http://sp.example.com:38080/openam
      • Create an IdP: http://idp.example.net:28080/openam
      • Make HTTP-POST the default so you can see the SAML Response in SAML Tracer
      • Create a chain, chain2, with an authentication module of auth level 2
      • In IdP > Assertion Content > Authentication Context, select both Password and PasswordProtectedTransport; for Password, set Key: Service, Value: chain2, Level: 2
      • In IdP > Assertion Processing > Attribute Map, insert authlevel=AuthLevel
      • Initiate SP federation with:
        http://sp.example.com:38080/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=http%3A%2F%2Fidp.example.net%3A28080%2Fopenam&metaAlias=/sp&AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        

      You should see in the assertion the following attribute:

      <saml:Attribute Name="authlevel">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="xs:string">0</saml:AttributeValue>
      </saml:Attribute>
      
      • Initiate SP federation again (don't clear the browser) with:
        http://sp.example.com:38080/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=http%3A%2F%2Fidp.example.net%3A28080%2Fopenam&metaAlias=/sp&AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password
        

      Expected behaviour

      You should see in the assertion:

      <saml:Attribute Name="authlevel">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="xs:string">2</saml:AttributeValue>
      </saml:Attribute>
      

      Observed behaviour

      The assertion instead contains the following (with the realm in front of the AuthLevel value):

      <saml:Attribute Name="authlevel">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="xs:string">/:2</saml:AttributeValue>
      </saml:Attribute>
      

      The same error was observed in a subrealm.
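      Because the issue was closed as "Not a defect", an SP that maps AuthLevel into an attribute has to cope with both value formats shown above: the bare integer and the realm-prefixed form returned after a session upgrade. The following is an added example of such an SP-side check, written for this page; it is not OpenAM code and not part of the issue. It assumes the realm-qualified value has the shape "<realm>:<level>" (so "/:2" is realm "/", level 2, and a subrealm would appear as "/sub:2"); the assertion fragments it parses are constructed from the attribute element quoted in the issue.

```python
"""Added example, not OpenAM code: consume the "authlevel" attribute at the SP so
that both value formats shown in this issue are handled: the bare integer ("0",
"2") and the realm-qualified form ("/:2") returned after session upgrade.

Assumption (not stated on the page): the realm-qualified form is "<realm>:<level>",
where OpenAM realm names start with "/" (so "/sub:2" would be realm "/sub").
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTRIBUTE = "{%s}Attribute" % SAML_NS
ATTRIBUTE_VALUE = "{%s}AttributeValue" % SAML_NS


def _assertion_with_authlevel(value):
    # Constructed fragment modelled on the attribute element quoted in the issue.
    return (
        '<saml:Assertion xmlns:saml="%s">'
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="authlevel">'
        '<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xsi:type="xs:string">%s</saml:AttributeValue>'
        "</saml:Attribute>"
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    ) % (SAML_NS, value)


# Constructed samples: the first login (level 0) and the post-upgrade response.
FIRST_LOGIN = _assertion_with_authlevel("0")
AFTER_UPGRADE = _assertion_with_authlevel("/:2")


def parse_auth_level(raw):
    """Return (realm, level) for an AuthLevel attribute value.

    "2"      -> (None, 2)
    "/:2"    -> ("/", 2)      realm-qualified form seen after session upgrade
    "/sub:2" -> ("/sub", 2)   assumed shape for a subrealm
    Anything else (negative, decimal, empty, unknown prefix) raises ValueError.
    """
    value = raw.strip()
    realm = None
    if ":" in value:
        realm, _, value = value.rpartition(":")
        if not realm.startswith("/"):
            raise ValueError("unexpected AuthLevel prefix: %r" % raw)
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("AuthLevel is not a non-negative integer: %r" % raw)
    return realm, int(value)


def auth_level_from_assertion(xml_text, attr_name="authlevel"):
    """Extract and parse the auth level attribute from an assertion.

    Signature validation is out of scope here: a real SP must verify the
    assertion signature before trusting any attribute value it carries.
    """
    root = ET.fromstring(xml_text)
    for attr in root.iter(ATTRIBUTE):
        if attr.get("Name") != attr_name:
            continue
        values = [v.text or "" for v in attr.findall(ATTRIBUTE_VALUE)]
        if len(values) != 1:
            raise ValueError("expected one %s value, got %d" % (attr_name, len(values)))
        return parse_auth_level(values[0])
    raise ValueError("no %s attribute in assertion" % attr_name)


def meets_minimum(xml_text, minimum, expected_realm="/"):
    """True if the asserted level is at least `minimum` and, when the value is
    realm-qualified, the realm is the one this SP expects the IdP to use."""
    realm, level = auth_level_from_assertion(xml_text)
    if realm is not None and realm != expected_realm:
        return False
    return level >= minimum


def rejected(raw):
    """True if parse_auth_level refuses the value (used for negative checks)."""
    try:
        parse_auth_level(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(auth_level_from_assertion(FIRST_LOGIN))    # (None, 0)
    print(auth_level_from_assertion(AFTER_UPGRADE))  # ('/', 2)
    print(meets_minimum(AFTER_UPGRADE, 2))            # True
```

      The point of the realm check is that the prefix is not noise to be stripped blindly: an attribute value naming a realm other than the one the SP configured for this IdP should fail the comparison rather than be accepted on the numeric part alone.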

              People

               • Assignee: peter.major Peter Major [X] (Inactive)
               • Reporter: nathalie.hoet Nathalie Hoet