[OPENAM-9719] session upgrade fails in combination with SAML-based SSO - ForgeRock JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 13.0.0, 13.5.0
Fix Version/s: 13.5.1, 14.0.0
Component/s: authentication, XUI
Labels:
Environment:

Hide
Mac OS X

java version "1.8.0_31"
Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)

Apache Tomcat 8.0.54

OpenAM 13.5.0

OpenAM 13.5.0 Fedlet

Show
Mac OS X java version "1.8.0_31" Java(TM) SE Runtime Environment (build 1.8.0_31-b13) Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode) Apache Tomcat 8.0.54 OpenAM 13.5.0 OpenAM 13.5.0 Fedlet

Target Version/s:

13.5.1, 14.0.0
Rank:
1|hzs5xz:

Sprint:
AM Sustaining Sprint 28

Support Ticket IDs:

Verified Version/s:

13.5.1

Description

1) Create an AuthChain 'datastoreService' with 'datastore' as required module
2) Create and AuthChain 'twofactor' with 'datastore' and 'HOTP' as required modules
3) Adopt AuthContexts of the IdP to map 'PasswordProtectedTransport' AuthContextClassRef to service 'datastoreService' and level '1'.
4) Adopt AuthContexts of the IdP to map 'TimeSyncToken' to service 'twofactor' and level '2'.
5) Authenticate at OpenAM with default auth chain of the realm where the CoT was created
6) Run SP-initiated SSO with AuthContextClassRef 'TimeSyncToken' on the Fedlet sample app

After submitting the OTP for the 2nd auth-module of the two factor chain, XUI responds with error Required callback not found in JSON response

Performing the same session upgrade without the SAML flow works fine.
i.e.
1) Authenticate at OpenAM with default auth chain
2) Authenticate with params &authIndexType=service&authIntexType=twofactor

Comparing the HTTP POST requests for the 'HOTP2' stage between does not show a significant difference, see attached excerpts from network capture.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

saml-session-upgrade-submit-hotp2-stage.txt
5 kB
2016-09-20 4:12 PM
session-upgrade-submit-hotp2-stage.txt
5 kB
2016-09-20 4:12 PM

Issue Links

depends on

OPENAM-9597 Goto URL with multiple query string parameters incorrectly decoded

Resolved

is caused by

OPENAM-7539 Federation + SAML2 module + forceAuth leads to the page which wants to destroy the current IDP session

Resolved

is duplicated by

OPENAM-10582 ForceAuth=true causes ServerSide Scripted Auth To Fail If Already Authenticated

Resolved

is required by

OPENAM-10250 Classic UI Login fails to authenticate with ForceAuth

Resolved

Activity

People

Assignee:: Peter Major [X] (Inactive)

Reporter:: Bernhard Thalmayr

QA Assignee:: Nemanja Lukic

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2016-09-20 4:12 PM

Updated:: 2017-05-19 9:57 AM

Resolved:: 2016-09-27 8:22 PM

Time Tracking

Estimated:

Remaining:

Logged: