Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-9957

SAML2 authenticationStep cookie does not get set if platform cookie domains list is empty

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: SAML
    • Labels:
    • Target Version/s:
    • Sprint:
      AM Sustaining Sprint 32
    • Story Points:
      2
    • Support Ticket IDs:

      Description

      Setup OpenAM 13.5.0 SAML2 Authentication module in integrated mode.
      https://backstage.forgerock.com/docs/openam/13.5/admin-guide/chap-federation#saml2-integrated-mode

      On the SP, delete all entries in System -> Platform -> Cookie Domains.
      On redirection to the SP with the IDP's response, /openam/AuthConsumer/metaAlias/sp will reply.

      javax.servlet.ServletException: AMSetupFilter.doFilter
      	com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:141)
      	org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      root cause
      
      org.apache.jasper.JasperException: java.lang.IllegalStateException: Request not valid!
      	org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:549)
      	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:465)
      	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
      	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      root cause
      
      java.lang.IllegalStateException: Request not valid!
      	org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrlWithKey(SAML2Proxy.java:240)
      	org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrl(SAML2Proxy.java:226)
      	org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.processSamlResponse(SAML2Proxy.java:134)
      	org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:64)
      	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
      	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
      	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      

      Apparently due to the authenticationStep cookie not being set in SAML2.setCookiesForRedirects().

              // Set the return URL Cookie
              for (String domain : domains) {
                  CookieUtils.addCookieToResponse(response,
                          CookieUtils.newCookie(Constants.AM_LOCATION_COOKIE, originalUrl.toString(), "/", domain));
              }
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                markdr Mark de Reeper
                Reporter:
                andrew.dunn Andrew Dunn [X] (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: