Identity Gateway / OPENIG-3765

CDSSO filter causes POST/redirect loop when used with auth tree


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: OpenAM
    • Environment: IG 7.0.0-M2019.5, AM 6.5.2

      Description

      To reproduce:
      1) Set up AM and IG for CDSSO as per the Gateway Guide chapter 5.3. AM service configuration should look something like this:

      {
        "name": "AmService-1",
        "type": "AmService",
        "config": {
          "url": "http://login.domain.name:80/am",
          "realm": "/myRealm",
          "ssoTokenHeader": "iPlanetDirectoryPro",
          "version": "6.5.2",
          "agent": {
            "username": "ig-agent",
            "password": "Passw0rd"
          },
          "sessionCache": {
            "enabled": false
          }
        }
      }

      2) Create a route that includes the CDSSO filter, like this (the route's handler is the arbitrary protected resource, in my case a static response handler):

      {
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "CrossDomainSingleSignOnFilter-1",
                "type": "CrossDomainSingleSignOnFilter",
                "config": {
                  "redirectEndpoint": "/ig/cdssoredirect",
                  "authCookie": {
                    "path": "/",
                    "name": "ig-token-cookie",
                    "domain": "customera.testdomain.name"
                  },
                  "amService": "AmService-1"
                }
              }
            ],
            "handler": {
              "type": "StaticResponseHandler",
              "config": {
                "status": 200,
                "reason": "OK",
                "entity": "Protected resource"
              }
            }
          }
        }
      }

      3) Test the flow with e.g. user demo - works.
      4) Now on AM, change the realm's organization authentication configuration from the default ldapService to a tree, for instance the 'Example' one.
      5) Clear cookies and re-test the flow. You'll see a loop of POSTs to the cdssoredirect endpoint on IG, each followed by a 302 to AM's oauth2/authorize endpoint, until the loop eventually stops with a 200 and the error message:

      Error 'invalid_request' during authentication because of 'Invalid request on redirect endpoint'

      On comparing the session tokens produced by the chain vs. the tree, I noticed the following differences:
      • successURL: points to "/am/console" (chain), but to ".../oauth2/authorize/..." (tree)
      • AuthType: "DataStore" (chain), not present (tree)
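The loop described in step 5 leaves a recognisable trace in the gateway's access log: the same client repeatedly POSTing to the CDSSO redirect endpoint and being sent straight back to AM's oauth2/authorize endpoint, where a healthy flow has exactly one such hop before the client lands on the protected resource. The following detector is an added example, not code from the issue, from IG or from AM; it parses constructed log lines in a hypothetical one-line-per-request format (timestamp, client, method, path, status, optional Location) and counts, per client, how many times a POST to the redirect endpoint was answered with a 302 back to the authorize endpoint. The log format, the sample lines and the threshold of three repeats are assumptions; the endpoint paths and host names come from the issue.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log in a hypothetical format (not real IG output):
# <timestamp> <client> <method> <path> <status> [Location=<url>]
# Client 10.0.0.5 shows the healthy flow; client 10.0.0.9 shows the loop
# from the issue (repeated POST /ig/cdssoredirect -> 302 to oauth2/authorize,
# ending in a 200 that carries the 'invalid_request' error page).
SAMPLE_LOG = """\
2019-06-03T10:00:00Z 10.0.0.5 GET /protected 302 Location=http://login.domain.name/am/oauth2/authorize?realm=%2FmyRealm
2019-06-03T10:00:01Z 10.0.0.5 POST /ig/cdssoredirect 302 Location=http://customera.testdomain.name/protected
2019-06-03T10:00:02Z 10.0.0.5 GET /protected 200
2019-06-03T10:05:00Z 10.0.0.9 GET /protected 302 Location=http://login.domain.name/am/oauth2/authorize?realm=%2FmyRealm
2019-06-03T10:05:01Z 10.0.0.9 POST /ig/cdssoredirect 302 Location=http://login.domain.name/am/oauth2/authorize?realm=%2FmyRealm
2019-06-03T10:05:02Z 10.0.0.9 POST /ig/cdssoredirect 302 Location=http://login.domain.name/am/oauth2/authorize?realm=%2FmyRealm
2019-06-03T10:05:03Z 10.0.0.9 POST /ig/cdssoredirect 302 Location=http://login.domain.name/am/oauth2/authorize?realm=%2FmyRealm
2019-06-03T10:05:04Z 10.0.0.9 POST /ig/cdssoredirect 302 Location=http://login.domain.name/am/oauth2/authorize?realm=%2FmyRealm
2019-06-03T10:05:05Z 10.0.0.9 POST /ig/cdssoredirect 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: Location=(?P<location>\S+))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    return record


def count_cdsso_bounces(
    lines: List[str],
    redirect_endpoint: str = "/ig/cdssoredirect",
    authorize_marker: str = "/oauth2/authorize",
) -> Dict[str, int]:
    """Per client, count POSTs to the CDSSO redirect endpoint that were answered
    with a 302 whose Location points back at AM's authorize endpoint.
    A healthy CDSSO flow produces zero such bounces (the POST redirects to the
    protected resource); every extra bounce is one more iteration of the loop."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bounced = (
            rec["method"] == "POST"
            and rec["path"].startswith(redirect_endpoint)
            and rec["status"] == 302
            and rec["location"] is not None
            and authorize_marker in rec["location"]
        )
        if bounced:
            counts[rec["client"]] += 1
    return dict(counts)


def find_looping_clients(lines: List[str], threshold: int = 3, **kwargs) -> List[str]:
    """Return the clients whose bounce count reaches the threshold, sorted."""
    return sorted(c for c, n in count_cdsso_bounces(lines, **kwargs).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bounces per client:", count_cdsso_bounces(lines))
    print("looping clients:", find_looping_clients(lines))
```

Run against a real access log, the same check distinguishes a genuine CDSSO loop (many bounces from one client in a short window) from the single expected round trip, which is useful both for confirming the reproduction and for alerting when a routing or authentication-tree change reintroduces the behaviour.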

      Reporter: Tim Vogt (tim.vogt)