Identity Gateway / OPENIG-384

JwtSession with SAML 2.0 causes loop with OpenAM


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.0
    • Component/s: Core
    • Sprint: 3.1 - QA sprint / bug fixing

    Description

      When setting up OpenIG as described in http://openig.forgerock.org/doc/gateway-guide/index.html#chap-federation with a recent build of OpenAM, OpenAM 12.0.0-SNAPSHOT Build 11387 (2014-November-12 02:35), using "session": "JwtSession" in the 05-saml.json and 05-federate.json routes causes an infinite loop after login.

      Changing to "_session": "JwtSession" eliminates the problem.

      When the default session implementation is used, if I "capture": "filtered_request" on the "StaticRequestFilter" in 05-federate.json, I see this:

      2014-11-17T07:31:01Z:Capture[{StaticRequestFilter}/heap/objects/0/config/bindings/1/handler/config/filters/0].Capture[{StaticRequestFilter}/heap/objects/0/config/bindings/1/handler/config/filters/0]:INFO:

      --- (filtered-request) exchange:73934917 --->

      POST http://www.example.com:8081 HTTP/1.1
      Content-Length: 33
      Content-Type: application/x-www-form-urlencoded

      password=costanza&username=george
      Exchange's content as JSON (without request/response):
      {
          "principal": null,
          "session": {
              "password": "costanza",
              "sessionIndexMapping": "s223d119ca449d92bc9f58821a1bc83f4ee1e8d901",
              "username": "george",
              "subjectName": "44oXDySls9DOdH4eAKwBgKxVbp2l"
          },
          "clientInfo": {
              "remoteHost": "0:0:0:0:0:0:0:1",
              "remoteAddress": "0:0:0:0:0:0:0:1",
              "remotePort": 51615,
              "remoteUser": null,
              "certificates": [],
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:33.0) Gecko/20100101 Firefox/33.0"
          }
      }


      That never shows up when the JwtSession implementation is used. Perhaps "condition": "${empty exchange.session.username}" is always true.

      I'll attach the configuration files that I'm using, though they're very close to what is used in the documentation.
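The following is an added model of the redirect loop described in the report, not OpenIG code and not part of the issue. It takes the reporter's guess at face value: the dispatch condition `${empty exchange.session.username}` reads one session store, and the SAML assertion-consumer step writes `username` / `subjectName` into a session store. The model assumes (hypothetically; the issue does not say this is the root cause) that the loop appears when those are two different stores, and it shows the check a practitioner would want: count the hops and declare a loop after a bounded number of redirects instead of letting the browser spin.

```python
"""Model of a dispatch-condition redirect loop (added example, hypothetical).

Two stores are involved:
  * the store the route condition reads (exposed as exchange.session)
  * the store the SAML consumer writes assertion attributes into
When they are the same dict the request settles on the login chain after one
redirect. When they are different dicts the condition never sees the username
and every pass redirects again.
"""

MAX_HOPS = 10  # bound on redirect hops before we call it a loop

# Attribute values taken from the capture in the report (constructed sample).
SAMPLE_ASSERTION = {
    "username": "george",
    "subjectName": "44oXDySls9DOdH4eAKwBgKxVbp2l",
    "sessionIndexMapping": "s223d119ca449d92bc9f58821a1bc83f4ee1e8d901",
}


class Exchange:
    """Minimal stand-in for OpenIG's exchange object (hypothetical)."""

    def __init__(self, session):
        self.session = session      # what ${exchange.session...} resolves against
        self.trace = []             # which binding handled each pass


def condition_empty_username(exchange):
    """Equivalent of the route condition ${empty exchange.session.username}."""
    return not exchange.session.get("username")


def dispatch(exchange, sp_write_store):
    """One pass through a two-binding dispatch: redirect when no user, else login.

    Returns None when the pass ended in a redirect (browser will come back),
    or the form the StaticRequestFilter would build when the login chain ran.
    """
    if condition_empty_username(exchange):
        exchange.trace.append("redirect-to-idp")
        # The SAML consumer stores the assertion attributes after the IdP
        # round trip; where it stores them is the hypothetical variable here.
        sp_write_store.update(SAMPLE_ASSERTION)
        return None
    exchange.trace.append("login-chain")
    return {"username": exchange.session["username"]}


def run_request(condition_store, sp_write_store, max_hops=MAX_HOPS):
    """Drive passes until the login chain runs or the hop bound is reached.

    Returns (trace, result); result is None when a loop was detected.
    """
    exchange = Exchange(condition_store)
    for _ in range(max_hops):
        result = dispatch(exchange, sp_write_store)
        if result is not None:
            return exchange.trace, result
    return exchange.trace, None


def same_store():
    """Condition and SAML consumer share one session store: no loop."""
    store = {}
    return run_request(store, store)


def split_store():
    """Condition reads one store, SAML consumer writes another: loop."""
    return run_request({}, {})


if __name__ == "__main__":
    for name, fn in (("same store", same_store), ("split store", split_store)):
        trace, result = fn()
        status = "loop detected" if result is None else f"login as {result['username']}"
        print(f"{name}: {len(trace)} hop(s), {status}")
```

`same_store()` settles after one redirect; `split_store()` exhausts the hop bound, which is the behaviour the reporter sees with `"session": "JwtSession"` and the `filtered_request` capture never firing.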

People

  guillaume.sauthier Guillaume Sauthier
  Mark Mark Craig