Identity Gateway / OPENIG-5327

Provide an implementation of the org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider that makes use of the originalUri



    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Do
    • Affects Version/s: 6.5.3, 7.0.0, 7.0.1
    • Fix Version/s: Not Applicable
    • Component/s: SAML
    • Environment: IG acting as a SAML2 SP


The current recommended org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider implementation, set via the following property in the FederationConfig.properties file


returns a URI value based on the current request details. The internal SAML logic compares this URI to the value in the SP metadata and, if these don't match, the process is halted with an error.

The FedletRootUrlProvider implementation works when used with the documented examples, but if a route combines the processing of the SAML requests (using the SamlFederationHandler) with all other requests, and sets a baseURI decorator at the top level of the route, this can lead to error messages about invalid Assertion Consumer Location (ACL) values:

SSO Failed: Invalid Assertion Consumer Location specified

This is because, by the time the request is processed within the FedletRootUrlProvider, the request has already been altered by the baseURI decorator and will no longer match the SP metadata.

The workaround is to move the baseURI decorator to the part of the route that deals with all the other requests, so that the request processed by the FedletRootUrlProvider is unchanged.

An alternative to using the request value would be to make use of the originalUri value returned from the UriRouterContext in a new implementation of the RootUrlProvider.
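As an added illustration that is not part of this issue or of the IG product documentation, the route skeleton below applies the workaround described: the baseURI decorator is placed on the ReverseProxyHandler that serves ordinary application requests, while requests under /saml are dispatched to the SamlFederationHandler with their URI untouched, so the value computed by the FedletRootUrlProvider still matches the SP metadata. The hostnames, paths and the reduced SamlFederationHandler config are constructed for the example.

```json
{
  "name": "saml-sp-route",
  "condition": "${matches(request.uri.path, '^/(saml|home)')}",
  "heap": [
    {
      "name": "SamlFederationHandler",
      "type": "SamlFederationHandler",
      "config": {
        "assertionMapping": {
          "username": "mail"
        },
        "subjectMapping": "sp-subject-name",
        "redirectURI": "/home"
      }
    },
    {
      "name": "AppHandler",
      "type": "ReverseProxyHandler",
      "baseURI": "http://app.example.com:8081"
    }
  ],
  "handler": {
    "type": "DispatchHandler",
    "config": {
      "bindings": [
        {
          "condition": "${matches(request.uri.path, '^/saml')}",
          "handler": "SamlFederationHandler"
        },
        {
          "handler": "AppHandler"
        }
      ]
    }
  }
}
```

Placing "baseURI" at the top level of this route instead would rewrite the SAML request before the FedletRootUrlProvider sees it, reproducing the "Invalid Assertion Consumer Location specified" failure.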





Assignee and reporter: markdr (Mark de Reeper)