Identity Gateway: OPENIG-5327

Provide an implementation of the org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider that makes use of the originalUri


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Do
    • Affects Version/s: 6.5.3, 7.0.0, 7.0.1
    • Fix Version/s: Not Applicable
    • Component/s: SAML
    • Environment: IG acting as a SAML2 SP

      Description

      The current recommended org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider implementation, set via the following property in the FederationConfig.properties file:

      com.sun.identity.plugin.root.url.class.default=org.forgerock.openam.federation.plugin.rooturl.impl.FedletRootUrlProvider

      returns a root URI derived from the details of the current request. The internal SAML logic compares this URI with the value in the SP metadata; if the two do not match, processing halts with an error.

      The FedletRootUrlProvider implementation works with the documented examples, but if a route combines the processing of SAML requests (using the SamlFederationHandler) with all other requests, and sets a baseURI decorator at the top level of the route, it can produce errors about an invalid Assertion Consumer Location (ACL):

      SSO Failed: Invalid Assertion Consumer Location specified

      This is because, by the time the request reaches the FedletRootUrlProvider, it has already been rewritten by the baseURI decorator, so the root URI computed from it no longer matches the SP metadata.

      The workaround is to move the baseURI decorator to the part of the route that handles all the other requests, so that the request processed by the FedletRootUrlProvider is left unchanged.

      An alternative to using the (possibly rewritten) request value would be a new RootUrlProvider implementation that uses the originalUri value from the UriRouterContext, which holds the request URI as received before any rewriting.
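      As an added illustration of the workaround (not part of the original issue or of the IG project), the route below keeps SAML processing and application traffic in a single route but attaches the baseURI decorator only to the handler for non-SAML requests, so requests reaching the SamlFederationHandler (and therefore the FedletRootUrlProvider) keep their original scheme, host and port. The route name, path conditions, backend address and the SamlFederationHandler settings are assumed placeholder values; in the problematic layout the same "baseURI" key sat at the top level of the route, next to "name" and "condition", where it applied to every request including the SAML ones.

```json
{
  "name": "saml-sp-and-app",
  "condition": "${matches(request.uri.path, '^/')}",
  "handler": {
    "type": "DispatchHandler",
    "config": {
      "bindings": [
        {
          "condition": "${matches(request.uri.path, '^/saml')}",
          "handler": {
            "type": "SamlFederationHandler",
            "config": {
              "assertionMapping": {
                "username": "mail"
              },
              "subjectMapping": "sp-subject-name",
              "redirectURI": "/home"
            }
          }
        },
        {
          "handler": {
            "type": "ReverseProxyHandler",
            "baseURI": "http://app.example.com:8081"
          }
        }
      ]
    }
  }
}
```

      The first binding matches the SAML endpoints and is not decorated, so the request the FedletRootUrlProvider inspects is the one the container received and still matches the Assertion Consumer Service location in the SP metadata; the second, unconditional binding rewrites the target only for application traffic being proxied to the backend. A quick check after applying this layout is to repeat the SP-initiated login and confirm that the "Invalid Assertion Consumer Location specified" error no longer appears while the proxied application requests still reach the rewritten backend address.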

              People

              Assignee: Mark de Reeper (markdr)
              Reporter: Mark de Reeper (markdr)
              Votes: 1
              Watchers: 2