[AMAGENTS-70] WPA4 Fetch attributes for Not enforced URL not entirely working Created: 04/May/16  Updated: 11/Apr/17  Resolved: 07/Nov/16

Status: Closed
Project: OpenAM Agents
Component/s: Doc, Web Agents
Affects Version/s: 4.0.0
Fix Version/s: 5.0.0.0, 4.1.0

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: Chris Lee
Resolution: Fixed Votes: 0
Labels: AME, EDISON, SHAKESPEARE, regression-3-spec, release-notes, test-candidate
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Verified Version/s:
QA Assignee: edwardb
Sprint: Sprint 115 Team Shakespeare
Cases: 12812
Support Ticket IDs:
Epic Link: Docs: Agents 4.1.0 Release

 Description   

For WebAgent 4.0.0, 4.0.1 and 4.0.1-1 (with OpenAM 13.0.0), with
the NotEnforced URL Fetch attributes enabled,
( com.sun.identity.agents.config.notenforced.url.attributes.enable=true ),
it seems that the response Attributes are not fetched from
Not-enforced URL.

Testcase

  • Install OpenAM 13. (root realm)
  • Define a single policy, say ://:/test/.jsp, that dumps the headers.
    Also do some Policy response attributes for this policy.
  • Create a webagent profile and map some Response Attribute,
    profile Attribute to HTTP_HEADERs
  • You may define a not-enforced URL to test the not-enforced case
    for checking the fetch attribute.
  • Authenticate beforehand to get the SSO token,
    test the resulting URL enforced and notenforced to see the
    Fetched HTTP header attributes.

Result

  • PolicyEnforced URL: ALL HTTP header for Profile and response appears
  • NotEnforced URL: Response attribute not seen.

Expected Result

  • NotEnforced URL: Response attribute is seen.

Some notes:

  • Debug logs on the policy agent show that the policy agent sent "response-attributes-only" to openam/policyservice and the returned Response Attributes do not have the Policy's response attribute when a not-enforced URL is used.

<Quote>
https://forgerock.org/openam/doc/OpenAM-4.0.0-SNAPSHOT-Web-Users-Guide.pdf
Fetch Attributes for Not Enforced URLs
When enabled, the agent fetches profile, response, and session attributes
that are mapped by doing policy evaluation, and forwards these attributes to
not enforced URLs.
Property: com.sun.identity.agents.config.notenforced.url.attributes.enable
</Quote>



 Comments   
Comment by C-Weng C [ 05/May/16 ]

Affects:

  • The feature works on 3.3.4 (i.e. the 3.3.x series) without problem for all fetch attribute types.
  • The not-enforced Fetch attribute does not work on 4.0.x (for Response Policy Attribute).

The reason being that 3.3.x issues the following PLL request

 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Policy" reqid="11">
<Request><![CDATA[
<PolicyService version="1.0">
<PolicyRequest requestId="3" appSSOToken="....">
<GetResourceResults userSSOToken="..." serviceName="iPlanetAMWebAgentService" resourceName="http://openam.example.com:8000/notenforced/dumpheaders.pl" resourceScope="self">

but 4.0.x uses resourceScope="response-attributes-only".
Notice the resourceScope is self, but in 4.0.x it is `resourceScope="response-attributes-only"`.
So I guess the fix is in process.c:1002 to make the scope "Self".
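
Added example, not part of the comment above and not ForgeRock code: a Python check that unwraps a PLL `RequestSet` captured from agent debug logs and reports the `resourceScope` sent for not-enforced resources, which is the difference between 3.3.x and 4.0.x that the comment describes. The sample request is constructed from the quoted fragment; the placeholder tokens, the closing tags and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

URL = "http://openam.example.com:8000/notenforced/dumpheaders.pl"


def sample_request(scope):
    """Constructed sample: the quoted request shape, with placeholder tokens
    and the closing tags added so that it parses."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<RequestSet vers="1.0" svcid="Policy" reqid="11">\n'
        "<Request><![CDATA[\n"
        '<PolicyService version="1.0">\n'
        '<PolicyRequest requestId="3" appSSOToken="APP-TOKEN-PLACEHOLDER">\n'
        '<GetResourceResults userSSOToken="USER-TOKEN-PLACEHOLDER" '
        f'serviceName="iPlanetAMWebAgentService" resourceName="{URL}" '
        f'resourceScope="{scope}"/>\n'
        "</PolicyRequest>\n</PolicyService>\n]]></Request>\n</RequestSet>\n"
    )


def resource_scopes(pll_xml):
    """Return (resourceName, resourceScope) for each GetResourceResults element."""
    outer = ET.fromstring(pll_xml.encode("utf-8"))
    if outer.tag != "RequestSet" or outer.get("svcid") != "Policy":
        return []
    found = []
    for req in outer.iter("Request"):
        # The policy request is a second XML document carried as CDATA text.
        body = (req.text or "").strip()
        if not body:
            continue
        inner = ET.fromstring(body.encode("utf-8"))
        for node in inner.iter("GetResourceResults"):
            found.append((node.get("resourceName"), node.get("resourceScope")))
    return found


def flag_not_enforced(pll_xml, prefixes):
    """List not-enforced resources requested with a scope other than "self"."""
    return [
        (name, scope)
        for name, scope in resource_scopes(pll_xml)
        if name and scope != "self" and name.startswith(tuple(prefixes))
    ]


if __name__ == "__main__":
    for scope in ("self", "response-attributes-only"):
        print(scope, flag_not_enforced(sample_request(scope), [URL.rsplit("/", 1)[0]]))
```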

Comment by edwardb [ 13/Oct/16 ]

For OpenAM13 and Agent 4.01

Steps
1) Authenticate against an enforced URL
2) Access the enforced URL
3) Check the response attributes should have the response attributes and the profile attributes
4) Access the non-enforced URL
5) Check the response attributes and can no longer see response attributes and the profile attributes (HTTP_PROFILE_ATTR_CN) (HTTP_RESPONSE_ATTR_ONE)

The response attribute has vanished

For OpenAM13 and Agent 4.1.0RC1

1) Authenticate against an enforced URL
2) Access the enforced URL
3) Check the response attributes should have the response attributes and the profile attributes (HTTP_PROFILE_ATTR_CN, HTTP_RESPONSE_ATTR_ONE)
4) Access the non-enforced URL

The response attribute is still there

Comment by Chris Lee [ 07/Nov/16 ]

To appear in the release notes queries, the Jira must:

  1. Have the Resolved status.
  2. Have the fixVersion set to the versions of the release to appear in.
  3. Have the `release-notes` label.

Where there is some manual documentation work to perform, for example a breaking change from a previous version, please create us a separate documentation Jira.
Marking as resolved so it appears in the release notes.

Generated at Mon Mar 01 22:43:33 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.