[OPENAM-11217] SAML2 Authentication module is not invoking custom SP Adapter class implementing a preSingleSignOnRequest() method. Created: 30/May/17  Updated: 28/Nov/17  Resolved: 14/Jun/17

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 13.5.0, 14.0.0
Fix Version/s: 13.5.2, 14.1.1, 14.5.0

Type: Bug Priority: Minor
Reporter: Kamal Sivanandam Assignee: Kamal Sivanandam
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Linux/Tomcat 8.5.9

Attachments: File ADFS_SPAdapter-1.0.0-SNAPSHOT.jar
Issue Links:
Duplicate
is duplicated by OPENAM-11108 OpenAM SPAdapter.preSingleSignOnReque... Resolved
Target Version/s:
Sprint: AM Sustaining Sprint 39
Story Points: 2
Support Ticket IDs:
Verified Version/s:

Description

The SAML2 Authentication module does not invoke a custom SP Adapter class that implements the preSingleSignOnRequest() method. The same adapter is invoked correctly when the SAML flow is started through spssoinit.jsp.

SPSSOFederate#initiateAuthnRequest()

            // create AuthnRequest 
            AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID, paramsMap, spConfigAttrsMap,
                    extensionsList, spsso, idpsso, ssoURL, false);
            if (null != auditor && null != authnRequest) {
                auditor.setRequestId(authnRequest.getID());
            }

            // invoke SP Adapter class if registered
            SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityID, realmName);
            if (spAdapter != null) {
                spAdapter.preSingleSignOnRequest(spEntityID, idpEntityID, realmName, request, response, authnRequest);
            }

            String authReqXMLString = authnRequest.toXMLString(true, true);

The same pattern is followed in SPSSOFederate#initiateECPRequest():

            // create AuthnRequest 
            AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID,
                paramsMap, spConfigAttrsMap, extensionsList, spsso, null, null,
                true);

            // invoke SP Adapter class if registered
            SAML2ServiceProviderAdapter spAdapter =
                SAML2Utils.getSPAdapterClass(spEntityID, realm);
            if (spAdapter != null) {
                spAdapter.preSingleSignOnRequest(spEntityID, realm, null,
                    request, response, authnRequest);
            }

            String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID,
                SAML2Constants.SP_ROLE);

Whereas the SAML2 Authentication module, in SAML2#initiateSAMLLoginAtIDP(), calls SPSSOFederate.createAuthnRequest() but never invokes the registered SP Adapter class:

        String ssoURL = endPoint.getLocation();
        SAML2Utils.debug.message("SAML2 :: initiateSAMLLoginAtIDP()  ssoURL : {}", ssoURL);

        final List extensionsList = SPSSOFederate.getExtensionsList(spEntityID, realm);
        final Map<String, Collection<String>> spConfigAttrsMap
                = SPSSOFederate.getAttrsMapForAuthnReq(realm, spEntityID);
        authnRequest = SPSSOFederate.createAuthnRequest(realm, spEntityID, params,
                spConfigAttrsMap, extensionsList, spsso, idpsso, ssoURL, false);
        final AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, spEntityID, null,
                authnRequest, null, params);

        synchronized (SPCache.requestHash) {
            SPCache.requestHash.put(authnRequest.getID(), reqInfo);
        }

        saveAuthnRequest(authnRequest, reqInfo);

One possible solution would be to move the SP Adapter invocation block into SPSSOFederate#createAuthnRequest(), so that every caller of the factory gets the hook.
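Because deployments use preSingleSignOnRequest() to adjust the AuthnRequest before it is sent, an entry point that skips the hook means requests issued through the SAML2 module carry none of those adjustments. The following is an added, self-contained Java model (not OpenAM code; the class and method names are simplified stand-ins for the OpenAM ones they are named after, and the adapter, realm and entity IDs are constructed) that runs both entry points against the factory as it stands and against the proposed change:

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;

public class SpAdapterHookDemo {

    /** Constructed stand-in for AuthnRequest: only the fields this demo needs. */
    static final class AuthnRequest {
        final String id = "_" + UUID.randomUUID();
        final List<String> requestedAuthnContext = new ArrayList<>();
    }

    /** Constructed stand-in for SAML2ServiceProviderAdapter, reduced to the one hook at issue. */
    interface SpAdapter {
        void preSingleSignOnRequest(String spEntityId, String idpEntityId, String realm, AuthnRequest req);
    }

    /** Stand-in for the lookup SAML2Utils.getSPAdapterClass() performs against the hosted SP config. */
    static final Map<String, SpAdapter> ADAPTERS = new HashMap<>();

    static SpAdapter getSpAdapter(String spEntityId, String realm) {
        return ADAPTERS.get(realm + "|" + spEntityId);
    }

    /** The "invoke SP Adapter class if registered" block quoted in the report. */
    static void invokeAdapter(String realm, String spEntityId, String idpEntityId, AuthnRequest req) {
        SpAdapter adapter = getSpAdapter(spEntityId, realm);
        if (adapter != null) {
            adapter.preSingleSignOnRequest(spEntityId, idpEntityId, realm, req);
        }
    }

    /** Factory as it stands in the report: each caller is responsible for the adapter hook. */
    static AuthnRequest createAuthnRequestCurrent(String realm, String spEntityId, String idpEntityId) {
        return new AuthnRequest();
    }

    /** Factory after the proposed change: the hook runs here, so every caller gets it exactly once. */
    static AuthnRequest createAuthnRequestProposed(String realm, String spEntityId, String idpEntityId) {
        AuthnRequest req = new AuthnRequest();
        invokeAdapter(realm, spEntityId, idpEntityId, req);
        return req;
    }

    /** Path 1: spSSOInit.jsp -> SPSSOFederate#initiateAuthnRequest(), which invokes the hook itself. */
    static AuthnRequest viaSpSsoInit(boolean proposed, String realm, String sp, String idp) {
        if (proposed) {
            return createAuthnRequestProposed(realm, sp, idp); // block moved into the factory
        }
        AuthnRequest req = createAuthnRequestCurrent(realm, sp, idp);
        invokeAdapter(realm, sp, idp, req);                    // block still in the caller
        return req;
    }

    /** Path 2: SAML2 auth module -> SAML2#initiateSAMLLoginAtIDP(), which only calls the factory. */
    static AuthnRequest viaSaml2Module(boolean proposed, String realm, String sp, String idp) {
        return proposed ? createAuthnRequestProposed(realm, sp, idp)
                        : createAuthnRequestCurrent(realm, sp, idp);
    }

    public static void main(String[] args) {
        final String realm = "/", sp = "hosted_SP", idp = "hosted_IDP"; // constructed sample IDs
        // A constructed custom adapter that leaves a visible trace of having run by
        // tightening the authentication context the SP asks the IdP for.
        ADAPTERS.put(realm + "|" + sp, (spId, idpId, r, req) ->
                req.requestedAuthnContext.add(
                        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));

        for (boolean proposed : new boolean[] {false, true}) {
            AuthnRequest jsp = viaSpSsoInit(proposed, realm, sp, idp);
            AuthnRequest mod = viaSaml2Module(proposed, realm, sp, idp);
            System.out.printf("%s factory: spSSOInit.jsp hook ran=%b, SAML2 module hook ran=%b%n",
                    proposed ? "proposed" : "current",
                    !jsp.requestedAuthnContext.isEmpty(), !mod.requestedAuthnContext.isEmpty());
        }
    }
}
```

Compile and run with javac/java. With the current factory the hook runs only on the spSSOInit.jsp path; with the hook moved into the factory it runs on both paths, and it is also removed from the initiateAuthnRequest()/initiateECPRequest() callers in the model so the JSP path does not invoke it twice. A deployment can apply the same check in practice by watching for the adapter's debug output on each entry point, as the reproduction steps in the comments below do.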

Workaround: this only affects deployments with a custom SP Adapter; start the SAML flow through spssoinit.jsp instead of the SAML2 Authentication module.

Comments
Comment by Ľubomír Mlích [ 29/Jun/17 ]

Hello,

is it possible to describe more in detail how to verify the bug?

1. Set up a Federation environment with IDP and SP
2. On the SP OpenAM, in the hosted SP configuration, set the SPAdapter option to what value? Is there a testing class, or is it necessary to write one myself?
3. Add the SAML2 authentication module to the default authentication chain
4. Log in and see if the post-authentication algorithm task is done

Thanks

Comment by Ľubomír Mlích [ 30/Jun/17 ]

Thanks for the help. I think I've configured it OK, but I still don't see preSingleSignOnRequest() from the Adapter executed when using the SAML2 module to authenticate. I see it is executed when calling spSSOInit.jsp.

Steps:

  1. Set up a Federation environment with IDP and SP
  2. Install the custom adapter (stop AM, cp ADFS_SPAdapter-1.0.0-SNAPSHOT.jar /opt/tomcat/webapps/openam/WEB-INF/lib/, start AM, change config of hosted SP - Assertion processing - Adapter = com.forgerock.demo.federation.ADFSServiceProviderAdapter)
  3. Create a SAML authentication chain with the SAML2 module using the reconfigured hosted SP (IdP Entity ID=hosted_IDP, SP MetaAlias=/sp)

Then I try:

  1. http://sp.example.com:8082/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=hosted_IDP
  2. http://sp.example.com:8082/openam/XUI/#login/authIndexType=service&authIndexValue=samlChain

Which should imho do the same, but it does not. The first writes to the debug log, the second does not. I have the same behavior in 14.0 and 14.1.1-M3.
Can you check it again, please?

Thank you.

Comment by Nemanja Lukic [ 18/Jul/17 ]

Verified in RC1 for 14.1.1

Generated at Sat Nov 28 12:10:19 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.