[OPENAM-12914] OpenDJ password policy preventing SAML dynamic user from being created Created: 13/Apr/18  Updated: 13/Apr/18  Resolved: 13/Apr/18

Status: Closed
Project: OpenAM
Component/s: authentication, SAML, WS Federation
Affects Version/s: 5.5.1
Fix Version/s: None

Type: Bug Priority: Blocker
Reporter: Jobby Thomas Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

AM 5.5.1
OpenDJ


Issue Links:
Duplicate
duplicates OPENAM-11521 OpenAM should not generate a password... Open
Support Ticket IDs:

 Description   

OpenAM is acting as an SP, and the client needs to dynamically provision accounts, if they don't exist, from an incoming SAML assertion. The client has set up the hosted SP according to this guide: https://backstage.forgerock.com/docs/am/5.5/saml2-guide/#auto-federation
The client wants to map users based on the mail attribute ("email" in the incoming SAML assertion).
However, the client receives an error when a user attempts to federate (and the user is sent back to the OpenAM login screen):
SPACSUtils.processResponse : error code=-1
com.sun.identity.plugin.session.SessionException: Login failed with unknown reason.

Furthermore, the client is using a password policy from OpenDJ.

Upon troubleshooting and trying 2-3 tests:
when creating a SAML dynamic user with the password policy in place (following the rules of the policy), it fails.
It gives the following error in the authentication logs:

amAuth:04/13/2018 12:44:02:275 PM EDT: Thread[default task-1,5,main]: TransactionId[]
Creating user entry: 
amAuth:04/13/2018 12:44:02:275 PM EDT: Thread[default task-1,5,main]: TransactionId[]
aliasList : null
amAuth:04/13/2018 12:44:02:275 PM EDT: Thread[default task-1,5,main]: TransactionId[]
userCreationAttributes is : {EEEmployeeId=[], EECaseId=[], sn=[Masek], mail=[, givenName=[]}
amAuth:04/13/2018 12:44:02:288 PM EDT: Thread[default task-1,5,main]: TransactionId[]
ERROR: Cannot create user profile for: 
amAuth:04/13/2018 12:44:02:288 PM EDT: Thread[default task-1,5,main]: TransactionId[]
Stack trace: 
Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain characters from at least 3 of the following character sets or ranges: '~!@#$%^&*()-_=+[]{}|;:,.<>/?', '0123456789', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'

 at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2508)
 at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:688)
 at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)
 at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:463)
 at com.sun.identity.authentication.service.LoginState.createUserIdentity(LoginState.java:5448)
 at com.sun.identity.authentication.service.LoginState.createUserProfile(LoginState.java:1925)
 at com.sun.identity.authentication.service.LoginState.getCreateUserProfile(LoginState.java:2553)
 at com.sun.identity.authentication.service.LoginState.searchUserProfile(LoginState.java:2394)
 at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:553)
 at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
 at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1235)
 at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1221)
 at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:245)
 at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1220)
 at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
 at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433)
 at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:402)
 at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:346)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
 at io.undertow.websockets.jsr.JsrWebSocketFilter.doFilter(JsrWebSocketFilter.java:130)
 at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
 at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
 at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
 at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(Audit

in federation logs

libSAML2:04/13/2018 12:44:02:292 PM EDT: Thread[default task-1,5,main]: TransactionId[]
ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: Login failed with unknown reason.
 at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1241)
 at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:317)
 at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433)
 at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:402)
 at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:346)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
 at io.undertow.websockets.jsr.JsrWebSocketFilter.doFilter(JsrWebSocketFilter.java:130)
 at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)

in the IdRepo logs

DJLDAPv3Repo:04/13/2018 12:44:02:284 PM EDT: Thread[default task-1,5,main]: TransactionId[]
ERROR: Unable to add a new entry:  attrMap: {givenName=[], cn=[], objectclass=[iplanet-am-managed-person, inetuser, sunFederationManagerDataStore, sunFMSAML2NameIdentifier, inetorgperson, devicePrintProfilesContainer, sunIdentityServerLibertyPPService, pushDeviceProfilesContainer, iPlanetPreferences, iplanet-am-user-service, forgerock-am-dashboard-service, organizationalperson, top, EEOC, kbaInfoContainer, oathDeviceProfilesContainer, person, sunAMAuthAccountLockout, iplanet-am-auth-configuration-service], sn=[Masek], inetuserstatus=[Active], EECaseId=[5], uid=[], EEEmployeeId=[], mail=[], userpassword=xxx...}
org.forgerock.opendj.ldap.ConstraintViolationException: Constraint Violation: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain characters from at least 3 of the following character sets or ranges: '~!@#$%^&*()-_=+[]{}|;:,.<>/?', '0123456789', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'
 at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:190)
 at org.forgerock.opendj.ldap.LdapClientImpl$Exchange.onNext(LdapClientImpl.java:640)
 at org.forgerock.opendj.ldap.LdapClientImpl$Exchange.onNext(LdapClientImpl.java:554)
 at org.forgerock.opendj.ldap.DemultiplexerImpl$DemultiplexedStream.tryOnNextFastPath(DemultiplexerImpl.java:432)
 at org.forgerock.opendj.ldap.DemultiplexerImpl$DemultiplexedStream.onNextAndOptionallyComplete(DemultiplexerImpl.java:392)
 at org.forgerock.opendj.ldap.DemultiplexerImpl.onNext(DemultiplexerImpl.java:162)
 at io.reactivex.internal.operators.flowable.FlowableDoFinally$DoFinallySubscriber.onNext(FlowableDoFinally.java:85)
 at io.reactivex.internal.operators.flowable.FlowableDoOnEach$DoOnEachSubscriber.onNext(FlowableDoOnEach.java:91)
 at io.reactivex.internal.operators.flowable.FlowableOnErrorNext$OnErrorNextSubscriber.onNext(FlowableOnErrorNext.java:69)
 at io.reactivex.internal.operators.flowable.FlowableFilter$FilterSubscriber.tryOnNext(FlowableFilter.java:74)
 at io.reactivex.internal.operators.flowable.FlowableFilter$FilterSubscriber.onNext(FlowableFilter.java:52)
 at io.reactivex.internal.operators.flowable.FlowableDoOnEach$DoOnEachConditionalSubscriber.onNext(FlowableDoOnEach.java:208)
 at org.forgerock.opendj.grizzly.GrizzlyLdapSocketFilter$GrizzlyReader.handleRead(GrizzlyLdapSocketFilter.java:201)
 at org.forgerock.opendj.grizzly.GrizzlyLdapSocketFilter.handleRead(GrizzlyLdapSocketFilter.java:102)
 at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
 at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
 at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
 at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
 at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
 at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
 at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:539)
 at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
 at org.glassfish.grizzly.strategies.SameThreadIOStrategy.executeIoEvent(SameThreadIOStrategy.java:103)
 at org.glassfish.grizzly.strategies.AbstractIOStrategy.executeIoEvent(AbstractIOStrategy.java:89)
 at org.glassfish.grizzly.nio.SelectorRunner.iterateKeyEvents(SelectorRunner.java:415)
 at org.glassfish.grizzly.nio.SelectorRunner.iterateKeys(SelectorRunner.java:384)
 at org.glassfish.grizzly.nio.SelectorRunner.doSelect(SelectorRunner.java:348)
 at org.glassfish.grizzly.nio.SelectorRunner.run(SelectorRunner.java:279)
 at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
 at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
 at java.lang.Thread.run(Thread.java:745)
amIdm:04/13/2018 12:44:02:287 PM EDT: Thread[default task-1,5,main]: TransactionId[]
ERROR: IdServicesImpl.create: Create: Fatal Exception
Message:Plug-in org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo encountered an ldap exception 19: The password value for attribute userPassword was found to be unacceptable: The provided password did not contain characters from at least 3 of the following character sets or ranges: '~!@#$%^&*()-_=+[]{}|;:,.<>/?', '0123456789', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'

 at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.handleErrorResult(DJLDAPv3Repo.java:2508)
 at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.create(DJLDAPv3Repo.java:688)
 at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:427)

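The check that rejected the add above, as an added Python example (this is not code from OpenAM or OpenDJ): it reproduces the rule stated in the OpenDJ error message, "characters from at least 3 of the following character sets", using the four sets copied from that message, so a candidate userPassword value can be tested before an entry is sent to the directory. The assumptions are that characters outside the four listed sets are simply ignored (OpenDJ's validator can be configured to reject them instead), and the helper that loops until a compliant value is drawn is an illustration, not how OpenAM builds the password it sends.

```python
import secrets
import string

# Character sets exactly as listed in the OpenDJ ConstraintViolationException
# on this page; the order matches the error text.
CHARACTER_SETS = (
    "~!@#$%^&*()-_=+[]{}|;:,.<>/?",
    string.digits,            # '0123456789'
    string.ascii_uppercase,   # 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    string.ascii_lowercase,   # 'abcdefghijklmnopqrstuvwxyz'
)
MIN_CHARACTER_SETS = 3        # "at least 3 of the following character sets"


def character_sets_hit(password: str) -> int:
    """Number of the listed sets that contribute at least one character."""
    return sum(1 for charset in CHARACTER_SETS if any(ch in charset for ch in password))


def satisfies_policy(password: str, min_sets: int = MIN_CHARACTER_SETS) -> bool:
    """True when OpenDJ's character-set rule, as quoted in the error, would accept it.
    Assumption: characters outside the four sets are ignored, not rejected."""
    return character_sets_hit(password) >= min_sets


def explain_rejection(password: str, min_sets: int = MIN_CHARACTER_SETS) -> str:
    """Short reason string a provisioning job could log instead of 'unknown reason'."""
    hit = character_sets_hit(password)
    if hit >= min_sets:
        return "ok"
    return f"only {hit} of {len(CHARACTER_SETS)} character sets used, policy needs {min_sets}"


def generate_compliant_password(length: int = 24, min_sets: int = MIN_CHARACTER_SETS) -> str:
    """Illustrative generator (an assumption, not OpenAM's): draw from all four sets
    and retry until the result would pass the rule. With 24 characters a retry
    is rare; the loop exists so short lengths still return a compliant value."""
    alphabet = "".join(CHARACTER_SETS)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if character_sets_hit(candidate) >= min_sets:
            return candidate


if __name__ == "__main__":
    # Constructed samples: a hex-looking value uses only digits + lowercase (2 sets),
    # a single-case value uses 1 set; both would fail the rule quoted in the log.
    for sample in ("3f9a0c7d1e2b", "abcdefghijkl", "Abc123!x", generate_compliant_password()):
        print(f"{sample!r}: {explain_rejection(sample)}")
```

If the live policy differs from the one quoted in the log, read it from the server first; on OpenDJ the validator properties (the sets, the minimum number of sets, and whether unclassified characters are allowed) are shown by `dsconfig get-password-validator-prop --validator-name "Character Set" ...` against the admin port, and the constants above should be updated to match before trusting the check.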

 Comments   
Comment by Jobby Thomas [ 13/Apr/18 ]

duplicate of 

https://bugster.forgerock.org/jira/browse/OPENAM-11521

Generated at Sat Oct 31 02:17:25 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.