[OPENAM-12972] SAML2 Auth Module fails with empty SAML2 Advice assertion. Created: 21/Apr/18  Updated: 13/May/18  Resolved: 13/May/18

Status: Resolved
Project: OpenAM
Component/s: authentication, SAML
Affects Version/s: 5.5.1, 6.0.0
Fix Version/s: 13.5.3, 14.1.2, 6.5.0, 5.5.2

Type: Bug Priority: Minor
Reporter: C-Weng C Assignee: C-Weng C
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Java Source File InjectXMLAdapter.java
Sprint: AM Sustaining Sprint 51
Story Points: 2
Epic Link: Elastically scalable - SAML
Needs backport:
No
Needs QA verification:
No
Functional tests:
No
Are the reproduction steps defined?:
Yes, and I used the same as in the description

Description

Bug description

When using the SAML2 integrated authentication module and the Assertion carries a SAML2 Advice element,
the following can happen:

Exception
javax.security.auth.login.LoginException: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
        at java.lang.AbstractStringBuilder.deleteCharAt(AbstractStringBuilder.java:824)
        at java.lang.StringBuilder.deleteCharAt(StringBuilder.java:253)
        at org.forgerock.openam.authentication.modules.saml2.SAML2.linkAttributeValues(SAML2.java:678)
        at org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionAttributes(SAML2.java:515)
        at org.forgerock.openam.authentication.modules.saml2.SAML2.success(SAML2.java:500)
        at org.forgerock.openam.authentication.modules.saml2.SAML2.handleReturnFromRedirect(SAML2.java:347)
        at org.forgerock.openam.authentication.modules.saml2.SAML2.process(SAML2.java:177)

How to reproduce the issue

  1. Create an IDP whose Response contains an empty Advice element on the Assertion (the IDP DefaultAdapter preSign hook can be used to inject this).
  2. Set up the SAML2 auth module on the SP and authenticate to this SP.
  3. When the module links the attributes, the error occurs and authentication fails.

This can be set up on the IDP by adding an IDPAdapter that creates an Advice element on the Assertion in the Response, then using the SP SAML2 Auth module against this IDP. A sample IDPAdapter is provided in the attachment.

Expected behaviour
No error
Current behaviour
Failure with exceptions in Authentication logs

Work around

Code analysis

SAML2.java
        if (assertion.getAdvice() != null) {
            List<String> creds = assertion.getAdvice().getAdditionalInfo();
            attrMap.put(SAML2Constants.DISCOVERY_BOOTSTRAP_CREDENTIALS, new HashSet<>(creds)); <---- *** ISSUE *** (empty)
        }

        for (String name : attrMap.keySet()) {
            Set<String> value = attrMap.get(name);
            StringBuilder toStore = new StringBuilder();

            // | is defined as the property value delimiter, cf FMSessionProvider#setProperty
            for (String toAdd : value) {
                toStore.append(com.sun.identity.shared.StringUtils.getEscapedValue(toAdd))
                        .append(PROPERTY_VALUES_SEPARATOR);
            }
            toStore.deleteCharAt(toStore.length() - 1); <---- toStore is 0 LENGTH
            setUserSessionProperty(name, toStore.toString());
        }

The obvious fix is to strip the trailing separator only when at least one value was appended:

            if (value.size() > 0) {
                for (String toAdd : value) {
                    toStore.append(com.sun.identity.shared.StringUtils.getEscapedValue(toAdd))
                            .append(PROPERTY_VALUES_SEPARATOR);
                }
                toStore.deleteCharAt(toStore.length() - 1);
            }
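As an added stand-alone illustration (not code from the OpenAM project or from this issue's attachment), the following class reproduces the joining loop above on an empty value set and shows the guarded version side by side. The separator character, the escape stand-in and the method names are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

// Constructed reproduction of OPENAM-12972: the session-property joining loop
// from SAML2#linkAttributeValues, before and after the guard. Separator,
// escape helper and method names are assumptions, not OpenAM's own code.
public class EmptyAdviceRepro {
    // Assumed to match PROPERTY_VALUES_SEPARATOR in the module.
    static final char PROPERTY_VALUES_SEPARATOR = '|';

    // Stand-in for com.sun.identity.shared.StringUtils.getEscapedValue (assumption).
    static String escape(String s) {
        return s.replace("\\", "\\\\").replace("|", "\\|");
    }

    // Before: always strips a trailing separator, even when nothing was appended,
    // so an empty set drives deleteCharAt(-1) and the exception in the report.
    static String joinBuggy(Set<String> values) {
        StringBuilder toStore = new StringBuilder();
        for (String toAdd : values) {
            toStore.append(escape(toAdd)).append(PROPERTY_VALUES_SEPARATOR);
        }
        toStore.deleteCharAt(toStore.length() - 1);
        return toStore.toString();
    }

    // After: only strip the separator when at least one value was appended.
    static String joinFixed(Set<String> values) {
        StringBuilder toStore = new StringBuilder();
        if (!values.isEmpty()) {
            for (String toAdd : values) {
                toStore.append(escape(toAdd)).append(PROPERTY_VALUES_SEPARATOR);
            }
            toStore.deleteCharAt(toStore.length() - 1);
        }
        return toStore.toString();
    }

    public static void main(String[] args) {
        Set<String> creds = new LinkedHashSet<>();
        creds.add("cred|one");
        creds.add("cred2");
        System.out.println("non-empty: " + joinFixed(creds));
        // An empty Advice yields an empty AdditionalInfo list, hence an empty set.
        Set<String> empty = Collections.emptySet();
        System.out.println("empty (fixed): [" + joinFixed(empty) + "]");
        try {
            joinBuggy(empty);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("empty (buggy): " + e);
        }
    }
}
```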

Generated at Thu Sep 24 14:52:54 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.