[OPENAM-13617] IDP initiated MNI requests to terminate link fail Created: 20/Sep/18  Updated: 29/Jul/19  Resolved: 29/Jul/19

Status: Closed
Project: OpenAM
Component/s: SAML
Affects Version/s: 5.5.2
Fix Version/s: 5.5.2

Type: Bug Priority: Major
Reporter: Ľubomír Mlích Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Target Version/s:
Verified Version/s:


Bug description

The "Terminate Federation from IDP" test fails in 5.5.2 (see https://ci.forgerock.org/job/AM-5.5.x/job/OpenAM-Federation/19/). It is also not working in 5.5.1, where there are two more errors (see https://ci.forgerock.org/job/AM-5.5.x/job/OpenAM-Federation/20/).

How to reproduce the issue

  1. Configure an IDP - SP scenario.
  2. Link the users by logging in on both the IDP and the SP: http://idp.localtest.me:8080/openam/idpssoinit?metaAlias=/idp&spEntityID=oam_sp
  3. Terminate the link via http://sp.localtest.me:8081/openam/SPMniInit?idpEntityID=idp.localtest.me&metaAlias=/sp&requestType=Terminate
  4. Repeat step 2 to create the link again.
  5. Terminate the link via http://idp.localtest.me:8080/openam/IDPMniInit?spEntityID=oam_sp&metaAlias=/idp&requestType=Terminate
  6. Repeat step 2 to verify that the link is terminated.

Expected behaviour

In step 5 there is a message that the federation is terminated. In step 6 we have to log in on the IdP and then on the SP to create the link again.

Current behaviour

In step 5 there is a redirect to login. In step 6 there is only one login, as the link is still there.
There is also an invalid session error in the debug log:
amSSOProvider:09/20/2018 02:24:52:471 odp. CEST: Thread[http-nio-8080-exec-1,5,main]: TransactionId[d8c44642-5469-4071-b2e5-725e18da49a6-844]
could not create SSOToken from HttpRequest (Invalid session ID.Session not found. This likely means it has expired and been removed.)

Workaround

Do SP-initiated federation termination instead of IDP-initiated.
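The debug-log entry quoted in the bug description is the only concrete evidence of the failure on the IDP side, so a defender verifying the fix (or watching for regressions) will want to pull such entries out of the OpenAM debug files automatically. The parser below is an added example, not OpenAM code; the entry layout (a header line `<debug file>:<timestamp>: Thread[...]: TransactionId[...]` followed by message lines) is inferred from the two lines quoted above, the match strings for the invalid-session error are an assumption taken from that same message, and the second log entry in the sample is constructed.

```python
"""Parse OpenAM debug-log entries and flag invalid-session errors.

Added example, not part of OpenAM. The entry format is inferred from the
two lines quoted in OPENAM-13617: a header line of the form

  <debug-file>:<timestamp>: Thread[<name>,<prio>,<group>]: TransactionId[<id>]

followed by one or more message lines, up to the next header.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Header line of a debug entry. The timestamp is locale formatted
# ("odp." is the Slovak PM marker in the quoted line), so it is kept verbatim.
HEADER_RE = re.compile(
    r"^(?P<source>[A-Za-z0-9_.-]+):"        # e.g. amSSOProvider
    r"(?P<timestamp>.+?): "                 # up to the first ": Thread["
    r"Thread\[(?P<thread>[^\]]*)\]: "
    r"TransactionId\[(?P<txid>[^\]]*)\]\s*$"
)

# Assumed match strings, taken from the message quoted in the bug report.
INVALID_SESSION_PATTERNS = (
    "could not create SSOToken",
    "Invalid session ID",
)


@dataclass
class DebugEntry:
    source: str
    timestamp: str
    thread: str
    txid: str
    message_lines: list[str] = field(default_factory=list)

    @property
    def message(self) -> str:
        """Message lines joined into one string for matching."""
        return " ".join(line.strip() for line in self.message_lines)

    def is_invalid_session_error(self) -> bool:
        msg = self.message
        return any(p in msg for p in INVALID_SESSION_PATTERNS)


def parse_debug_log(text: str) -> list[DebugEntry]:
    """Split a debug file into entries; text before the first header is ignored."""
    entries: list[DebugEntry] = []
    current: DebugEntry | None = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = DebugEntry(m["source"], m["timestamp"], m["thread"], m["txid"])
            entries.append(current)
        elif current is not None and line.strip():
            current.message_lines.append(line)
    return entries


def invalid_session_txids(text: str) -> list[str]:
    """TransactionIds of entries that report the invalid-session failure.

    The TransactionId lets you correlate the failing entry with the other
    debug lines written for the same request (here the IDPMniInit request).
    """
    return [e.txid for e in parse_debug_log(text) if e.is_invalid_session_error()]


# Constructed sample: the first entry is the one quoted in the bug report,
# the second is a made-up benign entry to show that it is not flagged.
SAMPLE_LOG = """\
amSSOProvider:09/20/2018 02:24:52:471 odp. CEST: Thread[http-nio-8080-exec-1,5,main]: TransactionId[d8c44642-5469-4071-b2e5-725e18da49a6-844]
could not create SSOToken from HttpRequest (Invalid session ID.Session not found. This likely means it has expired and been removed.)
amSSOProvider:09/20/2018 02:25:10:002 odp. CEST: Thread[http-nio-8080-exec-2,5,main]: TransactionId[constructed-txid-0001]
session validated for HttpRequest (constructed benign line)
"""

if __name__ == "__main__":
    for entry in parse_debug_log(SAMPLE_LOG):
        flag = "INVALID-SESSION" if entry.is_invalid_session_error() else "ok"
        print(f"{flag:15} {entry.txid} {entry.message[:60]}")
```

Run it against a real `amSSOProvider` debug file by reading the file into a string and passing it to `invalid_session_txids`; an empty result after the IDP-initiated Terminate in step 5 is the quick check that the fix holds.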

Comment by Ľubomír Mlích [ 09/Oct/18 ]

It is working well in 5.5.2-RC2 - the sun-fm-saml2-nameid-infokey LDAP attribute was removed - however, I needed to close the browser and open it again before step 4 and before step 6. There was only one login window if I didn't, probably due to some caching. Not sure if that needs further attention.

Comment by Ľubomír Mlích [ 29/Jul/19 ]

Reopening to add the verified version.

Generated at Wed Nov 25 05:05:23 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.