[OPENAM-14581] handling ManageNameID fails if NameID does not include SPNameQualifier Created: 11/Mar/19  Updated: 28/Jun/19  Resolved: 19/Apr/19

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0,,,,,, 6.5.0,,, 7.0.0
Fix Version/s:, 6.5.2, 6.0.1, 5.5.2, 7.0.0

Type: Bug Priority: Major
Reporter: Bernhard Thalmayr Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Oracle JDK jdk1.8.0_201
Apache Tomcat/9.0.8
AM 7.0.0 (c36edcc20aab37e8bc86e092e0552951ba0cc6a5)

Attachments: File OPENAM-14581-diff.git    
Target Version/s:
Sprint: AM Sustaining Sprint 61, AM Sustaining Sprint 62
Story Points: 3
Needs backport:
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes and I used the same an in the description


Bug description

Producing a ManageNameID response fails if the NameID element of the ManangeNameID request does not include optional attribute SPNameQualifier.

How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

  1. Configure AM as SAML SP
  2. Configure some IdP
  3. Perform account linking flow
  4. Perform IdP-initiated ManageNameID flow to terminate account linking. NameID in the ManageNameID request must not include SPNameQualifier.
Expected behaviour
Account linking should be terminated.
Current behaviour
ManageNameID request fails

Code analysis

    private static NameIDInfo getNameIDInfo(String userID, String hostEntityID,
        String remoteEntityID, String hostRole, String realm,
        String affiliationID, boolean invalidAffiIDAllowed)
        throws SAML2Exception {
        NameIDInfo nameInfo = null;
        if (affiliationID != null) {
            AffiliationDescriptorType affiDesc =
                metaManager.getAffiliationDescriptor(realm, affiliationID);
            if (affiDesc != null) {
                if (hostRole.equals(SAML2Constants.SP_ROLE)) {
                    if (!affiDesc.getAffiliateMember().contains(hostEntityID)){
                        throw new SAML2Exception(SAML2Utils.bundle.getString(
                    nameInfo = AccountUtils.getAccountFederation(userID,
                        affiliationID, remoteEntityID);
                } else {
                    if (!affiDesc.getAffiliateMember().contains(
                        remoteEntityID)) {
                        throw new SAML2Exception(SAML2Utils.bundle.getString(
                    nameInfo = AccountUtils.getAccountFederation(userID,
                        hostEntityID, affiliationID);
            } else if (invalidAffiIDAllowed) {
                nameInfo = AccountUtils.getAccountFederation(userID,
                    hostEntityID, remoteEntityID);
            } else {
                throw new SAML2Exception(SAML2Utils.bundle.getString(
        } else {
            nameInfo = AccountUtils.getAccountFederation(userID, hostEntityID,

        return nameInfo;

affiliationID is not null when SPNameQualifier ist not set, but empty.

Comment by Bernhard Thalmayr [ 11/Mar/19 ]

Attached a proposed fix based on master (c36edcc20aab37e8bc86e092e0552951ba0cc6a5)

Comment by Ľubomír Mlích [ 15/May/19 ]

Reproduced in AM, I can see error as described
Verified as fixed on AM, there is no error and request succeeds.

  • I used Chrome extension Tamper in step 5 of Lawrence's reproduction steps (nice!) to intercept request in browser
  • SAML request from Tamper was URL decoded then base64 decoded and deflated using https://www.samltool.com
  • then I modified request by removing SPNameQualifier attribute and value from XML
  • inflated, base64 encoded and URL encoded resulting XML again using https://www.samltool.com
  • resulting value put back to intercepted request in Tamper
  • allowed Tamper to send modified request
Generated at Wed Sep 30 02:32:02 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.