[OPENAM-15533] WS-Federation doesn't work with Authentication Trees Created: 11/Oct/19 Updated: 12/Mar/20 Resolved: 21/Oct/19
|Fix Version/s:||6.0.1, 18.104.22.168, 5.5.2, 7.0.0, 6.5.3|
|Reporter:||Brad Tarisznyas||Assignee:||Lawrence Yarham|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Sprint:||AM Sustaining Sprint 68|
When the realm is configured with an Authentication Tree and WS-Fed is invoked, an HTTP 500 is returned to the browser on successful authentication.
The WS-Fed integration works if the realm authentication is changed to a standard chain (say ldapservice).
Add a "Set Session Properties" node in the tree before success, with the following key/value:
"AuthType":<name of tree>
Note that the value seems to be unimportant for the federation to succeed, but as a best practice it should be set to something meaningful (e.g. the name of the tree that authenticated the user).
The reason for this is that in IPSigninRequest.sendResponse the auth method ("authMethod") is retrieved from the session, where it somehow maps to the "AuthType" session property.
When using chains/modules, this is the module that authenticated the user. However, it is not set when using trees, which results in the NullPointerException.
|Comment by Lawrence Yarham [ 21/Oct/19 ]|
Have fixed (for both WS-Fed and SAML 1.x flows - see reproduction steps in comments above for each) for master (7.0.0 snapshot) and have backported to 6.5.x and 6.0.x sustaining branches. Backport for 5.5.x is created and tested and PR is open, awaiting completion of 5.5.2 codefreeze.