[OPENAM-15562] SAML2 crosstalk fails when Accept-Language header is missing from the original request Created: 17/Oct/19  Updated: 07/Feb/20  Resolved: 18/Oct/19

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 5.5.1, 6.0.0, 6.5.0, 7.0.0
Fix Version/s: 6.0.1, 6.5.2.3, 5.5.2, 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: Peter Major [X] (Inactive) Assignee: Peter Major [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: AME, NEWTON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Epic Link: Elastically scalable - SAML
Needs backport: Yes
Verified Version/s:

Description

Bug description

When SAML performs crosstalk for an SSO or SLO request, it attempts to replay the Accept-Language header from the original request. The code does not handle the case where that header is absent from the request, so the crosstalk request fails, which can in turn surface as the infamous "IDP session is NULL" error message.

How to reproduce the issue

  • Set up two hosted IdPs in one site, plus two separate SPs
  • Perform SP-initiated SSO with the first SP
  • Perform SP-initiated SSO with the second SP, making sure the request hits a different IdP instance than the previous step did (use amlbcookie-based LB routing and change the amlbcookie value in the browser for the LB's domain)
Expected behaviour

Authentication should succeed, because AM performs a crosstalk request to the IdP instance that handled the first request.

Current behaviour

SAML SSO fails with IDP session is NULL error message.

Work around

Enable SAML2 failover.
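The failure mode described above, as an added Java illustration (example code, not OpenAM's own implementation): a crosstalk request builder copies the caller's Accept-Language header onto the outgoing server-to-server request. The naive version assumes the header is always present and trips over the null that a missing header produces; the hardened version forwards the header only when it is present and parseable. The IncomingRequest stand-in and the use of Locale.LanguageRange.parse as the operation that fails on null are assumptions made for this example.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/**
 * Example for OPENAM-15562 (not OpenAM code): replaying the caller's
 * Accept-Language header onto a crosstalk request must tolerate the
 * header being absent from the original request.
 */
public class CrosstalkHeaderReplay {

    /** Assumed stand-in for the incoming servlet request; only header lookup is modelled. */
    static final class IncomingRequest {
        private final Map<String, String> headers = new HashMap<>();

        IncomingRequest(Map<String, String> h) {
            headers.putAll(h);
        }

        /** Mirrors HttpServletRequest.getHeader: returns null when the header is absent. */
        String getHeader(String name) {
            return headers.get(name.toLowerCase(Locale.ROOT));
        }
    }

    /**
     * Naive replay: parses and forwards the header unconditionally.
     * Locale.LanguageRange.parse(null) throws NullPointerException, so a request
     * without Accept-Language fails the whole crosstalk (assumed failure point).
     */
    static Map<String, String> buildCrosstalkHeadersNaive(IncomingRequest req) {
        Map<String, String> out = new HashMap<>();
        String lang = req.getHeader("Accept-Language");
        List<Locale.LanguageRange> ranges = Locale.LanguageRange.parse(lang); // NPE when lang == null
        out.put("Accept-Language", lang);
        return out;
    }

    /**
     * Hardened replay: forward Accept-Language only when the client sent one and it
     * parses; a missing or malformed header is dropped instead of failing the crosstalk.
     */
    static Map<String, String> buildCrosstalkHeaders(IncomingRequest req) {
        Map<String, String> out = new HashMap<>();
        String lang = req.getHeader("Accept-Language");
        if (lang != null && !lang.trim().isEmpty()) {
            try {
                Locale.LanguageRange.parse(lang); // validate the client-controlled value before replaying it
                out.put("Accept-Language", lang);
            } catch (IllegalArgumentException e) {
                // malformed header: omit it rather than abort the server-to-server request
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample requests: one with the header, one without (e.g. a curl client).
        Map<String, String> withHeader = Map.of("accept-language", "en-GB,en;q=0.8");
        Map<String, String> noHeader = Map.of("user-agent", "curl/7.68.0");

        System.out.println("hardened, header present: "
                + buildCrosstalkHeaders(new IncomingRequest(withHeader)));
        System.out.println("hardened, header absent:  "
                + buildCrosstalkHeaders(new IncomingRequest(noHeader)));
        try {
            buildCrosstalkHeadersNaive(new IncomingRequest(noHeader));
        } catch (NullPointerException e) {
            System.out.println("naive replay failed on missing header: " + e);
        }
    }
}
```

Compile and run with `javac CrosstalkHeaderReplay.java && java CrosstalkHeaderReplay`. Omitting the header on the crosstalk request is the right choice here: the receiving IdP instance then falls back to its default locale, which is exactly what it would have done had the client not sent one.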



Comments
Comment by Ľubomír Mlích [ 07/Feb/20 ]

Reproduced in ForgeRock Access Management 6.5.2.2 Build 512c5a2f00 (2019-October-30 10:12); there was an HTTP 500.
Verified in ForgeRock Access Management 6.5.2.3-M1 Build 26261986e5 (2020-February-03 13:51), SSO

Reproduction steps

I have two IDP instances at

in site
http://idp.test.forgerock.com:8080/openam
I add idp1 as idp.test.forgerock.com to /etc/hosts on my computer and on the SP servers as well.
I have two separate SP servers in the SAML2 COT:

Now I start testing by going to:
1. go to http://sp1.test.forgerock.com:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=IDP
2. I modify my /etc/hosts to contain the idp2 IP address as idp.test.forgerock.com
3. modify the browser configuration to use a proxy at localhost:8080
4. start mitmproxy on that port and intercept requests (press i) to idp.test.forgerock.com
5. go to http://sp2.test.forgerock.com:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=IDP
6. remove the Accept-Language header from the intercepted request in mitmproxy and allow it to go to the IDP (press a)
7. allow the reply from the IDP to the browser (press a)

Generated at Fri Nov 27 05:54:49 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.