[OPENAM-3470] The SAML2 nameid should not be persisted if the nameid-format is not persistent Created: 18/Dec/13 Updated: 05/Mar/19 Resolved: 20/May/15 |
Status: | Resolved |
Project: | OpenAM |
Component/s: | SAML |
Affects Version/s: | 11.0.0 |
Fix Version/s: | 11.0.4, 12.0.3, 13.0.0 |
Type: | Bug | Priority: | Major |
Reporter: | Zoltan Tarcsay | Assignee: | Peter Major [X] (Inactive) |
Resolution: | Fixed | Votes: | 2 |
Labels: | EDISON, release-notes, test-candidate | ||
Remaining Estimate: | 0h | ||
Time Spent: | 31h | ||
Original Estimate: | 2h |
Issue Links: |
Target Version/s: |
Sprint: | Sprint 81 - Sustaining, Sprint 82 - Sustaining |
Support Ticket IDs: |
Description |
The SAML2 nameid gets persisted whenever the nameid-format is not transient. This has undesired side effects, such as when the nameid-format is emailAddress (mapped to the mail attribute for instance) and a user's email address changes, but the persisted sun-fm-saml2-nameid-infokey value will still contain the old value of mail. |
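An added simulation of the persistence decision this issue describes (constructed for illustration, not OpenAM's own code): a dict stands in for the per-user sun-fm-saml2-nameid-infokey store, the attribute mapping for emailAddress is assumed, and the `fixed` flag switches between "persist everything non-transient" and "persist only the persistent format", so the stale-mail effect and its fix can be observed on the same input.

```python
import secrets

# Standard SAML 2.0 / 1.1 NameID format URNs
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Hypothetical IdP attribute mapping: emailAddress NameIDs come from "mail"
NAMEID_ATTRIBUTE_MAP = {EMAIL: "mail"}


def should_persist(nameid_format, fixed):
    """Pre-fix rule: persist unless transient. Post-fix rule: persist only
    when the format is actually the persistent one."""
    if fixed:
        return nameid_format == PERSISTENT
    return nameid_format != TRANSIENT


def issue_nameid(store, user, nameid_format, fixed):
    """Return the NameID value the IdP would place in an assertion.
    `store` simulates the sun-fm-saml2-nameid-infokey attribute."""
    key = (user["uid"], nameid_format)
    if key in store:
        return store[key]  # reuse whatever was persisted earlier
    if nameid_format in (PERSISTENT, TRANSIENT):
        value = secrets.token_urlsafe(16)  # opaque generated identifier
    else:
        # Attribute-derived format: read the *current* attribute value
        value = user[NAMEID_ATTRIBUTE_MAP[nameid_format]]
    if should_persist(nameid_format, fixed):
        store[key] = value
    return value


def email_change_scenario(fixed):
    """Issue an emailAddress NameID, change the user's mail, issue again.
    Returns (first, second) so the stale value is visible."""
    store = {}
    user = {"uid": "alice", "mail": "alice@old.example"}  # constructed user
    first = issue_nameid(store, user, EMAIL, fixed)
    user["mail"] = "alice@new.example"
    second = issue_nameid(store, user, EMAIL, fixed)
    return first, second
```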
Comments |
Comment by Peter Major [X] (Inactive) [ 29/Jan/15 ] |
Hard commit for including this fix in 11.0.4, hopefully will fit into 12.0.1 as well. |
Comment by Peter Major [X] (Inactive) [ 13/May/15 ] |
The IdP side of the fix:
The surrounding logic around NameID persistence can be summed up now with the following:
Comment by Peter Major [X] (Inactive) [ 14/May/15 ] |
The SP side of the fix:
Comment by Peter Major [X] (Inactive) [ 20/May/15 ] |
Fixed with R13887&R13888, R13889&R13890 and R13891&R13892.