[OPENAM-4264] IDPAccountMapper.getNameID() does not receive the SP Entity ID if there is no SPNameQualifier in the SAML request Created: 30/Jul/14  Updated: 09/Dec/14  Resolved: 27/Aug/14

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 9.5.5
Fix Version/s: 10.0.3, 11.0.3, 12.0.0

Type: Bug Priority: Major
Reporter: david.hatanian@revevol.eu Assignee: Peter Major
Resolution: Fixed Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


The IDPAccountMapper interface states that the getNameID() method receives the entityID of the remote provider as a parameter.

However, in my tests, this entityID can be empty or null.

It is null if the SAML2 Authentication Request did not contain a NameIDPolicy.

It is empty if the SAML2 Authentication Request contained a NameIDPolicy but no SPNameQualifier.

It only has a value if the authentication request contained a NameIDPolicy with an SPNameQualifier.

This behavior is enforced in IDPSSOUtil.getSubject() and can easily be checked from the source code.

That is a major issue for anyone who wants to generate a custom NameID depending on the requesting Service Provider.

I believe the easy fix is to use the recipientEntityID as a backup if no SPNameQualifier is provided.
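The three cases listed above, and the proposed fallback, as an added illustration (this is not OpenAM's IDPSSOUtil.getSubject() or any code from the reporter; it is a small model of the same resolution logic over a SAML2 AuthnRequest). Names such as sp_qualifier_only, resolve_remote_entity_id and issuer_of are invented here, the sample requests are constructed, and the recipient entity ID is passed in by the caller (it is assumed to be the SP the IdP already validated the request against; here it is simply read from the request's Issuer for the demo):

```python
"""Model of the SP entity ID handed to IDPAccountMapper.getNameID() (OPENAM-4264).

Illustration only, not OpenAM code. It reproduces the behaviour the report
describes (the value comes solely from NameIDPolicy/@SPNameQualifier) and the
proposed fix (fall back to the recipient entity ID when the qualifier is absent).
"""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def sp_qualifier_only(authn_request_xml: str) -> Optional[str]:
    """Behaviour as reported: None without NameIDPolicy, "" without SPNameQualifier,
    otherwise the qualifier value."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    return policy.get("SPNameQualifier", "")


def resolve_remote_entity_id(authn_request_xml: str, recipient_entity_id: str) -> str:
    """Proposed fix: SPNameQualifier when present and non-empty, else the
    recipient SP's entity ID, so the account mapper always learns which SP asked."""
    value = sp_qualifier_only(authn_request_xml)
    if value:  # both None and "" fall through to the fallback
        return value
    return recipient_entity_id


def issuer_of(authn_request_xml: str) -> str:
    """Read <saml:Issuer>; used here only to derive a demo recipient entity ID.
    (Assumption for the demo: the validated requester equals the Issuer.)"""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("saml:Issuer", NS)
    return (issuer.text or "").strip() if issuer is not None else ""


def _request(policy_element: Optional[str]) -> str:
    # Constructed minimal AuthnRequest; policy_element is a NameIDPolicy element or None.
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_req1" Version="2.0" IssueInstant="2014-07-30T00:00:00Z">'
        "<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>"
        + (policy_element or "")
        + "</samlp:AuthnRequest>"
    )


PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Constructed sample requests covering the three cases from the report.
REQUEST_NO_POLICY = _request(None)
REQUEST_POLICY_NO_QUALIFIER = _request(
    f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true"/>'
)
REQUEST_POLICY_WITH_QUALIFIER = _request(
    f'<samlp:NameIDPolicy Format="{PERSISTENT}" '
    'SPNameQualifier="https://sp.example.com/alt-qualifier"/>'
)

if __name__ == "__main__":
    cases = [
        ("no NameIDPolicy", REQUEST_NO_POLICY),
        ("NameIDPolicy without SPNameQualifier", REQUEST_POLICY_NO_QUALIFIER),
        ("NameIDPolicy with SPNameQualifier", REQUEST_POLICY_WITH_QUALIFIER),
    ]
    for label, req in cases:
        recipient = issuer_of(req)
        print(f"{label}: reported={sp_qualifier_only(req)!r} "
              f"fixed={resolve_remote_entity_id(req, recipient)!r}")
```

Note that an SPNameQualifier, when present, is still taken verbatim from the request; a custom mapper that selects which identifier to release per SP should compare it against the recipient entity ID the IdP validated rather than treat it as proof of who sent the request.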

Comment by Peter Major [ 27/Aug/14 ]

Fixed with R10276, R10277 and R10279.
