[OPENAM-5120] SAML2 SP in a sub-realm not fully functional after OPENAM-474 Created: 25/Nov/14 Updated: 20/Nov/16 Resolved: 10/Feb/15
Affects Version/s: 11.0.2, 12.0.0, 13.0.0
Fix Version/s: 11.0.3, 12.0.1, 13.0.0
Reporter: Nathalie Hoet
Assignee: Peter Major [X] (Inactive)
Remaining Estimate: Not Specified
Original Estimate: Not Specified
Sprint: Sprint 76 - Sustaining
Support Ticket IDs:
When having an SP in a sub-realm with 11.0.2, some functionality is lost. Through testing I confirmed that auto-federation is an issue, as well as creating a user account locally.
Create a SP in a sub-realm
(I used NameID Format transient and Dynamic profile, but there are issues in other configurations too)
The issue is caused by the fix for
At some point during the SAML process, the realm coming from the authentication context is compared with (and must match) the realm coming from the query string. However, the piece of code above means that the organization parameter from the query string returns null; instead, the code will then use the DNS alias to determine the realm, which ends up being the top realm; as it does not match, authentication fails.
The following workaround worked for me:
Make sure alias.example.com can be accessed from outside
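To make the failure mode in the description concrete, the following is an added Python model of the realm check it describes. It is not OpenAM's code: the function names, the host-to-realm alias table and the sample URLs are assumptions constructed for illustration. It shows why a request whose query string carries no organization parameter falls back to the DNS alias, resolves to the top realm and fails the comparison against the sub-realm held in the authentication context, and why a DNS alias reachable by the browser (the workaround above) makes the same request resolve to the sub-realm.

```python
# Hypothetical model of the realm-resolution check described in OPENAM-5120.
# Not OpenAM source; names and sample data are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

TOP_REALM = "/"


@dataclass
class Request:
    url: str   # full URL of the SP endpoint the IdP response is posted to
    host: str  # DNS name the request arrived on (Host header)


def normalize(realm: str) -> str:
    """Canonical realm form: '/' for the top realm, '/sub' for a sub-realm."""
    return "/" + realm.strip("/")


def realm_from_query(request: Request) -> Optional[str]:
    """Realm named by the 'organization' query parameter, or None if absent."""
    values = parse_qs(urlsplit(request.url).query).get("organization")
    return values[0] if values else None


def realm_from_dns_alias(host: str, dns_aliases: Dict[str, str]) -> str:
    """Realm mapped to the request host name; unknown hosts land in the top realm."""
    return dns_aliases.get(host.lower(), TOP_REALM)


def resolve_request_realm(request: Request, dns_aliases: Dict[str, str]) -> str:
    """The realm the request is taken to belong to: query string first, DNS alias second."""
    realm = realm_from_query(request)
    if realm is None:
        realm = realm_from_dns_alias(request.host, dns_aliases)
    return normalize(realm)


def check_realm_match(auth_context_realm: str, request: Request,
                      dns_aliases: Dict[str, str]) -> Tuple[bool, str, str]:
    """Return (matches, expected, actual) for the realm comparison."""
    expected = normalize(auth_context_realm)
    actual = resolve_request_realm(request, dns_aliases)
    return expected == actual, expected, actual


# Constructed scenarios for an SP living in the sub-realm "/sub".
ACS_URL = "https://sp.example.com/openam/Consumer/metaAlias/sub/sp"


def failing_case() -> Tuple[bool, str, str]:
    # No organization parameter and no DNS alias for the host: falls back to "/".
    return check_realm_match("/sub", Request(ACS_URL, "sp.example.com"), {})


def dns_alias_workaround() -> Tuple[bool, str, str]:
    # The host the browser reaches is a DNS alias mapped to the sub-realm.
    aliases = {"alias.example.com": "/sub"}
    return check_realm_match("/sub", Request(ACS_URL, "alias.example.com"), aliases)


def explicit_organization_param() -> Tuple[bool, str, str]:
    # When the query string does name the realm, the DNS alias is never consulted.
    url = ACS_URL + "?organization=/sub"
    return check_realm_match("/sub", Request(url, "sp.example.com"), {})


if __name__ == "__main__":
    for name, fn in [("no param, no alias", failing_case),
                     ("DNS alias workaround", dns_alias_workaround),
                     ("organization param", explicit_organization_param)]:
        ok, expected, actual = fn()
        print(f"{name}: expected={expected} actual={actual} -> {'SSO ok' if ok else 'SSO failed'}")
```

Running the block prints one line per scenario; only the first reports a failed comparison, which is the behaviour the stack trace in the comment below corresponds to.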
Comment by Nathalie Hoet [14/Jan/15]:
Adding Stack trace:
ERROR: spAssertionConsumer.jsp: SSO failed.
Comment by Peter Major [X] (Inactive) [10/Feb/15]:
Resolved with R12423, R12424 and R12425.
Comment by Richard Hruza [18/Mar/15]:
Tested with: OpenAM 11.0.3 (2015-March-02 15:50)