[OPENAM-5120] SAML2 SP in a sub-realm not fully functional after OPENAM-474 Created: 25/Nov/14  Updated: 20/Nov/16  Resolved: 10/Feb/15

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 11.0.2, 12.0.0, 13.0.0
Fix Version/s: 11.0.3, 12.0.1, 13.0.0

Type: Bug Priority: Major
Reporter: Nathalie Hoet Assignee: Peter Major [X] (Inactive)
Resolution: Fixed Votes: 1
Labels: EDISON, release-notes
Remaining Estimate: Not Specified
Time Spent: 5h
Original Estimate: Not Specified

Issue Links:
Relates
relates to OPENAM-474 Dynamic User Creation not populating ... Closed
Target Version/s:
Sprint: Sprint 76 - Sustaining
Support Ticket IDs:
Verified Version/s:

Description

With an SP in a sub-realm on 11.0.2, some functionality is lost. Through testing I confirmed that auto-federation is an issue, as is creating a user account locally.

To reproduce:

Create a SP in a sub-realm
Enable Auto-Federation

(I used NameID Format transient and Dynamic profile, but there are issues in other configurations too)

The issue is caused by the fix for OPENAM-474, more specifically in FMSessionProvider.java:

   ac.login(AuthContext.IndexType.MODULE_INSTANCE, "Federation", null, null, request, response);

At some point during the SAML process, the realm coming from the authentication context is compared with (and must match) the realm coming from the query string. However, the piece of code above means that the organization parameter from the query string is null; the code then falls back to the DNS alias to determine the realm, which ends up being the top realm. As it does not match, authentication fails.

Workaround:

The following workaround worked for me:

Make sure alias.example.com can be accessed from outside
Access as usual: http://sp.example.com:8080/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=idp&metaAlias=/test/sp
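The following is an added model of the realm-resolution fallback described above and of why the DNS-alias workaround changes the outcome. It is illustration code written for this page, not OpenAM's FMSessionProvider or SPACSUtils. It assumes a sub-realm /test whose DNS alias is alias.example.com (hypothetical values), that the SP's realm is the parent of its metaAlias, and that a null organization passed to login is resolved from the DNS alias of the request host, falling back to the top realm:

```python
from urllib.parse import parse_qs, urlsplit

TOP_REALM = "/"
# Constructed DNS-alias table (hostname -> realm). Assumption: the sub-realm
# /test has the alias alias.example.com, as in the issue's workaround.
DNS_ALIASES = {"alias.example.com": "/test"}

# Constructed request URLs: the one from the issue, and the same request
# arriving under the sub-realm's DNS alias (assumed reading of the workaround).
BUGGY_URL = ("http://sp.example.com:8080/openam/saml2/jsp/spSSOInit.jsp"
             "?idpEntityID=idp&metaAlias=/test/sp")
WORKAROUND_URL = ("http://alias.example.com:8080/openam/saml2/jsp/spSSOInit.jsp"
                  "?idpEntityID=idp&metaAlias=/test/sp")


def realm_from_meta_alias(meta_alias):
    """Realm an SP metaAlias belongs to: '/test/sp' -> '/test', '/sp' -> '/'."""
    realm, _, _ = meta_alias.rstrip("/").rpartition("/")
    return realm or TOP_REALM


def create_session(org_name, host):
    """Model of the realm the authentication context ends up in.

    With org_name=None (the AuthContext.login call quoted in the description
    passes null for the organization), the realm is resolved from the DNS
    alias of the request host and falls back to the top realm when the host
    has no alias. A non-null org_name is used as given.
    """
    if org_name:
        return org_name
    return DNS_ALIASES.get(host, TOP_REALM)


def process_response(url, org_name=None):
    """Model of the SP-side check: the realm of the authentication context
    must equal the realm of the SP named by metaAlias in the query string.

    Returns (ok, auth_realm, sp_realm); ok=False corresponds to the
    'Authentication Error' SAML2Exception in the stack trace.
    """
    parts = urlsplit(url)
    meta_alias = parse_qs(parts.query)["metaAlias"][0]
    sp_realm = realm_from_meta_alias(meta_alias)
    auth_realm = create_session(org_name, parts.hostname)
    return auth_realm == sp_realm, auth_realm, sp_realm


if __name__ == "__main__":
    for label, url in (("plain SP host", BUGGY_URL),
                       ("sub-realm DNS alias", WORKAROUND_URL)):
        ok, auth_realm, sp_realm = process_response(url)
        verdict = "SSO ok" if ok else "Authentication Error"
        print(f"{label:20s} auth realm={auth_realm!r:8s} "
              f"SP realm={sp_realm!r:8s} -> {verdict}")
```

Run stand-alone, the plain-host request resolves the authentication realm to "/" against an SP realm of "/test" and fails, while the same request under the sub-realm's alias resolves both to "/test". Passing the organization explicitly to create_session also makes the two agree; the page does not describe the actual fix, so that path is only shown as the contrast to the null argument.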



Comments
Comment by Nathalie Hoet [ 14/Jan/15 ]

Adding Stack trace:

ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: Authentication Error!!|auth_error_template.jsp
at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1333)
at jsp_servlet.saml2._jsp.spassertionconsumer._jspService(_spassertionconsumer.java:250)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: com.sun.identity.plugin.session.SessionException: Authentication Error!!|auth_error_template.jsp
at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:225)
at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1312)
... 20 more
Caused by: com.sun.identity.authentication.spi.AuthLoginException: Authentication Error!!|auth_error_template.jsp
at com.sun.identity.authentication.service.AMLoginContext.processIndexType(AMLoginContext.java:1831)
at com.sun.identity.authentication.service.AMLoginContext.executeLogin(AMLoginContext.java:337)
at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:544)
at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:419)
at com.sun.identity.authentication.AuthContext.runLogin(AuthContext.java:777)
at com.sun.identity.authentication.AuthContext.login(AuthContext.java:671)
at com.sun.identity.authentication.AuthContext.login(AuthContext.java:614)
at com.sun.identity.authentication.AuthContext.login(AuthContext.java:601)
at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:223)
... 21 more

Comment by Peter Major [X] (Inactive) [ 10/Feb/15 ]

Resolved with R12423, R12424 and R12425

Comment by Richard Hruza [ 18/Mar/15 ]

Tested with: OpenAM 11.0.3 (2015-March-02 15:50)

Setup:
SP and IDP created for subrealm
auto-federation = enabled (Attribute = uid)
User Profile = Dynamic profile
Attribute map = cn, sn, uid, mail, givenName

Test:
Create a user on IDP machine
SSO login with new user = successfully login
User is created on SP machine and has all attributes = cn, sn, uid, mail, givenName

Generated at Mon Oct 19 15:59:04 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.