[OPENAM-5917] IdP proxy in a subrealm is unable to send SLO response to the remote SP Created: 28/Apr/15  Updated: 20/Nov/16  Resolved: 14/May/15

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 12.0.0, 13.0.0
Fix Version/s: 11.0.4, 12.0.3, 13.0.0

Type: Bug Priority: Major
Reporter: Abel Hoxeng Assignee: Mark de Reeper
Resolution: Fixed Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: 3h
Time Spent: 1h
Original Estimate: 6h

Target Version/s:
Rank: 1|hzpg3z:
Sprint: Sprint 81 - Sustaining
Support Ticket IDs:


Steps to reproduce:

  • Set up an IdP Proxy deployment, but make sure that at the idp proxy node everything is defined in a subrealm.
  • Perform a SAML login using SP initiated SSO for example
  • Try to perform an SP initiated SLO from the remote SP

It looks like the IDPProxyUtil always tries to retrieve the remote SP's metadata from the top level realm and hence the SLO procedure fails.

Comment by Abel Hoxeng [ 28/Apr/15 ]

From IDPProxyUtil.java

public static void sendProxyLogoutResponse(
HttpServletResponse response,
HttpServletRequest request,
String originatingRequestID,
Map infoMap,
String remoteEntity,
String binding)
throws SAML2Exception
String entityID = (String) infoMap.get("entityid");
if (entityID == null || entityID.equals(""))

{ throw new SAML2Exception( SAML2Utils.bundle.getString("nullIDPEntityID")); }

if (SAML2Utils.debug.messageEnabled())

{ SAML2Utils.debug.message("Proxy IDP EntityID=" + entityID); }

//TODO: need to take realm from infoMap
LogoutResponse logoutRes = LogoutUtil.generateResponse(
null, originatingRequestID,
"/", SAML2Constants.IDP_ROLE,
String location = IDPSingleLogout.getSingleLogoutLocation(
remoteEntity,"/", SAML2Constants.HTTP_REDIRECT);
if (SAML2Utils.debug.messageEnabled())

{ SAML2Utils.debug.message("Proxy to: " + location); }

String relayState = (String) infoMap.get(SAML2Constants.RELAY_STATE);
LogoutUtil.sendSLOResponse(response, request, logoutRes,
location, relayState, "/", entityID,
remoteEntity, binding);

Comment by Mark de Reeper [ 14/May/15 ]

Fixed in R13780, R13781 and R13782.

Comment by Mark de Reeper [ 14/May/15 ]

Correction to earlier commit made in R13784, R13785 and R13786.

Generated at Tue Mar 02 14:00:39 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.