[#OPENAM-5917] IdP proxy in a subrealm is unable to send SLO response to the remote SP

[OPENAM-5917] IdP proxy in a subrealm is unable to send SLO response to the remote SP Created: 28/Apr/15 Updated: 20/Nov/16 Resolved: 14/May/15
Status:	Resolved
Project:	OpenAM
Component/s:	SAML
Affects Version/s:	11.0.0, 11.0.1, 11.0.2, 12.0.0, 13.0.0
Fix Version/s:	11.0.4, 12.0.3, 13.0.0

Type:

Bug

Priority:

Major

Reporter:

Abel Hoxeng

Assignee:

Mark de Reeper

Resolution:

Fixed

Votes:

Labels:

EDISON, release-notes

Remaining Estimate:

Time Spent:

Original Estimate:

Target Version/s:

11.0.4, 12.0.3, 13.0.0

Rank:

1|hzpg3z:

Sprint:

Sprint 81 - Sustaining

Support Ticket IDs:

Description

Steps to reproduce:

Set up an IdP Proxy deployment, but make sure that at the idp proxy node everything is defined in a subrealm.
Perform a SAML login using SP initiated SSO for example
Try to perform an SP initiated SLO from the remote SP

It looks like the IDPProxyUtil always tries to retrieve the remote SP's metadata from the top level realm and hence the SLO procedure fails.

Comments

Comment by Abel Hoxeng [ 28/Apr/15 ]

From IDPProxyUtil.java

public static void sendProxyLogoutResponse(
HttpServletResponse response,
HttpServletRequest request,
String originatingRequestID,
Map infoMap,
String remoteEntity,
String binding)
throws SAML2Exception
{
String entityID = (String) infoMap.get("entityid");
if (entityID == null || entityID.equals(""))

{ throw new SAML2Exception( SAML2Utils.bundle.getString("nullIDPEntityID")); }

if (SAML2Utils.debug.messageEnabled())

{ SAML2Utils.debug.message("Proxy IDP EntityID=" + entityID); }

//TODO: need to take realm from infoMap
LogoutResponse logoutRes = LogoutUtil.generateResponse(
null, originatingRequestID,
SAML2Utils.createIssuer(entityID),
"/", SAML2Constants.IDP_ROLE,
remoteEntity);
String location = IDPSingleLogout.getSingleLogoutLocation(
remoteEntity,"/", SAML2Constants.HTTP_REDIRECT);
if (SAML2Utils.debug.messageEnabled())

{ SAML2Utils.debug.message("Proxy to: " + location); }

String relayState = (String) infoMap.get(SAML2Constants.RELAY_STATE);
LogoutUtil.sendSLOResponse(response, request, logoutRes,
location, relayState, "/", entityID,
SAML2Constants.IDP_ROLE,
remoteEntity, binding);
}

Comment by Mark de Reeper [ 14/May/15 ]

Fixed in R13780, R13781 and R13782.

Comment by Mark de Reeper [ 14/May/15 ]

Correction to earlier commit made in R13784, R13785 and R13786.

Generated at Tue Mar 02 14:00:39 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.

[OPENAM-5917] IdP proxy in a subrealm is unable to send SLO response to the remote SP Created: 28/Apr/15 Updated: 20/Nov/16 Resolved: 14/May/15