[OPENAM-71] SAML2 error handling in HTTP POST and Redirect bindings Created: 23/Apr/10 Updated: 15/Apr/19
Affects Version/s: 9.5.5, 10.0.1, 10.1.0-Xpress, 11.0.0, 13.0.0, 13.5.0, 6.5.0, 7.0.0
Labels: AME, Backlog, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Support Ticket IDs:
I think the error handling of the SAML2 HTTP POST and Redirect bindings does not
In sections 3.4.6 and 3.5.6 of said specification, it is stated that:
"HTTP interactions during the message exchange MUST NOT use HTTP error
However, this is exactly what happens when an exception is thrown in the SAML2
Last tested with OpenSSO 8.0, but reading the latest sources I conclude there
Comment by Peter Major [X] (Inactive) [27/Jun/12]
We should also consider making the error handling more robust, so an IdPAdapter hook for example could trigger sending back a SAML response with non-success status code.
Comment by Joe Starling [09/Apr/19]
In many cases, the Internal Server Error can be avoided by ensuring proper configuration and testing the integration + various scenarios (accounts locked etc) thoroughly, but we do have situations which are not handled and will always give the error e.g.
when an IDP returns <Status>:
AM is aware of it in SAML2Constants, but it's never handled anywhere and just fails.
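The two comments above describe both sides of the same gap: an IdP hook that wants to answer with a non-Success <samlp:Status> instead of an exception, and an SP that receives such a Status and must not turn it into an HTTP 500. The following is an added example written for this report, not OpenAM/AM code and not anything from SAML2Constants; it uses only the standard SAML 2.0 status URNs. It builds a samlp:Response carrying a top-level and optional second-level StatusCode, parses an incoming Response's Status, and decides what the SP returns to the user agent: a well-formed Response with a non-Success Status yields HTTP 200 plus an application-level sign-in error (the binding spec's "MUST NOT use HTTP error status codes" rule quoted in the description), while input that is not a parseable SAML message gets 400. The 400 for unparseable input, the example.test hostnames, the sample "Account locked" message and the use of the stdlib XML parser are the example's own assumptions.

```python
"""Handle SAML 2.0 <samlp:Status> without HTTP error codes.

Added example for the OPENAM-71 discussion; not OpenAM/AM code.
"""
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"
# Top-level status codes defined by SAML 2.0 Core (section 3.2.2.2).
TOP_LEVEL = {"Success", "Requester", "Responder", "VersionMismatch"}

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


@dataclass
class SamlStatus:
    top_level: str
    second_level: Optional[str]
    message: Optional[str]

    @property
    def is_success(self) -> bool:
        return self.top_level == STATUS_PREFIX + "Success"


def parse_status(response_xml: str) -> SamlStatus:
    """Extract first- and second-level StatusCode values from a samlp:Response.

    Uses the stdlib parser for portability; a deployment parsing untrusted SAML
    should use a hardened XML parser (e.g. defusedxml) instead.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find(f"{{{SAMLP_NS}}}Status")
    if status is None:
        raise ValueError("Response has no Status element")
    code = status.find(f"{{{SAMLP_NS}}}StatusCode")
    if code is None or not code.get("Value"):
        raise ValueError("Status has no StatusCode/@Value")
    # A second-level code is nested inside the top-level StatusCode element.
    sub = code.find(f"{{{SAMLP_NS}}}StatusCode")
    msg = status.find(f"{{{SAMLP_NS}}}StatusMessage")
    return SamlStatus(code.get("Value"),
                      sub.get("Value") if sub is not None else None,
                      msg.text if msg is not None else None)


def sp_outcome(response_xml: str) -> Tuple[int, str]:
    """What the SP hands back to the user agent for a received Response.

    Non-Success Status is a SAML-level result, not an HTTP failure: the user
    gets 200 and an application error page. Only input that is not a SAML
    message at all is treated as a request error (example's own choice).
    """
    try:
        st = parse_status(response_xml)
    except (ET.ParseError, ValueError) as exc:
        return 400, f"malformed SAML Response: {exc}"
    if st.is_success:
        return 200, "authenticated"
    reason = (st.second_level or st.top_level).rsplit(":", 1)[-1]
    detail = f" ({st.message})" if st.message else ""
    return 200, f"IdP reported {reason}{detail}; show sign-in error page"


def build_status_response(in_response_to: str, issuer: str, destination: str,
                          top_level: str, second_level: Optional[str] = None,
                          message: Optional[str] = None) -> str:
    """Build the (unsigned) Response an IdP hook would send for a given status."""
    if top_level not in TOP_LEVEL:
        raise ValueError(f"unknown top-level status code: {top_level}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(f"{{{SAMLP_NS}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now,
        "InResponseTo": in_response_to, "Destination": destination})
    ET.SubElement(resp, f"{{{SAML_NS}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode",
                         Value=STATUS_PREFIX + top_level)
    if second_level:
        ET.SubElement(code, f"{{{SAMLP_NS}}}StatusCode",
                      Value=STATUS_PREFIX + second_level)
    if message:
        ET.SubElement(status, f"{{{SAMLP_NS}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


# Constructed sample: a non-Success Response such as an IdP sends when the
# user's authentication failed (no Assertion is present in that case).
SAMPLE_AUTHN_FAILED = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_resp1" Version="2.0" IssueInstant="2019-04-09T10:00:00Z"
    InResponseTo="_req1" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_PREFIX}Responder">
      <samlp:StatusCode Value="{STATUS_PREFIX}AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Account locked</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(sp_outcome(SAMPLE_AUTHN_FAILED))
    denied = build_status_response("_req1", "https://idp.example.test/saml",
                                   "https://sp.example.test/saml/acs",
                                   "Responder", "RequestDenied")
    print(sp_outcome(denied))
    print(sp_outcome("<garbage"))
```

Running the script prints a 200 outcome for both the locked-account sample and the generated RequestDenied Response, and a 400 only for the unparseable input; the status-to-page mapping in sp_outcome is the piece an SP would extend with its own error templates.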