[OPENAM-71] SAML2 error handling in HTTP POST and Redirect bindings Created: 23/Apr/10  Updated: 15/Apr/19

Status: Open
Project: OpenAM
Component/s: SAML
Affects Version/s: 9.5.5, 10.0.1, 10.1.0-Xpress, 11.0.0, 13.0.0, 13.5.0, 6.5.0, 7.0.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: patrick.peck Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: AME, Backlog, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by OPENAM-14430 SAML errors generate HTTP 500 Interna... Resolved
Relates
relates to OPENAM-13045 SAML2 IDP initiated SSO with HTTP-POS... Open
Support Ticket IDs:

Description

I think the error handling of the SAML2 HTTP POST and Redirect bindings does not
conform to the rules set in the SAML2 bindings specification.

In sections 3.4.6 and 3.5.6 of said specification, it is stated that:

"HTTP interactions during the message exchange MUST NOT use HTTP error
status codes to indicate failures in SAML processing, since the user
agent is not a full party to the SAML protocol exchange."

However, this is exactly what happens when an exception is thrown in the SAML2
stack of OpenAM - an HTTP error is returned to the browser, and user interaction
stops there instead of returning to the service provider.

Last tested with OpenSSO 8.0, but reading the latest sources I conclude there
has been no change w.r.t. the behaviour described above.

Comments
Comment by Peter Major [X] (Inactive) [ 27/Jun/12 ]

We should also consider making the error handling more robust, so an IdPAdapter hook for example could trigger sending back a SAML response with a non-success status code.

Comment by Joe Starling [ 09/Apr/19 ]

In many cases, the Internal Server Error can be avoided by ensuring proper configuration and testing the integration + various scenarios (accounts locked etc) thoroughly, but we do have situations which are not handled and will always give the error e.g.

when an IDP returns <Status>:

urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

AM is aware of it in SAML2Constants, but it's never handled anywhere and just fails.
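The behaviour the report and both comments ask for, shown end to end as an added example (not OpenAM code, and written in Python rather than OpenAM's Java purely to illustrate the protocol): the IdP side puts the failure into the samlp:Status of a Response and delivers it through the HTTP-POST binding with an HTTP 200, and the SP side reads the status hierarchy and turns AuthnFailed into an ordinary page instead of an Internal Server Error. The entity IDs, ACS URL, request ID and "user account locked" message are constructed placeholders; signing and signature verification, assertion validation and the defusedxml parser a production SP should use are left out.

```python
import base64
import binascii
import html
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Status URIs from SAML 2.0 Core 3.2.2.2: the top-level code is one of
# Success/Requester/Responder/VersionMismatch; AuthnFailed is a second-level code.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"


def build_response(request_id, issuer, destination, top_level, second_level=None,
                   message=None, response_id="_resp-constructed-1",
                   issue_instant="2020-10-31T00:00:00Z"):
    """IdP side: serialise a samlp:Response whose <Status> carries the outcome.
    Signing is omitted here; a real IdP signs the Response or the Assertion."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": response_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": destination, "InResponseTo": request_id})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": top_level})
    if second_level:
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", {"Value": second_level})
    if message:
        ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def b64_encode(response_xml):
    """Base64 form of the Response as carried in the SAMLResponse field."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def http_post_binding(acs_url, response_xml, relay_state=None):
    """IdP side: HTTP-POST binding (bindings spec 3.5). The HTTP status is 200
    even for a SAML-level failure: the failure travels in <Status>, so the
    browser delivers it to the SP and the user interaction continues there."""
    fields = [("SAMLResponse", b64_encode(response_xml))]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "".join(
        f'<input type="hidden" name="{n}" value="{html.escape(v, quote=True)}"/>'
        for n, v in fields)
    body = ('<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(acs_url, quote=True)}">'
            f'{inputs}<noscript><input type="submit" value="Continue"/></noscript>'
            '</form></body></html>')
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


@dataclass
class SamlStatus:
    success: bool
    top_level: str
    second_level: Optional[str]
    message: Optional[str]
    in_response_to: Optional[str]


def parse_status(saml_response_b64):
    """SP side: decode the SAMLResponse field and read the StatusCode hierarchy.
    Production code verifies the signature before trusting any of this."""
    root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None or top.get("Value") is None:
        raise ValueError("missing StatusCode")
    second = top.find("samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return SamlStatus(
        success=top.get("Value") == STATUS_SUCCESS,
        top_level=top.get("Value"),
        second_level=second.get("Value") if second is not None else None,
        message=msg.text if msg is not None else None,
        in_response_to=root.get("InResponseTo"))


# User-facing text per status code; anything unmapped gets a generic page.
USER_FACING = {STATUS_AUTHN_FAILED: "Authentication at the identity provider failed."}


def sp_handle_response(saml_response_b64):
    """SP side: every SAML-level outcome becomes an ordinary HTTP 200 page.
    Only a payload that is not a SAML message at all is rejected at the HTTP layer."""
    try:
        st = parse_status(saml_response_b64)
    except (ValueError, binascii.Error, ET.ParseError):
        return 400, "Malformed SAMLResponse"  # transport defect, not SAML processing
    if st.success:
        return 200, "status Success: continue with assertion validation"
    reason = st.second_level or st.top_level
    return 200, USER_FACING.get(reason, "Single sign-on could not be completed.")


if __name__ == "__main__":
    # Constructed IdP failure (locked account) for a hypothetical request and SP.
    xml = build_response("_req-constructed-1", "https://idp.example.test/idp",
                         "https://sp.example.test/acs", STATUS_RESPONDER,
                         STATUS_AUTHN_FAILED, "user account locked")
    print(http_post_binding("https://sp.example.test/acs", xml)[:2])
    print(sp_handle_response(b64_encode(xml)))
```

The point to take from the SP half is that a non-Success status is a normal, expected message and is dispatched to a page like any other outcome; the only place an HTTP error is appropriate is when the posted field is not a SAML message at all.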

Generated at Sat Oct 31 00:46:46 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.