[OPENAM-8199] Resource based authentication does not work with more than one environment condition

Created: 26/Jan/16
Updated: 20/Nov/16
Resolved: 30/Mar/16

Status: Resolved
Project: OpenAM
Component/s: authentication, policy
Affects Version/s: 12.0.2, 13.0.0
Fix Version/s: 12.0.4, 13.5.0

Type: Bug
Priority: Major
Reporter: Joe Starling
Assignee: Jonathan Thomas
Resolution: Fixed
Votes: 0
Labels: 13.0.1-Candidate, EDISON
Remaining Estimate: 0h
Time Spent: 10h
Original Estimate: 0h

Issue Links:
relates to OPENAM-8637 Allow resource based authentication t... Closed
is related to OPENAM-5451 Resource based authentication does no... Resolved
Sprint: AM Sustaining Sprint 19, AM Sustaining Sprint 20
QA Assignee: Filip Kubáň [X] (Inactive)


To reproduce:

  • Install OpenAM 12.0.2
  • Disable XUI (this step is not required for testing in 13)
  • Install Agent
  • Configure Agent profile Login URL as http://openam.example.com:48080/openam/UI/Login?resource=true
  • Change the Auth Level of more than one module to something specific, say LDAP module and DataStore module to Authentication Level 3
  • Create a Policy with environment condition 'Authentication Level (greater than or equal to) 3'

When accessing the resource without any previous session, I would expect to be presented a choice between all modules with Authentication Level 3 or higher, in this case LDAP and DataStore.

Instead, I see the default ldapService chain first. Only after authenticating there do I see the choice of module.

I should mention that if the user is previously authenticated and hits this protected resource in a session upgrade scenario, the correct behaviour is seen: no default module, straight to choice screen.

Comment by Peter Major [X] (Inactive) [ 10/Feb/16 ]

Need more background info for triage.

Comment by Joe Starling [ 11/Feb/16 ]

Say we have 3 resources with differing access levels.

Access 1st resource -
Policy Condition: Authenticate to Certificate Module OR Auth Level >= 1
(Cert module has Auth level 1)

Access 2nd resource -
Policy Condition: Authenticate to DataStore Module OR Auth Level >= 2
(Data Store module has Auth level 2)

Access 3rd resource:
We want to be presented with a choice between 2 modules, both with Auth level 3.
Policy Condition: Must have Auth Level >=3
(Two other discrete modules configured with Auth Level 3)

Normally with resource=true defined in the login URL, this shows a choice page; 2 radio buttons to select the preferred module.

Have tested with 11.0.3 and it works fine.
12.0.2 always sees the default ldapService chain first (if XUI is enabled, it enters a loop due to another bug), and then the choice once authenticated.

Comment by Peter Major [X] (Inactive) [ 21/Mar/16 ]

Jonathan Thomas should we fix this for 14.0.0 as well?

Comment by Jonathan Thomas [ 21/Mar/16 ]

Will correct version - it was put on master.

Comment by Jonathan Thomas [ 30/Mar/16 ]

Have created OPENAM-8637 and OPENAM-8638 to follow on from this to allow realm based policy evaluation, but resource-based auth should display multiple module page with this fix.

Comment by Filip Kubáň [X] (Inactive) [ 26/Sep/16 ]

Verified on: OpenAM 12.0.4-RC5 Build 8f3551671e (2016-September-19 17:53)

Generated at Sat Mar 06 16:55:55 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.