Default Project CR-8194

OPENAM-3381 SAML login is not handled correctly on the SP if the user already has a local session on...

Closed on 15 Sep 15



Participants

Participant                  Role                 Time spent  Comments  Latest comment
Author & Moderator           Author & Moderator   8m          1         "by this time the SAML response has been verified already ..."
Neil Madden (deleted user)   Reviewer - Complete  5m          2         "OK, seems reasonable then."
Reviewer                     Reviewer - Complete  4m          0
Reviewer                     Reviewer - Complete  10m         1         "LGTM"
Total                                             27m         4


When there is a valid active session with the hosted SP instance, receiving an assertion without a mapped account may mean that the session's principal gets automagically mapped to the federated user. This may not always be preferred.

As it turned out, this was probably implemented like this to deal with the local authentication scenario:

  • accountmapper and nameid-info attrs in the data store give back null as the username
  • SPACSUtils throws the noUserMapping SAML2Exception
  • spAssertionConsumer.jsp catches the exception and prepares for local authentication (with a crafted goto)
  • the user authenticates locally
  • the user gets redirected back to the SAML flow, but this time with a valid session
  • the accountmapper still gives back null, but now there is a session, so let's take the username from there

The corresponding logic has been amended so that now we look at the session's principal only after the user was redirected away to the local login URL. The existing session will get invalidated as well (similarly to the case when the account mapper returns "bob" but the session has "alice": in that case FMSessionProvider invalidates the old session, as the principals are different, and carries on creating a new session for bob).
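The decision described in the review, as an added example that is not OpenAM's code: a simplified Python model of the SP assertion-consumer account-mapping step, with the earlier behaviour beside the amended one. The names AcsContext, Session, NoUserMapping, resolve_before_fix, resolve_after_fix, first_pass_rejects and local_login_round_trip, and the from_local_login flag that records the local-login round trip, are assumptions standing in for SPACSUtils, spAssertionConsumer.jsp and FMSessionProvider; the assertion is assumed to be already verified (signature, conditions) before this point is reached.

```python
"""Simplified model of the SP-side account-mapping decision (not OpenAM code).

All names are hypothetical stand-ins; the real logic lives in SPACSUtils,
spAssertionConsumer.jsp and FMSessionProvider.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


class NoUserMapping(Exception):
    """Stands in for the noUserMapping SAML2Exception."""


@dataclass
class Session:
    principal: str
    valid: bool = True


@dataclass
class AcsContext:
    mapped_user: Optional[str]        # account mapper / NameID lookup; None = no mapped account
    session: Optional[Session]        # existing local session on the SP, if any
    from_local_login: bool = False    # assumption: set only on the way back from local login


def resolve_before_fix(ctx: AcsContext) -> str:
    """Earlier behaviour: any active local session stands in for the missing mapping."""
    if ctx.mapped_user is not None:
        return ctx.mapped_user
    if ctx.session is not None and ctx.session.valid:
        # The session principal is silently mapped to the federated user,
        # even though the user never went through local login for this flow.
        return ctx.session.principal
    raise NoUserMapping()


def resolve_after_fix(ctx: AcsContext) -> str:
    """Amended behaviour: the session principal counts only after local login."""
    if ctx.mapped_user is None:
        if ctx.from_local_login and ctx.session is not None and ctx.session.valid:
            return ctx.session.principal
        # No mapping and not coming back from local login: drop the existing
        # session (as on a principal mismatch) and send the user to local login.
        if ctx.session is not None:
            ctx.session.valid = False
        raise NoUserMapping()
    user = ctx.mapped_user
    if ctx.session is not None and ctx.session.valid and ctx.session.principal != user:
        ctx.session.valid = False     # mapper says "bob", session says "alice": old session goes
    return user


def first_pass_rejects(ctx: AcsContext) -> bool:
    """True when the amended logic refuses the assertion and starts local login."""
    try:
        resolve_after_fix(ctx)
        return False
    except NoUserMapping:
        return True


def local_login_round_trip(existing: Optional[Session], login_as: str) -> Tuple[str, bool]:
    """Drive the whole flow: ACS -> noUserMapping -> local login -> ACS again.

    Returns (user finally bound to the assertion, whether the pre-existing
    session was invalidated before the user was sent to local login).
    """
    first = AcsContext(mapped_user=None, session=existing)
    if not first_pass_rejects(first):
        raise RuntimeError("expected the first pass to start local login")
    pre_invalidated = existing is not None and not existing.valid
    fresh = Session(principal=login_as)   # constructed: outcome of local authentication
    second = AcsContext(mapped_user=None, session=fresh, from_local_login=True)
    return resolve_after_fix(second), pre_invalidated


if __name__ == "__main__":
    alice = Session("alice")
    print("before fix, no mapping, alice logged in ->", resolve_before_fix(AcsContext(None, alice)))
    print("after fix, same input rejected ->", first_pass_rejects(AcsContext(None, Session("alice"))))
    print("full round trip, alice logged in, bob authenticates ->", local_login_round_trip(Session("alice"), "bob"))
```

The point of the model is the condition on the second branch: before the fix the mere presence of a valid session was enough, after the fix the session principal is consulted only on the leg that follows the local-login redirect, and an unrelated session that was present on the first leg is invalidated rather than reused.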



General Comments

14 Sep 15

Ken Stubbings says:


Files in review:
  /a/openam/.../saml2/profile/  Changed
  /a/openam/.../saml2/profile/  Changed (3)
