List: forgerock-openam
Subject: Re: [OpenAM] Username is null on SAML2IdentityProviderAdapter
From: Francisco Rodriguez Corredor <francisco.r.corredor () juntadeandalucia ! es>
Date: 2018-09-17 12:52:41
Message-ID: b027621d-9f5b-81a3-5a9e-cf7eff97b334 () juntadeandalucia ! es
Hi again,

Months ago we used a SAML2IdentityProviderAdapter to register user
authentications on our OpenAMV10. We have just noticed that the
preSendResponse method is not only invoked when users log in, because we are
registering spurious statistics logging events. Here you can see our
preSendResponse method:
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.iplanet.sso.SSOToken;
    import com.sun.identity.saml2.common.SAML2Exception;
    import com.sun.identity.saml2.protocol.AuthnRequest;
    import com.sun.identity.shared.Constants;

    // Hook of our SAML2IdentityProviderAdapter implementation; arg5 is the session object.
    public boolean preSendResponse(AuthnRequest arg0, String arg1, String arg2,
            HttpServletRequest arg3, HttpServletResponse arg4, Object arg5,
            String arg6, String arg7) throws SAML2Exception {
        String SPId = arg0.getIssuer().getValue(); // SP entity ID taken from the AuthnRequest
        String userID = "";
        SSOToken ssotoken = (SSOToken) arg5;
        try {
            String universalIdentifier = ssotoken.getProperty(Constants.UNIVERSAL_IDENTIFIER);
            userID = universalIdentifier;
            // keep the value of the first RDN, assuming it starts with "id="
            int commaIndex = userID.indexOf(",");
            userID = userID.substring(3, commaIndex);
        } catch (Exception e) {
            e.printStackTrace();
        }
        StatisticThread stat = new StatisticThread(SPId, userID);
        Thread statThread = new Thread(stat);
        statThread.start();
        return false;
    }
As I explained, we are registering spurious duplicate items in the
statistics database, as you can see below:
login_date           timestamp_date  version  userID                     SPId
13/09/2018 10:21:55  1536826915033   1.0.0    user1.test  1536826915016  saml.autoservicio
13/09/2018 10:21:55  1536826915083   1.0.0    user1.test  1536826915064  saml.autoservicio
13/09/2018 10:21:55  1536826915114   1.0.0    user1.test  1536826915082  saml.autoservicio
13/09/2018 10:21:55  1536826915153   1.0.0    user1.test  1536826915109  saml.autoservicio
13/09/2018 10:21:55  1536826915177   1.0.0    user1.test  1536826915119  saml.autoservicio
13/09/2018 10:21:55  1536826915187   1.0.0    user1.test  1536826915123  saml.autoservicio
13/09/2018 10:21:55  1536826915191   1.0.0    user1.test  1536826915136  saml.autoservicio
13/09/2018 10:21:55  1536826915263   1.0.0    user1.test  1536826915149  saml.autoservicio
13/09/2018 10:21:55  1536826915269   1.0.0    user1.test  1536826915216  saml.autoservicio
13/09/2018 10:21:55  1536826915282   1.0.0    user1.test  1536826915237  saml.autoservicio
13/09/2018 10:21:55  1536826915303   1.0.0    user1.test  1536826915215  saml.autoservicio
13/09/2018 10:21:55  1536826915308   1.0.0    user1.test  1536826915212  saml.autoservicio
13/09/2018 10:21:55  1536826915329   1.0.0    user1.test  1536826915193  saml.autoservicio
13/09/2018 10:21:55  1536826915332   1.0.0    user1.test  1536826915192  saml.autoservicio
13/09/2018 10:21:55  1536826915355   1.0.0    user1.test  1536826915270  saml.autoservicio
13/09/2018 10:21:55  1536826915380   1.0.0    user1.test  1536826915280  saml.autoservicio
13/09/2018 10:21:55  1536826915410   1.0.0    user1.test  1536826915391  saml.autoservicio
13/09/2018 10:21:55  1536826915483   1.0.0    user1.test  1536826915135  saml.autoservicio
13/09/2018 10:21:56  1536826915548   1.0.0    user1.test  1536826915530  saml.autoservicio
13/09/2018 10:21:56  1536826915811   1.0.0    user1.test  1536826915793  saml.autoservicio
13/09/2018 10:21:56  1536826916238   1.0.0    user1.test  1536826916222  saml.autoservicio
13/09/2018 10:22:19  1536826938759   1.0.0    user1.test  1536826938740  saml.autoservicio
Any idea? Thanks in advance.
On 30/05/17 at 23:53, Peter Major wrote:
> Actually, to retrieve the universal ID, the recommended method is to use:
> ssoToken.getProperty(Constants.UNIVERSAL_IDENTIFIER)
>
> The session's principal can potentially correspond to the username that
> the user entered during login, and not necessarily to a universal ID
> that uniquely identifies an identity. The session's principal on its
> own may still require additional lookup steps (when user alias search
> attributes are in use for example), and it may not identify the user at
> all. If you want to retrieve an AMIdentity instance for example, this is
> why you should be using IdUtils#getIdentity with ssoToken as the parameter.
>
> cheers,
> Peter
>
> On 2017-05-30 11:27, Andy Cory wrote:
> > Hi Francisco
> >
> > You can get the ID of the user who authenticated using the SSOToken object
> > mentioned by Péter using:
> > ssoToken.getPrincipal().getName()
> >
> > This should return something like
> > “id=charlie,ou=user,o=employees,ou=services,dc=amconfig,dc=example,dc=com”.
> > However, just be aware this might not be the value he used to authenticate – it’s
> > the UUID of the in-memory identity subject of the authenticated user, that’s all
> > – he might have authenticated with an email address, for example, depending on
> > the authentication config of the OpenAM instance.
> > Andy
> >
> > On 25/05/2017, 12:44, Peter Major <peter.major@forgerock.com> wrote:
> > The preSendResponse is always called before an assertion is sent back,
> > yes. The session parameter should always be non-null, and of type SSOToken.
> >
> > On 23/05/2017 08:24, Francisco Rodriguez Corredor wrote:
> > > Hi Péter,
> > >
> > > So, is the SAML2IdentityProviderAdapter always invoked when a
> > > correct authentication is made? Is the arg5 argument always going to be
> > > non-null? Do I have to check it?
> > >
> > > Thanks in advance
> > >
> > >
> > > On 11/05/17 at 23:16, Major Péter wrote:
> > > > You really shouldn't use httpservletrequest as a way to retrieve the
> > > > username. There is absolutely no guarantee that the request will still
> > > > contain the username.
> > > > You should look at arg5 (Object session) argument and retrieve the
> > > > universal ID from there.
> > > >
> > > > cheers,
> > > > Peter
> > > >
> > > > On 2017-05-10 12:36, Francisco Rodriguez Corredor wrote:
> > > > > Hi all,
> > > > >
> > > > > I have implemented a SAML2IdentityProviderAdapter on my OpenAM
> > > > > server to get information about the SP and user who have made an SSO
> > > > > request. After that, my SAML2IdentityProviderAdapter registers the collected
> > > > > data in a database in order to have basic statistics about my system.
> > > > > I get the username and the SP identifier as shown in the code below:
> > > > >
> > > > >     public boolean preSendResponse(AuthnRequest arg0, String arg1, String arg2,
> > > > >             HttpServletRequest arg3, HttpServletResponse arg4, Object arg5,
> > > > >             String arg6, String arg7) throws SAML2Exception {
> > > > >         String SPId = arg0.getIssuer().getValue();      // SP entity ID from the AuthnRequest
> > > > >         String userID = arg3.getParameter("IDToken1");  // username field of the login form
> > > > >         StatisticThread stat = new StatisticThread(SPId, userID);
> > > > >         Thread statThread = new Thread(stat);
> > > > >         statThread.start();
> > > > >         return false;
> > > > >     }
> > > > >
> > > > > The problem is that I have found that in several situations the
> > > > > userID is returned as "Null". Is there any explanation? What am I doing
> > > > > wrong?
> > > > >
> > > > > Thanks in advance.
> > >
> > >
> > _______________________________________________
> > Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
> > OpenAM mailing list
> > OpenAM@forgerock.org
> > https://lists.forgerock.org/mailman/listinfo/openam
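An added example, not code from the thread or from ForgeRock: a Java adapter that applies Peter's advice (read the universal ID from the SSOToken passed as arg5) but parses it without the fixed substring(3, ...) offset, and records at most one row per session and SP, so that repeated preSendResponse calls like the ones in the table above do not each produce a row. The class and package names are made up; DefaultIDPAdapter is assumed to exist in the OpenAM version in use; StatisticThread is the Runnable from the posts above. The dedup key is a SHA-256 hash of the session token ID, so the token itself is never held in the map. The parser goes beyond the thread's case by honouring backslash-escaped commas in the RDN value, and it works equally on the DN format Andy shows for getPrincipal().getName().

```java
package com.example.saml.stats; // assumed package; StatisticThread from the thread sits beside it

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultIDPAdapter;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.shared.Constants;

/** Records one statistics row per (session, SP) pair. DefaultIDPAdapter (assumed available)
 *  supplies no-op bodies for the other hooks; without it, implement SAML2IdentityProviderAdapter. */
public class LoginStatsIdpAdapter extends DefaultIDPAdapter {
    private static final int MAX_REMEMBERED = 10000;
    // One writer thread instead of a new Thread per login.
    private final ExecutorService writer = Executors.newSingleThreadExecutor();
    // Bounded, insertion-ordered memory of keys already recorded (eldest dropped past MAX_REMEMBERED).
    private final Map<String, Boolean> seen = new LinkedHashMap<String, Boolean>() {
        @Override
        protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
            return size() > MAX_REMEMBERED;
        }
    };

    @Override
    public boolean preSendResponse(AuthnRequest authnRequest, String hostProviderId,
            String realm, HttpServletRequest request, HttpServletResponse response,
            Object session, String reqId, String relayState) throws SAML2Exception {
        // "session" is arg5 in the original post. The thread says it is always an SSOToken;
        // checking still beats a blind cast in a hook whose uncaught exception aborts the login.
        if (!(session instanceof SSOToken) || authnRequest == null || authnRequest.getIssuer() == null) {
            return false; // no session, or no AuthnRequest/Issuer (IdP-initiated SSO) to attribute to
        }
        SSOToken token = (SSOToken) session;
        String spEntityId = authnRequest.getIssuer().getValue();
        String universalId;
        try {
            universalId = token.getProperty(Constants.UNIVERSAL_IDENTIFIER);
        } catch (SSOException e) {
            return false; // session no longer valid: nothing trustworthy to record
        }
        String userId = usernameFromUniversalId(universalId);
        if (userId != null && firstTimeSeen(token, spEntityId)) {
            writer.execute(new StatisticThread(spEntityId, userId)); // the Runnable from the thread
        }
        return false; // false = let OpenAM continue and send the SAML response
    }

    /** "id=charlie,ou=user,o=employees,..." -> "charlie". Returns null, rather than throwing, for
     *  null input, a missing "id=" RDN or an empty value, and honours RFC 4514 backslash escapes
     *  so a username containing a comma survives. */
    static String usernameFromUniversalId(String universalId) {
        if (universalId == null) {
            return null;
        }
        String rdn = universalId.trim();
        for (int i = 0; i < rdn.length(); i++) {
            char c = rdn.charAt(i);
            if (c == '\\') {
                i++;                        // skip the escaped character
            } else if (c == ',') {
                rdn = rdn.substring(0, i);  // first unescaped comma ends the RDN
                break;
            }
        }
        int eq = rdn.indexOf('=');
        if (eq < 0 || !"id".equalsIgnoreCase(rdn.substring(0, eq).trim())) {
            return null;
        }
        String value = rdn.substring(eq + 1).trim().replaceAll("\\\\(.)", "$1");
        return value.isEmpty() ? null : value;
    }

    /** True the first time this (session, SP) pair is seen; the token ID is hashed, not stored. */
    private boolean firstTimeSeen(SSOToken token, String spEntityId) {
        String key = sha256Hex(token.getTokenID().toString()) + "|" + spEntityId;
        synchronized (seen) {
            return seen.put(key, Boolean.TRUE) == null;
        }
    }

    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return new BigInteger(1, digest).toString(16);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}
```

It is configured as the IdP adapter class of the hosted IdP in the same way as the adapter in the posts above. The once-per-(session, SP) rule is a policy choice: a user who legitimately performs a second SSO to the same SP within one session is counted once; widen the key (for example with the request ID passed as reqId) if every AuthnRequest should count. The executor's thread is not a daemon thread, so shut it down from a container lifecycle hook if redeploys hang.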