List: forgerock-openam-dev
Subject: [OpenAM-dev] Session Failover - NameId is null in IdpSessionCopy object
From: jtruong () 2keys ! ca (Jimmy Truong)
Date: 2012-06-14 20:18:10
Message-ID: 70f2124c-495c-4b7b-9e0c-67b4398726c5 () mail ! 2keys ! ca
When an assertion is generated, and SAML2 Failover is enabled, the IDPSession is written to the DB. It has been verified that the NameIDandSPpair objects that are retrieved from the IDPSession (before saving to the db) contain both the SPEntityID and the corresponding NameID objects (with the correct NameID values). However, when a SOAP LogoutRequest is sent from an SP, often the load balancer will route the request to an IDP that didn't perform the initial authentication. In cases where multiple SPs need to be logged out, SLO fails because the IDPSession that is retrieved from the database does not contain the NameID values.

The following code was executed (in IDPSSOUtil) to verify that the NameID values are not being written/retrieved properly.
    // Persist a copy of the in-memory IDPSession under its session index
    SAML2Repository.getInstance().save(sessionIndex,
        new IDPSessionCopy(idpSession), sessionExpireTime, null);

    // Read the copy straight back out of the repository
    IDPSessionCopy idpSessionCopy =
        (IDPSessionCopy) SAML2Repository.getInstance().retrieve(sessionIndex);
    if (idpSessionCopy != null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPSingleLogout.processLogoutRequest: Found idpSession in DB.");
            SAML2Utils.debug.message("Session COPY has values: ");
            // Dump each (SP entity ID, NameID value) pair held by the retrieved copy
            for (Object nidPair : idpSessionCopy.getNameIDandSPpairs()) {
                NameIDandSPpair np = (NameIDandSPpair) nidPair;
                SAML2Utils.debug.message("sp=" + np.getSPEntityID()
                    + " nidval=" + np.getNameID().getValue());
            }
        }
    }
When this code executes, the SP values are correct, but getValue() for the NameID always returns null.
Jimmy Truong
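The round-trip check below is an added example written for this page; it is not part of the post above and not OpenAM's own code. It turns the ad-hoc debug dump into a diagnostic that compares the in-memory IDPSession pairs with what comes back from SAML2Repository and returns every SP whose NameID value was lost, so the failover defect can be detected in a staging deployment without reading debug logs. It assumes the classes and methods named in the post (SAML2Repository.getInstance().save/retrieve, IDPSessionCopy, NameIDandSPpair.getSPEntityID()/getNameID().getValue()), assumes IDPSession exposes getNameIDandSPpairs() like IDPSessionCopy does, and assumes the com.sun.identity.saml2 package names shown in the imports; the class name FailoverNameIdCheck and the LostNameId record are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Assumed package locations for the OpenAM classes named in the post.
import com.sun.identity.saml2.common.SAML2Repository;
import com.sun.identity.saml2.profile.IDPSession;
import com.sun.identity.saml2.profile.IDPSessionCopy;
import com.sun.identity.saml2.profile.NameIDandSPpair;

/** Hypothetical diagnostic: does an IDPSession survive the failover repository round trip? */
public final class FailoverNameIdCheck {

    /** One SP whose NameID value differs (or is missing) after save + retrieve. */
    public static final class LostNameId {
        public final String spEntityId;
        public final String expectedNameIdValue;
        public final String retrievedNameIdValue;

        LostNameId(String spEntityId, String expected, String retrieved) {
            this.spEntityId = spEntityId;
            this.expectedNameIdValue = expected;
            this.retrievedNameIdValue = retrieved;
        }

        @Override
        public String toString() {
            return "sp=" + spEntityId + " expected=" + expectedNameIdValue
                + " retrieved=" + retrievedNameIdValue;
        }
    }

    private FailoverNameIdCheck() {}

    /** Collects (SPEntityID -> NameID value) from a list of NameIDandSPpair objects. */
    private static Map<String, String> pairsToMap(List<?> pairs) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        if (pairs == null) {
            return out;
        }
        for (Object o : pairs) {
            NameIDandSPpair p = (NameIDandSPpair) o;
            // Guard against a null NameID object as well as a null value
            String value = (p.getNameID() == null) ? null : p.getNameID().getValue();
            out.put(p.getSPEntityID(), value);
        }
        return out;
    }

    /**
     * Persists idpSession under sessionIndex, reads it back, and reports every SP
     * whose NameID value is null or different after the round trip. An empty list
     * means the repository preserved all NameID values; a non-empty list reproduces
     * the condition described in the post (SP present, NameID value null).
     * Checked exceptions from the repository calls are propagated to the caller.
     */
    public static List<LostNameId> roundTrip(IDPSession idpSession, String sessionIndex,
                                             long sessionExpireTime) throws Exception {
        // Snapshot of what the in-memory session holds before persistence
        Map<String, String> expected = pairsToMap(idpSession.getNameIDandSPpairs());

        SAML2Repository.getInstance().save(sessionIndex,
            new IDPSessionCopy(idpSession), sessionExpireTime, null);
        IDPSessionCopy copy =
            (IDPSessionCopy) SAML2Repository.getInstance().retrieve(sessionIndex);

        // A missing copy means nothing survived; report every SP as lost
        Map<String, String> retrieved =
            (copy == null) ? new LinkedHashMap<String, String>()
                           : pairsToMap(copy.getNameIDandSPpairs());

        List<LostNameId> lost = new ArrayList<LostNameId>();
        for (Map.Entry<String, String> e : expected.entrySet()) {
            String got = retrieved.get(e.getKey());
            boolean same = (e.getValue() == null) ? got == null : e.getValue().equals(got);
            if (!same) {
                lost.add(new LostNameId(e.getKey(), e.getValue(), got));
            }
        }
        return lost;
    }
}
```

Call roundTrip() from the same place the post's debug snippet ran (inside IDPSSOUtil, after the assertion is built) and log or assert on the returned list; an entry whose retrievedNameIdValue is null while expectedNameIdValue is set is exactly the symptom the post describes.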