SAML federation in different realm

SAML federation in different realm

BAUCHE, VALERIE

Hi

In former versions of OpenAM I was able to do the following:

- Log in in realm "/INTERNET"
- Start a SAML federation using idpssoinit in realm "/INTERNET/FED"

Now I'm using OpenAM 12.0.3 and it does not work anymore:

WARNING: IDPSSOUtil.isValidSessionInRealm: Invalid realm for the session:/INTERNET, while the realm of the IdP is:/INTERNET/FED

Can anybody explain why this realm verification has been added? Is it possible to get around it?

Valérie


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: SAML federation in different realm

Peter Major
https://backstage.forgerock.com/#!/knowledge/kb/article/a68358392
Tracked under #201505-02.

Sounds like you have a funny setup in your environment. The purpose of
the realm is to separate distinct user sets. If you have a user in realm
/internet/fed, how could you be certain that the attributes necessary
for your IdP in /internet will always actually be available?
You should define the IdP in the same realm as the users, or you should
have a single realm in the first place, since your user sets in /internet
and /internet/fed appear to be the same.

cheers,
Peter

On 2016-10-17 13:33, BAUCHE, VALERIE wrote:

Re: SAML federation in different realm

Jari Ahonen
In reply to this post by BAUCHE, VALERIE

Hi,

Peter already answered why later OpenAM versions behave differently from old ones, but if your current setup depends on the old behaviour you can get around it by adding your own logic to IDPSSOUtil.isValidSessionInRealm().

- Jari

From: [hidden email] [mailto:[hidden email]] On Behalf Of BAUCHE, VALERIE
Sent: Monday, October 17, 2016 2:34 PM
To: Users <[hidden email]>
Subject: [OpenAM] SAML federation in different realm
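The realm check the thread is about, written out as an added stand-alone illustration (this is not OpenAM's IDPSSOUtil code and does not use any OpenAM API). The strict default reproduces the verdict Valérie saw: the session realm and the IdP realm must be the same realm, otherwise a warning in the shape of the one quoted above is produced. The optional allow_ancestor mode is the kind of local relaxation Jari alludes to; it accepts a session from a parent realm of the IdP's realm and nothing else, and Peter's caveat still applies to it, since the user's attributes live in the parent realm while the IdP's attribute mapping is configured in the child realm. Case-insensitive realm comparison and the tolerance of trailing slashes are assumptions made here, not behaviour the page states; the realm names are the thread's own.

```python
"""Realm check for an IdP-initiated SSO session, modelled on the symptom in the
thread: a session from /INTERNET offered to an IdP defined in /INTERNET/FED.

Added illustration only; this is not OpenAM's IDPSSOUtil.isValidSessionInRealm.
"""
from typing import Optional, Tuple


def normalize_realm(realm: str) -> str:
    """Canonicalise a realm path to '/seg/seg' form.

    Assumption made here: realm names compare case-insensitively, so
    '/INTERNET' and '/internet' denote the same realm. Empty segments and
    trailing slashes are dropped, so '/INTERNET/FED/' equals '/INTERNET/FED';
    the root realm normalises to '/'.
    """
    segments = [s.lower() for s in realm.strip().split("/") if s]
    return "/" + "/".join(segments)


def is_ancestor_realm(ancestor: str, descendant: str) -> bool:
    """True when `ancestor` is a proper parent of `descendant` (both normalised).

    Comparison is by whole path segment: '/internet' is an ancestor of
    '/internet/fed' but not of '/internetx/fed'.
    """
    if ancestor == descendant:
        return False
    if ancestor == "/":
        return True
    return descendant.startswith(ancestor + "/")


def is_valid_session_in_realm(session_realm: str, idp_realm: str,
                              allow_ancestor: bool = False) -> Tuple[bool, Optional[str]]:
    """Decide whether a session minted in `session_realm` may be consumed by an
    IdP defined in `idp_realm`.

    Strict mode (the default) requires the two realms to be identical and
    returns a warning string shaped like the one quoted in the thread.

    allow_ancestor=True additionally accepts a session from a parent realm of
    the IdP's realm, never the reverse. This is a hypothetical relaxation; a
    user in the parent realm may lack the attributes the IdP's attribute
    mapping in the child realm expects, which is the risk Peter describes.
    """
    s = normalize_realm(session_realm)
    i = normalize_realm(idp_realm)
    if s == i:
        return True, None
    if allow_ancestor and is_ancestor_realm(s, i):
        return True, None
    warning = ("IDPSSOUtil.isValidSessionInRealm: Invalid realm for the session:"
               f"{session_realm}, while the realm of the IdP is:{idp_realm}")
    return False, warning


if __name__ == "__main__":
    # Constructed inputs using the realm names from the thread.
    for allow in (False, True):
        ok, why = is_valid_session_in_realm("/INTERNET", "/INTERNET/FED", allow)
        print(f"allow_ancestor={allow}: valid={ok}" + (f" ({why})" if why else ""))
```

Run as a script it prints the strict verdict (False, with the warning) followed by the relaxed one (True) for the /INTERNET versus /INTERNET/FED pair. If you do patch a check like this into a deployment, keep the relaxation one-directional and segment-exact as above, so a child-realm session is never accepted by a parent-realm IdP and a sibling realm with a shared name prefix is never mistaken for an ancestor.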