SAML2Exception: Multiple matching users found


jasoninmel
Hi there,

I have configured OpenAM as an SP and am using SAML for federation. I have also enabled auto-federation and used a custom account mapper to create the account locally if the user is not found. However, I'm seeing a small number of users with a duplicate saml2-nameid-infokey, which makes login fail for those users.

Further investigation into this has confirmed it is not the custom account mapper causing this, as it searches for the user immediately before adding.

Please note this is not a race condition, as my recent analysis shows the duplicate UUIDs are created even several days apart from the original account.

Based on my findings, this is what I believe is happening.

User created for the first time in LDAP with a UUID.
A subsequent federated authentication request received by OpenAM (can be seconds, minutes or days later) results in the creation of a new UUID and an attempt to authenticate, resulting in the following error:

{code}
libPlugins:04/01/2017 11:36:55:642 PM EST: Thread[http-apr-8082-exec-245,5,main]
ERROR: IdRepoDataStoreProvider.getAttribute(1): IdRepo exception
Message:Illegal universal identifier fcd3cb9a-6b4b-4275-a2db-58089a37b1c9.

        at com.sun.identity.idm.IdUtils.getIdentity(IdUtils.java:292)
        at com.sun.identity.idm.IdUtils.getIdentity(IdUtils.java:271)
        at com.sun.identity.plugin.datastore.impl.IdRepoDataStoreProvider.getAttribute(IdRepoDataStoreProvider.java:116)
        at com.sun.identity.saml2.common.AccountUtils.getAccountFederation(AccountUtils.java:100)
        at com.sun.identity.saml2.common.SAML2Utils.isFedInfoExists(SAML2Utils.java:1062)
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1272)
               
libSAML2:04/01/2017 11:36:55:643 PM EST: Thread[http-apr-8082-exec-245,5,main]
ERROR: AccountUtils.readAccountFederationInfo: DataStoreProviderException
com.sun.identity.plugin.datastore.DataStoreProviderException: Illegal universal identifier fcd3cb9a-6b4b-4275-a2db-58089a37b1c9.
        at com.sun.identity.plugin.datastore.impl.IdRepoDataStoreProvider.getAttribute(IdRepoDataStoreProvider.java:125)
        at com.sun.identity.saml2.common.AccountUtils.getAccountFederation(AccountUtils.java:100)
        at com.sun.identity.saml2.common.SAML2Utils.isFedInfoExists(SAML2Utils.java:1062)
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1272)
               
libSAML2:04/01/2017 11:36:55:643 PM EST: Thread[http-apr-8082-exec-245,5,main]
ERROR: Failed to get DataStoreProvider com.sun.identity.saml2.common.SAML2Exception: Illegal universal identifier fcd3cb9a-6b4b-4275-a2db-58089a37b1c9.
libPlugins:04/02/2017 12:14:42:535 AM EST: Thread[http-apr-8082-exec-287,5,main]
ERROR: IdRepoDataStoreProvider.getAttribute(1): IdRepo exception
Message:Illegal universal identifier 67220562-a19d-4159-878a-627d54d3fb7b.

        at com.sun.identity.idm.IdUtils.getIdentity(IdUtils.java:292)
        at com.sun.identity.idm.IdUtils.getIdentity(IdUtils.java:271)
        at com.sun.identity.plugin.datastore.impl.IdRepoDataStoreProvider.getAttribute(IdRepoDataStoreProvider.java:116)
        at com.sun.identity.saml2.common.AccountUtils.getAccountFederation(AccountUtils.java:100)
        at com.sun.identity.saml2.common.SAML2Utils.isFedInfoExists(SAML2Utils.java:1062)
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1272)

{code}

However, the LDAP log file shows this UUID has been added successfully (an LDAP search using mail returns both accounts).

Is this a known bug in OpenAM SAML federation?

Thanks,
jason
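An added check, not part of the post above and not OpenAM's own code: before the ACS fails with "Illegal universal identifier", the duplicates can be found offline by scanning an LDIF export of the SP user store for federation keys (and mail values) that appear on more than one entry. The attribute name `sun-fm-saml2-nameid-infokey` and the `hostedEntityID|remoteEntityID|NameID` layout of its value are assumptions to verify against your data store schema; the LDIF below is constructed sample data, not a real export.

```python
# Added example (not from the original post or from OpenAM): scan an LDIF
# export of the user store for duplicate SAML2 federation keys, so the
# accounts that will fail at the ACS can be found and merged beforehand.
from collections import defaultdict

# Assumed OpenAM attribute names; check them against your data store schema.
INFOKEY_ATTR = "sun-fm-saml2-nameid-infokey"
MAIL_ATTR = "mail"

# Constructed sample export (not real data): two entries carry the same mail
# and the same federation key under different uids, a third entry is clean.
# The last infokey is folded across two lines as LDIF exports do.
SAMPLE_LDIF = """\
dn: uid=u-0001,ou=people,dc=example,dc=com
uid: u-0001
mail: alice@example.com
sun-fm-saml2-nameid-infokey: https://sp.example.com/openam|https://idp.example.com/saml|alice-nameid-1

dn: uid=u-0002,ou=people,dc=example,dc=com
uid: u-0002
mail: alice@example.com
sun-fm-saml2-nameid-infokey: https://sp.example.com/openam|https://idp.example.com/saml|alice-nameid-1

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
mail: bob@example.com
sun-fm-saml2-nameid-infokey: https://sp.example.com/openam|https://idp.example.com/saml|
 bob-nameid-1
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict (lowercased attr -> [values]) per entry.
    Handles folded continuation lines; base64 ('::') values are kept undecoded."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():  # blank line ends the current entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and last_attr is not None:  # folded line
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        if current is None:
            current = defaultdict(list)
        attr = attr.strip().lower()
        current[attr].append(value.lstrip(": ").strip())
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def find_duplicates(entries, attr):
    """Map each value of `attr` seen on more than one entry to the DNs carrying it."""
    index = defaultdict(list)
    for entry in entries:
        for value in entry.get(attr, []):
            index[value].append(entry["dn"][0])
    return {value: dns for value, dns in index.items() if len(dns) > 1}


def split_infokey(key):
    """Assumed infokey layout: hostedEntityID|remoteEntityID|NameID value."""
    parts = key.split("|", 2)
    return tuple(parts) if len(parts) == 3 else None


def report(text):
    """Return one human-readable line per duplicated infokey or mail value."""
    entries = parse_ldif(text)
    lines = []
    for key, dns in sorted(find_duplicates(entries, INFOKEY_ATTR).items()):
        parts = split_infokey(key)
        nameid = parts[2] if parts else key
        lines.append(f"duplicate infokey for NameID {nameid!r}: {', '.join(dns)}")
    for mail, dns in sorted(find_duplicates(entries, MAIL_ATTR).items()):
        lines.append(f"duplicate mail {mail!r}: {', '.join(dns)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LDIF):
        print(line)
```

Run it against a real export (for example the output of an `ldapsearch` over the people container requesting `mail` and the infokey attribute) instead of `SAMPLE_LDIF`; every entry listed under a duplicated infokey is one that `isFedInfoExists` will find more than once at the next login.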