Username is null on SAML2IdentityProviderAdapter


Username is null on SAML2IdentityProviderAdapter

Francisco Rodriguez Corredor

Hi all,

    I have implemented a SAML2IdentityProviderAdapter on my OpenAM server to get information about the SP and the user who made an SSO request. After that, my SAML2IdentityProviderAdapter records the collected data in a database in order to have basic statistics about my system. I get the username and the SP identifier as shown in the code below:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.sun.identity.saml2.common.SAML2Exception;
    import com.sun.identity.saml2.protocol.AuthnRequest;

    // Called by OpenAM before the IdP sends its SAML response back to the SP.
    public boolean preSendResponse(AuthnRequest arg0, String arg1, String arg2,
            HttpServletRequest arg3, HttpServletResponse arg4, Object arg5,
            String arg6, String arg7) throws SAML2Exception {
        // Entity ID of the SP that issued the AuthnRequest
        String SPId = arg0.getIssuer().getValue();
        // Username read from the login form field (this is the value that comes back null)
        String userID = arg3.getParameter("IDToken1");
        StatisticThread stat = new StatisticThread(SPId, userID);
        Thread statThread = new Thread(stat);
        statThread.start();
        return false;
    }

    The problem is that I have found that in several situations the userID comes back as "Null". Is there any explanation? What am I doing wrong?

    Thanks in advance.


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam


Re: Username is null on SAML2IdentityProviderAdapter

Peter Major
The preSendResponse is always called before an assertion is sent back,
yes. The session parameter should always be non-null, and of type SSOToken.

On 23/05/2017 08:24, Francisco Rodriguez Corredor wrote:

> Hi Péter,
>
>      so, is the SAML2IdentityProviderAdapter always invoked when a
> correct authentication is made? Is the arg5 argument always going to be
> non-null? Do I have to check it?
>
>      Thanks in advance
>
>
> On 11/05/17 at 23:16, Major Péter wrote:
>> You really shouldn't use the HttpServletRequest as a way to retrieve the
>> username. There is absolutely no guarantee that the request will still
>> contain the username.
>> You should look at the arg5 (Object session) argument and retrieve the
>> universal ID from there.
>>
>> cheers,
>> Peter
>>

Re: Username is null on SAML2IdentityProviderAdapter

Andy Cory-2
Hi Francisco

You can get the ID of the user who authenticated using the SSOToken object mentioned by Péter using:

ssoToken.getPrincipal().getName()

This should return something like “id=charlie,ou=user,o=employees,ou=services,dc=amconfig,dc=example,dc=com”. However, just be aware this might not be the value he used to authenticate – it’s the UUID of the in-memory identity subject of the authenticated user, that’s all – he might have authenticated with an email address, for example, depending on the authentication config of the OpenAM instance.

Andy


Re: Username is null on SAML2IdentityProviderAdapter

Peter Major
Actually, to retrieve the universal ID, the recommended method is to use:
ssoToken.getProperty(Constants.UNIVERSAL_IDENTIFIER)

The session's principal can potentially correspond to the username that
the user entered during login, and not necessarily to a universal ID
that uniquely identifies an identity. The session's principal on its
own may still require additional lookup steps (when user alias search
attributes are in use, for example), and it may not identify the user at
all. If you want to retrieve an AMIdentity instance, for example, this is
why you should be using IdUtils#getIdentity with ssoToken as the parameter.

cheers,
Peter

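The following is an added example that pulls together the advice in this thread (Peter's recommendation to take the user from the session object rather than the request, his later note about Constants.UNIVERSAL_IDENTIFIER and IdUtils#getIdentity, and Andy's caveat about getPrincipal().getName()). It is not Francisco's code and not part of OpenAM. The imported OpenAM classes are real; the parameter names of preSendResponse, the StatisticThread constructor (taken from the original post) and the "<unknown>" placeholder are assumptions, and the other methods of the SAML2IdentityProviderAdapter interface are omitted.

```java
// Added example for this thread; not Francisco's code and not part of OpenAM.
// Parameter names of preSendResponse, the StatisticThread constructor and the
// "<unknown>" placeholder are assumptions; the imported OpenAM classes are real.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.shared.Constants;

/** Identity of the user behind the Object session handed to the adapter. */
final class SessionIdentity {
    /** Universal ID (e.g. id=charlie,ou=user,dc=example,dc=com): stable and repository-backed. */
    final String universalId;
    /** Principal name: may be the login name, an alias or the universal ID, depending on config. */
    final String principalName;

    private SessionIdentity(String universalId, String principalName) {
        this.universalId = universalId;
        this.principalName = principalName;
    }

    /**
     * Resolves the authenticated user from the adapter's session argument.
     * Returns null when the session is missing, is not an SSOToken, or cannot be
     * read, so the caller records "unknown" instead of breaking the SSO flow.
     */
    static SessionIdentity fromSession(Object session) {
        if (!(session instanceof SSOToken)) {
            return null;
        }
        SSOToken token = (SSOToken) session;
        try {
            String universalId = token.getProperty(Constants.UNIVERSAL_IDENTIFIER);
            String principalName = token.getPrincipal().getName();
            if (universalId == null || universalId.isEmpty()) {
                // Property absent: resolve the identity through the repository instead
                // of trusting the principal name, which may only be an alias.
                AMIdentity identity = IdUtils.getIdentity(token);
                universalId = identity == null ? null : identity.getUniversalId();
            }
            return new SessionIdentity(universalId, principalName);
        } catch (SSOException | IdRepoException e) {
            return null;
        }
    }
}

/** The statistics adapter's preSendResponse; other SAML2IdentityProviderAdapter methods omitted. */
class StatisticsIdpAdapter {
    public boolean preSendResponse(AuthnRequest authnRequest, String hostProviderID,
            String realm, HttpServletRequest request, HttpServletResponse response,
            Object session, String requestID, String relayState) throws SAML2Exception {
        // Do not dereference the AuthnRequest blindly; guard against it being absent.
        String spEntityId = (authnRequest == null || authnRequest.getIssuer() == null)
                ? "<unknown>" : authnRequest.getIssuer().getValue();

        // Take the user from the session, not from request.getParameter("IDToken1"):
        // the login form fields are not guaranteed to still be on the request.
        SessionIdentity who = SessionIdentity.fromSession(session);
        String userId = (who == null || who.universalId == null) ? "<unknown>" : who.universalId;

        new Thread(new StatisticThread(spEntityId, userId)).start(); // poster's class, assumed
        return false; // false: OpenAM carries on and sends the assertion
    }
}
```

The record stores the universal ID, not the principal name: for statistics you want one stable key per identity, and the principal name can differ between logins of the same user when alias search attributes (e-mail address, for instance) are enabled. The principal name is kept alongside only so the two can be compared while validating the adapter.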

Re: Username is null on SAML2IdentityProviderAdapter

Andy Cory-2
Thanks Peter, that’s really useful additional info.
