SP Initiated Login to external SAML IDP server loses target/RelayState when using Kerberos forms failover

  • 7015780
  • 16-Oct-2014
  • 16-Oct-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

Access Manager is set up and working fine with NAM 4.0.1. An internal application is protected with an external contract, so that when the contract is executed on the NAM Identity Server (IDP), the authentication request is proxied to an external SAML2 Identity Server that NAM has a trust relationship with.

This external IDP server is also running NAM 4.0.1, and the contract executed there is a Kerberos contract. All works fine when the users actually have a Kerberos token. When users do not have a Kerberos token, we fall back to a name/password type authentication by default. This is where the issue arises: if the user does not press Escape when prompted for a Kerberos token (via the 401 popup), or manually enters invalid credentials before submitting credentials from the form-based login page, the user simply receives the message on the external SAML IDP server that the user has successfully authenticated and that the session is valid for 60 minutes (the default timeout on the contract). The user is not redirected back to the SP.

Exact use case:
a) user accesses an AG protected resource (PR) and is redirected to the IDP server to authenticate with the Kerberos contract
b) the IDP (acting as SAML2 SP) Kerberos contract is an external contract, so the request is sent to the SAML2 IDP server
c) the remote IDP server executes the Kerberos contract but has no valid token. This can happen for many reasons, but in their setup it is because they have multiple domains: if you join your test workstation to a domain different from the one configured for NAM, you do not get the option to hit Cancel or Esc, because the workstation attempts to respond to the Negotiate request, simply fails, and is then presented with a form.
d) the Kerberos fallback contract is NOT executed; instead we fall back to the default contract for that IDP server. In their case it is a name/password form, but regardless, we have lost the security context for the user as well as the target/RelayState info.
e) the user enters username/password in the default contract and gets the IDP portal page indicating that their session is valid for X minutes.

If a popup appeared in c) above AND the user escapes out of the popup, then we fall back to the Kerberos fallback method and all works fine, i.e. the user clicks Escape to get the fallback name/password login page, the user submits credentials to the IDP server, and the IDP server validates the credentials and responds with 200 OK and the following form (note the RelayState value):

    <form method="POST" enctype="application/x-www-form-urlencoded"
          action="http://147.2.16.109:888/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp">
        <input type="hidden" name="SAMLResponse" value="..."/>
        <input type="hidden" name="RelayState"
               value="http://147.2.16.109:888/simplesaml/module.php/core/authenticate.php?as=default-sp"/>
    </form>

- the user is redirected to the SAML SP and eventually to the AG protected resource

Resolution

Added a Tomcat filter that strips the sid value (carried in the HTTP session) from requests coming into the SAML2 IDP server, e.g.:

            // inside the filter's doFilter(): look up the existing session without creating one
            HttpServletRequest httpReq = (HttpServletRequest) request;
            HttpSession session = httpReq.getSession(false);

            if (session != null)
            {
                String sid = (String) session.getAttribute("sid");

                if (sid != null)
                {
                    // keep sid visible to this request only, then drop it from the session
                    // so the stale (failed Kerberos) context is not reused for the next request
                    httpReq.setAttribute("sid", sid);
                    session.removeAttribute("sid");
                }
            }

            chain.doFilter(request, response);

Applying that to the IDP as a tomcat filter worked around the issue.
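The complete filter class below is an added example showing how the snippet above fits into a javax.servlet.Filter that can be deployed into the IDP web application; it is not NetIQ's code, and the class name, package, the wildcard filter mapping and the choice to leave the request untouched when no session exists are assumptions.

```java
package example.nam; // hypothetical package, not part of NetIQ Access Manager

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Moves a "sid" attribute left in the HTTP session by an earlier (failed
 * Kerberos) authentication attempt onto the current request and removes it
 * from the session, so the SAML2 IDP does not resume that stale context and
 * lose the SP's target/RelayState for the new request.
 */
public class StripSidFilter implements Filter {

    private static final String SID = "sid";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) request;
            // getSession(false): never create a session as a side effect of the filter
            HttpSession session = httpReq.getSession(false);
            if (session != null) {
                Object sid = session.getAttribute(SID);
                if (sid != null) {
                    // keep the value visible to this request only, then drop it from the session
                    httpReq.setAttribute(SID, sid);
                    session.removeAttribute(SID);
                }
            }
        }
        // always continue the chain so normal IDP processing runs
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To activate it, compile the class into the IDP web application's classpath and register it in that application's web.xml with a filter element naming example.nam.StripSidFilter and a filter-mapping whose url-pattern covers the SAML2 IDP entry points (the pattern to use is an assumption and should be scoped as narrowly as your deployment allows, since the filter runs before every matching request). Because the filter only removes a session attribute and never creates sessions, it is safe to place first in the filter chain.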