Bug 1075982

Summary: [RFE] EAP6-88 - Wrong redirect back to SP from IDP when two Domain Chooser are used
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Ondrej Lukas <olukas>
Component: DocumentationAssignee: Lucas Costi <lcosti>
Status: CLOSED CURRENTRELEASE QA Contact: Russell Dickenson <rdickens>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.3.0CC: asaldhan, kkhan
Target Milestone: GAKeywords: Documentation, Triaged
Target Release: EAP 6.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-28 15:37:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1051640    
Attachments:
Description Flags
accountchooser
none
accountchooser2
none
idp1 none

Description Ondrej Lukas 2014-03-13 10:19:47 UTC 
Created attachment 873897 [details]
accountchooser

When two or more SP with Domain Chooser working with same IDP are used at the same time then last hit SP is returned after authentication. It happens when you hit first SP1 and choose IDP1, then hit SP2 and choose IDP1 again. Go back to IDP1 redirected from SP1, authenticate yourself and you should be redirected back to content of SP1, but instead of that you will be redirected to content of SP2.

This bug might be related to bug #1072387 and bug #1071288.
 
Steps to reproduce:
1) Start standalone server and add needed security domains via CLI commands:
/subsystem=security/security-domain=idp:add(cache-type=default)
/subsystem=security/security-domain=idp/authentication=classic:add
/subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"users.properties"), ("rolesProperties"=>"roles.properties")])

/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)

2) Deploy accountchooser.war, accountchooser2.war and idp1.war

3) Open browser and hit http://localhost:8080/accountchooser/ and choose DomainA. Open new tab and hit http://localhost:8080/accountchooser2/ and choose DomainA again. Switch back to previous tab and make a successfull authentication (tomcat/tomcat). You'll get content of accountchooser2 (but in right behavior you should get content of accountchooser).
Comment 1 Ondrej Lukas 2014-03-13 10:20:20 UTC 
Created attachment 873899 [details]
accountchooser2
Comment 2 Ondrej Lukas 2014-03-13 10:20:52 UTC 
Created attachment 873900 [details]
idp1
Comment 6 Lucas Costi 2014-04-09 06:14:05 UTC 
I have added the following 'Important' admonition to the section: "About SAML Web Browser Based SSO"

"If there are two or more SPs both pointing to the same IDP, the IDP does not distinguish between the different SPs. If you make requests to different SPs that point to the same IDP, the IDP handles the most recent request from an SP and sends back SAML assertion about the authenticated user. To get back to the an older SP request, you will need to reenter the SP URL in the browser."

Please let us know if anything needs to be corrected, or if the admonition should go in a different section.

Preview available here: http://docbuilder.usersys.redhat.com/22558/#SAML_Web_Browser_Based_SSO

Topic 2105 updated to revision 628427
Comment 8 Ondrej Lukas 2014-04-17 05:25:39 UTC 
Verified on stage in Revision 6.3.0-10.