Bug 1075982 - [RFE] EAP6-88 - Wrong redirect back to SP from IDP when two Domain Chooser are used
Summary: [RFE] EAP6-88 - Wrong redirect back to SP from IDP when two Domain Chooser ar...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: GA
Target Release: EAP 6.3.0
Assignee: Lucas Costi
QA Contact: Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: eap63-beta-blockers
Reported: 2014-03-13 10:19 UTC by Ondrej Lukas
Modified: 2014-08-14 15:22 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-06-28 15:37:48 UTC
Type: Bug
Embargoed:


Attachments
accountchooser (26.61 KB, application/zip), 2014-03-13 10:19 UTC, Ondrej Lukas
accountchooser2 (64.87 KB, application/zip), 2014-03-13 10:20 UTC, Ondrej Lukas
idp1 (160.11 KB, application/zip), 2014-03-13 10:20 UTC, Ondrej Lukas

Description Ondrej Lukas 2014-03-13 10:19:47 UTC
Created attachment 873897
accountchooser

When two or more SPs with Domain Chooser working with the same IDP are used at the same time, the last-hit SP is returned after authentication. This happens when you hit SP1 first and choose IDP1, then hit SP2 and choose IDP1 again. Go back to IDP1 (redirected from SP1), authenticate yourself, and you should be redirected back to the content of SP1; instead you will be redirected to the content of SP2.

This bug might be related to bug #1072387 and bug #1071288.
 
Steps to reproduce:
1) Start the standalone server and add the needed security domains via CLI commands:
/subsystem=security/security-domain=idp:add(cache-type=default)
/subsystem=security/security-domain=idp/authentication=classic:add
/subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"users.properties"), ("rolesProperties"=>"roles.properties")])

/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)

2) Deploy accountchooser.war, accountchooser2.war and idp1.war

3) Open a browser and hit http://localhost:8080/accountchooser/ and choose DomainA. Open a new tab and hit http://localhost:8080/accountchooser2/ and choose DomainA again. Switch back to the previous tab and make a successful authentication (tomcat/tomcat). You'll get the content of accountchooser2 (but with correct behavior you should get the content of accountchooser).
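
The behaviour in the steps above, as an added Python simulation that is not part of this bug's attachments, EAP, or PicketLink's code. An IDP that keeps only the most recent AuthnRequest per browser session answers the login from tab 1 with an assertion for the SP that asked last; an IDP that keeps each outstanding AuthnRequest keyed by its ID, and echoes that ID through the login form, sends the user back to the SP whose tab they logged in from. The SP side also checks InResponseTo and Audience so that a response issued for another SP's request is refused. The entity IDs and URLs mirror the reproduction steps; the SP/IDP classes, the login-form token and the in-memory request tables are assumptions made for the illustration.

```python
# Added illustration (not PicketLink/EAP code) of SAML Web Browser SSO state handling:
# a "last request wins" IDP versus one that correlates responses with AuthnRequest IDs.
# Names and URLs are constructed to mirror the bug's reproduction steps.
import secrets


class ServiceProvider:
    """Minimal SP: issues AuthnRequests and validates the SAML Response it gets back."""

    def __init__(self, entity_id, acs_url):
        self.entity_id = entity_id
        self.acs_url = acs_url
        self.pending = {}  # AuthnRequest ID -> protected resource the user asked for

    def start_login(self, resource):
        request_id = "_" + secrets.token_hex(16)  # SAML IDs are unique per request
        self.pending[request_id] = resource
        # RelayState carries the resource so the SP can restore it after the round trip
        return {"ID": request_id, "Issuer": self.entity_id,
                "AssertionConsumerServiceURL": self.acs_url, "RelayState": resource}

    def consume(self, response, relay_state):
        # Reject unsolicited or cross-SP responses: InResponseTo must name an
        # outstanding request of *this* SP and the assertion must be for this SP.
        resource = self.pending.pop(response["InResponseTo"], None)
        if resource is None:
            raise ValueError(f"{self.entity_id}: no pending request {response['InResponseTo']}")
        if response["Audience"] != self.entity_id:
            raise ValueError(f"{self.entity_id}: assertion audience is {response['Audience']}")
        if relay_state != resource:
            raise ValueError(f"{self.entity_id}: RelayState does not match the pending request")
        return resource


def build_response(authn_request, user):
    """Response + RelayState the IDP posts to the ACS named in the AuthnRequest."""
    response = {"InResponseTo": authn_request["ID"], "Audience": authn_request["Issuer"],
                "Destination": authn_request["AssertionConsumerServiceURL"], "Subject": user}
    return response, authn_request["RelayState"]


class LastRequestWinsIdp:
    """Keeps one 'current request' per browser session: the behaviour reported in the bug."""

    def __init__(self):
        self.current = None

    def receive(self, authn_request):
        self.current = authn_request  # a second SP silently overwrites the first
        return None                   # the login form carries no reference to the request

    def authenticate(self, user, login_token):
        return build_response(self.current, user)


class CorrelatingIdp:
    """Keeps every outstanding AuthnRequest keyed by ID; each tab's login form echoes its ID."""

    def __init__(self):
        self.pending = {}

    def receive(self, authn_request):
        self.pending[authn_request["ID"]] = authn_request
        return authn_request["ID"]  # hidden field in the login form served to that tab

    def authenticate(self, user, login_token):
        return build_response(self.pending.pop(login_token), user)


def reproduce(idp):
    """Tab 1: SP1 -> IDP. Tab 2: SP2 -> IDP. Log in from tab 1. Return the URL served."""
    sp1 = ServiceProvider("accountchooser", "http://localhost:8080/accountchooser/")
    sp2 = ServiceProvider("accountchooser2", "http://localhost:8080/accountchooser2/")
    by_acs = {sp1.acs_url: sp1, sp2.acs_url: sp2}

    token_tab1 = idp.receive(sp1.start_login("http://localhost:8080/accountchooser/"))
    idp.receive(sp2.start_login("http://localhost:8080/accountchooser2/"))

    response, relay_state = idp.authenticate("tomcat", token_tab1)  # form submitted in tab 1
    sp = by_acs[response["Destination"]]                             # browser POSTs to that ACS
    return sp.consume(response, relay_state)


def sp_rejects_foreign_response():
    """SP-side check: SP1 must not accept a response issued for SP2's request."""
    idp = LastRequestWinsIdp()
    sp1 = ServiceProvider("accountchooser", "http://localhost:8080/accountchooser/")
    sp2 = ServiceProvider("accountchooser2", "http://localhost:8080/accountchooser2/")
    idp.receive(sp1.start_login(sp1.acs_url))
    idp.receive(sp2.start_login(sp2.acs_url))
    response, relay_state = idp.authenticate("tomcat", None)
    try:
        sp1.consume(response, relay_state)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("last request wins:", reproduce(LastRequestWinsIdp()))
    print("correlated by ID: ", reproduce(CorrelatingIdp()))
    print("SP1 refuses SP2's response:", sp_rejects_foreign_response())
```

The first call lands on accountchooser2 even though the login was submitted from the accountchooser tab, which is the behaviour reported; the second lands on accountchooser because the IDP looked up the request the form belonged to. The InResponseTo check in `consume` is the SP's own defence: it turns a mis-routed assertion into a rejected login rather than a session on the wrong application.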

Comment 1 Ondrej Lukas 2014-03-13 10:20:20 UTC
Created attachment 873899
accountchooser2

Comment 2 Ondrej Lukas 2014-03-13 10:20:52 UTC
Created attachment 873900
idp1

Comment 6 Lucas Costi 2014-04-09 06:14:05 UTC
I have added the following 'Important' admonition to the section: "About SAML Web Browser Based SSO"

"If there are two or more SPs both pointing to the same IDP, the IDP does not distinguish between the different SPs. If you make requests to different SPs that point to the same IDP, the IDP handles the most recent request from an SP and sends back a SAML assertion about the authenticated user. To get back to an older SP request, you will need to re-enter the SP URL in the browser."

Please let us know if anything needs to be corrected, or if the admonition should go in a different section.

Preview available here: http://docbuilder.usersys.redhat.com/22558/#SAML_Web_Browser_Based_SSO

Topic 2105 updated to revision 628427

Comment 8 Ondrej Lukas 2014-04-17 05:25:39 UTC
Verified on stage in Revision 6.3.0-10.

