SAML proxy subject issue with oidc plugin
Martin Leonhartsberger
m.leonhartsberger at cumulo.at
Tue Jun 13 14:42:46 UTC 2023
Dear list,
following setting: Shibboleth 4.3.1 + OIDC 3.4.0 plugin
using SAML proxy for authentication to a SAML upstream IdP
some attributes are subject-derived from the upstream IdP, authorization code flow design
on an OIDC-based SP logon it performs as follows:
* SAML proxy authentication
* OIDC authorization works, attributes being resolved, subject canonicalization works, all upstream subject-derived attributes resolved (though not needed in that step)
* RP now issues token request with access token/authorization code flow (from server, not from client any more, in own session)
* attributes are being resolved again, which works for all locally available attributes
* upstream subject is now not available, possibly because the subject from the upstream is contained in the user session and not related to the access token?
* So subject-derived attributes cannot be resolved.
* though the upstream subject is still available (but I suspect in the user session from authorization, not in the Server-to-Application TokenResponse Session)
any ideas how to solve that?
best regards,
Martin
## Token Request which does not find Subject
2023-06-13 15:34:04,568 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractInitializeOutboundResponseMessageContext:69] - Profile Action InitializeOutboundTokenResponseMessageContext: Initialized outbound message context
2023-06-13 15:34:04,570 - x.x.x.252- DEBUG [PROTOCOL_MESSAGE.OAUTH2:77] - OIDCTokenRequestDecoder{authorizationGrant=AuthorizationCodeGrant{authorizationCode=***, codeVerifier=com.nimbusds.oauth2.sdk.pkce.CodeVerifier@1f76d5cf, redirectionURI=***, type=authorization_code}, clientAuthentication=ClientAuthentication{clientId=***, method=client_secret_basic}, customParameters={}, endpointURI=https://127.0.0.1:8080/idp/profile/oidc/token}
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:169] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'net.shibboleth.idp.plugin.oidc.op.profile.impl.OIDCMetadataLookupHandler' on INBOUND message context
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:190] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'com.nimbusds.oauth2.sdk.TokenRequest'
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.OIDCMetadataLookupHandler:121] - Message Handler: net.shibboleth.oidc.metadata.context.OIDCMetadataContext added to MessageContext as child of org.opensaml.messaging.context.MessageContext
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.InitializeRelyingPartyContext:162] - Attaching RelyingPartyContext for ***
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.InitializeRelyingPartyContext:168] - Profile Action InitializeRelyingPartyContext: Setting the rp context verified
2023-06-13 15:34:04,571 - x.x.x.252- DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:253] - Resolving relying party configuration
2023-06-13 15:34:04,573 - x.x.x.252- DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:174] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.DefaultRelyingParty for request
2023-06-13 15:34:04,573 - x.x.x.252- DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:147] - Profile Action PopulateProfileInterceptorContext: No inbound interceptor flows active for this request
2023-06-13 15:34:04,574 - x.x.x.252- DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:222] - Profile Action InitializeAuthenticationContext: Created authentication context: AuthenticationContext{initiationInstant=2023-06-13T13:34:04.573998Z, isPassive=false, forceAuthn=false, requiredName=null, hintedName=null, maxAge=null, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, authenticationStateMap={}, resultCacheable=true, authenticationResult=null, completionInstant=null}
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:213] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into AuthenticationContext
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:57] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:76] - Profile Action FilterFlowsByNonBrowserSupport: Retaining flow authn/OAuth2Client, it supports non-browser authentication
2023-06-13 15:34:04,575 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:88] - Profile Action FilterFlowsByNonBrowserSupport: Potential authentication flows left after filtering: [authn/OAuth2Client]
2023-06-13 15:34:04,576 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:274] - Profile Action SelectAuthenticationFlow: No specific Principals requested
2023-06-13 15:34:04,576 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:312] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
2023-06-13 15:34:04,576 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:369] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/OAuth2Client
2023-06-13 15:34:04,582 - x.x.x.252- DEBUG [net.shibboleth.idp.plugin.oidc.op.authn.impl.OIDCClientInfoCredentialValidator:143] - Credential Validator oauth2-clientinfo: Attempting to authenticate effective client ID ***
2023-06-13 15:34:04,583 - x.x.x.252- INFO [net.shibboleth.idp.plugin.oidc.op.authn.impl.OIDCClientInfoCredentialValidator:152] - Credential Validator oauth2-clientinfo: Login by *** succeeded
2023-06-13 15:34:04,583 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.AbstractValidationAction:398] - Profile Action ValidateCredentials: Adding custom Principal(s) defined on underlying flow descriptor
2023-06-13 15:34:04,583 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75] - Profile Action PopulateSubjectCanonicalizationContext: Installing 3 canonicalization flows into SubjectCanonicalizationContext
2023-06-13 15:34:04,584 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] - Profile Action SelectSubjectCanonicalizationFlow: Checking canonicalization flow c14n/attribute for applicability...
2023-06-13 15:34:04,584 - x.x.x.252- DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:83] - Profile Action SelectSubjectCanonicalizationFlow: Selecting canonicalization flow c14n/attribute
2023-06-13 15:34:04,585 - x.x.x.252- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:251] - Attribute Resolver 'ShibbolethAttributeResolver': Initiating attribute resolution with label: c14n/attribute
2023-06-13 15:34:04,585 - x.x.x.252- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:280] - Attribute Resolver 'ShibbolethAttributeResolver': Attempting to resolve the following attribute definitions [canonicalUsername]
2023-06-13 15:34:04,585 - x.x.x.252- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:469] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'canonicalUsername'
2023-06-13 15:34:04,585 - x.x.x.252- DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:478] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'canonicalUsername'
2023-06-13 15:34:04,585 - x.x.x.252- INFO [net.shibboleth.idp.attribute.resolver.ad.impl.ContextDerivedAttributeDefinition:176] - SubjectDerivedAttributeDefinition canonicalUsername Generated no values, no attribute resolved
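The log above shows the token request being authenticated as the OAuth2 client (authn/OAuth2Client, client_secret_basic) and the c14n/attribute flow then finding no values for canonicalUsername. The following Python model is an added illustration of the two-phase situation the post describes; it is constructed for this note and is not code from Shibboleth or the OIDC plugin. It assumes a toy resolver with two kinds of definitions (local ones that need only the principal name, and subject-derived ones that read attributes carried by the current Subject) and contrasts a token endpoint that re-resolves against the Subject it has on hand (the RP client's) with one that consumes values captured into the authorization-code record at front-channel time. All names, attribute IDs and sample values are made up.

```python
"""Toy model of front-channel authorization vs. back-channel token redemption.

Constructed example: it is NOT Shibboleth's or the OIDC plugin's code. It only
shows why a subject-derived attribute that resolves while the user's Subject is
present can come back empty when the token request is authenticated by the RP.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attributes = Dict[str, List[str]]


@dataclass
class Subject:
    """An authenticated principal plus the attributes that travelled with it."""
    principal: str
    attributes: Attributes = field(default_factory=dict)


@dataclass
class AuthorizationCode:
    """What the OP persists between the two steps (constructed record layout)."""
    code: str
    client_id: str
    principal: str
    # Subject-derived values captured at authorization time, so the token
    # endpoint does not need the user's Subject to reproduce them.
    captured: Attributes = field(default_factory=dict)


# "Local" definitions only need the principal name (constructed mapping).
LOCAL_DEFS: Dict[str, Callable[[str], List[str]]] = {
    "mail": lambda principal: [f"{principal}@example.org"],
}
# "Subject-derived" definitions read an attribute off the current Subject,
# e.g. something the upstream SAML IdP asserted (constructed names).
SUBJECT_DERIVED_DEFS: Dict[str, str] = {
    "canonicalUsername": "upstreamNameID",
    "upstreamAffiliation": "eduPersonAffiliation",
}

CODES: Dict[str, AuthorizationCode] = {}


def resolve(principal: str, subject: Optional[Subject], wanted: List[str]) -> Attributes:
    """Resolve attribute IDs; an empty result mirrors 'Generated no values'."""
    out: Attributes = {}
    for attr_id in wanted:
        if attr_id in LOCAL_DEFS:
            values = LOCAL_DEFS[attr_id](principal)
        elif attr_id in SUBJECT_DERIVED_DEFS:
            source = SUBJECT_DERIVED_DEFS[attr_id]
            values = list(subject.attributes.get(source, [])) if subject else []
        else:
            values = []
        if values:
            out[attr_id] = values
    return out


def authorize(user: Subject, client_id: str, wanted: List[str]) -> str:
    """Front channel: the user's Subject is present, so everything resolves."""
    resolved = resolve(user.principal, user, wanted)
    captured = {a: v for a, v in resolved.items() if a in SUBJECT_DERIVED_DEFS}
    code = secrets.token_urlsafe(16)
    CODES[code] = AuthorizationCode(code, client_id, user.principal, captured)
    return code


def _redeem(code: str, client: Subject) -> AuthorizationCode:
    """Single-use redemption; the caller is the RP, not the end user."""
    rec = CODES.get(code)
    if rec is None or rec.client_id != client.principal:
        raise PermissionError("unknown code or wrong client")
    del CODES[code]
    return rec


def token_naive(code: str, client: Subject, wanted: List[str]) -> Attributes:
    """Back channel, re-resolving against the Subject on hand (the RP client):
    local attributes work, subject-derived ones find nothing."""
    rec = _redeem(code, client)
    return resolve(rec.principal, client, wanted)


def token_with_capture(code: str, client: Subject, wanted: List[str]) -> Attributes:
    """Back channel using values captured into the code record at authorization."""
    rec = _redeem(code, client)
    resolved = resolve(rec.principal, None, wanted)
    resolved.update({a: v for a, v in rec.captured.items() if a in wanted})
    return resolved


def run_demo() -> Dict[str, Attributes]:
    """Run both token-endpoint variants on constructed data and return the results."""
    user = Subject("alice", {"upstreamNameID": ["alice@upstream.example"],
                             "eduPersonAffiliation": ["staff"]})
    client = Subject("rp-client")  # what client_secret_basic authenticates
    wanted = ["mail", "canonicalUsername", "upstreamAffiliation"]
    naive = token_naive(authorize(user, client.principal, wanted), client, wanted)
    captured = token_with_capture(authorize(user, client.principal, wanted), client, wanted)
    return {"naive": naive, "captured": captured}


if __name__ == "__main__":
    for variant, attrs in run_demo().items():
        print(variant, attrs)
```

Running it shows the naive variant returning only `mail`, while the capture variant also returns `canonicalUsername` and `upstreamAffiliation`; the difference is purely where the upstream-derived values live when the back-channel request arrives.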