Question

Please help me out with this: I am trying to set up federation with one IdP and one SP in OpenAM. The data store being used is ApacheDS. I am trying to follow the following tutorial for the same.

http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html

I was receiving the following error in the OpenAM logs during Test Federation Connectivity (from the console):

libSAML2:10/30/2012 06:48:41:399 PM IST: Thread[http-8080-1,5,main]
AccountUtils.setAccountFederation:  set fedinfo {sun-fm-saml2-nameid-info=[http://www.idp.com:8080/openam_10.0.0|http://www.sp.com:8090/openam_10.0.0|WC++1dcclPD//rTlgpYLD0EEISg2|http://www.idp.com:8080/openam_10.0.0|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|http://www.sp.com:8090/openam_10.0.0|IDPRole|false], sun-fm-saml2-nameid-infokey=[http://www.idp.com:8080/openam_10.0.0|http://www.sp.com:8090/openam_10.0.0|WC++1dcclPD//rTlgpYLD0EEISg2]} userID = id=appu,ou=user,dc=opensso,dc=java,dc=net
libPlugins:10/30/2012 06:48:41:543 PM IST: Thread[http-8080-1,5,main]
ERROR: IdRepoDataStoreProvider.setAttribute(): IdRepo exception
Message:Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered an ldap exception.  LDAP Error 16: The specified attribute could not be found.
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.handleLDAPException(LDAPv3Repo.java:6117)
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.setAttributes(LDAPv3Repo.java:4141)
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.setAttributes(LDAPv3Repo.java:3921)
                        at com.sun.identity.idm.server.IdServicesImpl.setAttributes(IdServicesImpl.java:1701)

This probably meant that OpenAM was trying to use some LDAP attribute which wasn’t present (since I created a minimal attribute set in ApacheDS). So I went to the Data Store settings in both the IdP and the SP and removed the non-available attributes from LDAP User Attributes. Now it is giving the following error:

WARNING: IdServicesImpl.setAttributes: Unable to modify identity in the following repository com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo :: Illegal arguments: One or more required arguments is null or empty
amIdm:10/31/2012 10:20:26:362 AM IST: Thread[http-8080-1,5,main]
IdServicesImpl.setAttributes: Unable to set attributes in the following repository com.sun.identity.idm.plugins.internal.SpecialRepo :: Plug-in com.sun.identity.idm.plugins.internal.SpecialRepo does not support operation edit for type {2}
amIdm:10/31/2012 10:20:26:362 AM IST: Thread[http-8080-1,5,main]
WARNING: IdServicesImpl.setAttributes: Unable to set attributes  for identity user::appu in any configured data store
Message:Illegal arguments: One or more required arguments is null or empty
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.setAttributes(LDAPv3Repo.java:4039)
                        at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.setAttributes(LDAPv3Repo.java:3921)

Some forums are saying that attributes like sun-fm-saml2-nameid-info and sun-fm-saml2-nameid-infokey are required. But I cannot add them to my data store as they don’t match the schema. Also I am unable to import the LDIFs given in the OpenAM installation into ApacheDS. I have two questions: 1. Am I going in the right direction (will adding attributes to the ApacheDS data store help)? If yes, how can I push the OpenAM-related schema items into ApacheDS as well? 2. Is there something I am missing here completely?


Solution

Depending on the SAML NameID-Format, OpenAM will try to save Federation info in the user data store. By default these attributes are "sun-fm-saml2-nameid-info" and "sun-fm-saml2-nameid-infokey", but you can change the attribute names to anything you'd like on the Configuration -> Global -> SAMLv2 Service Configuration page.

In case your SP is using transient NameID-Format, this info won't be saved.

In case your SP is using unspecified NameID-Format, then on the remote SP configuration on the Assertion Content page you can use the option called: "Disable Federation persistence if NameID Format is unspecified", to disable this data store update.

In any other case OpenAM will try to save/use Account Federation to/from data store, which means that it will try to change/read the attribute in the data store as well. If your data store is unable to recognize these attributes, then it will throw an error as you've mentioned. Also it is most likely that when you use OpenDJ, the OpenAM schema is loaded there, hence the attribute can be saved.

In OpenAM 10.1.0 there will be an option to disable this update IF the ignored user profile mode is being used: https://bugster.forgerock.org/jira/browse/OPENAM-1427 .

So your current options are:

  • change the NameID-Format in your setup to transient/unspecified as described earlier
  • change the attribute names in the configuration to attributes that are actually present in your ApacheDS schema
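A schema pre-flight check for the situation the answer describes, added here as an example and not part of the original answer: before enabling persistent NameID federation, read the directory's subschema and confirm that the attributes OpenAM will write are both defined and permitted on the user entry's object classes. The subschema text, the dummy OIDs and the object class name fedNameIdAux are constructed placeholders; only the two sun-fm-saml2-nameid-* attribute names come from the page.

```python
import re

# Constructed subschema excerpt (not from the page): the placeholder attribute type and
# auxiliary class use dummy OIDs; the second federation attribute is deliberately undefined.
SUBSCHEMA = """\
attributeTypes: ( 2.5.4.3 NAME 'cn' SUP name )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'sun-fm-saml2-nameid-info' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber ) )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'fedNameIdAux' SUP top AUXILIARY MAY ( sun-fm-saml2-nameid-info $ sun-fm-saml2-nameid-infokey ) )
"""
# Default attribute names OpenAM writes (Configuration -> Global -> SAMLv2 Service Configuration).
FED_ATTRS = ["sun-fm-saml2-nameid-info", "sun-fm-saml2-nameid-infokey"]

def parse_definitions(subschema, kind):
    """Map every NAME (lowercased) of each '<kind>:' definition to its definition body."""
    defs = {}
    for line in subschema.splitlines():
        if line.startswith(kind + ":"):
            body = line.split(":", 1)[1].strip()
            m = re.search(r"\bNAME\s+(?:'[^']+'|\([^)]*\))", body)
            for name in re.findall(r"'([^']+)'", m.group(0) if m else ""):
                defs[name.lower()] = body
    return defs

def _names_after(body, keyword):
    """Names listed after a keyword, written either as one name or as ( a $ b )."""
    m = re.search(r"\b%s\s+(\([^)]*\)|[\w-]+)" % keyword, body)
    return [n.strip().lower() for n in m.group(1).strip("() ").split("$") if n.strip()] if m else []

def permitted_attrs(oc_defs, user_objectclasses):
    """Union of MUST/MAY attributes over the user's object classes, following SUP chains."""
    allowed, todo, seen = set(), [oc.lower() for oc in user_objectclasses], set()
    while todo:
        oc = todo.pop()
        if oc in seen or oc not in oc_defs:
            continue
        seen.add(oc)
        allowed.update(_names_after(oc_defs[oc], "MUST") + _names_after(oc_defs[oc], "MAY"))
        todo.extend(_names_after(oc_defs[oc], "SUP"))
    return allowed

def check_federation_attrs(subschema, user_objectclasses, fed_attrs=FED_ATTRS):
    """For each attribute OpenAM will write, report whether the user entry can hold it."""
    attr_defs = parse_definitions(subschema, "attributeTypes")
    allowed = permitted_attrs(parse_definitions(subschema, "objectClasses"), user_objectclasses)
    report = {}
    for attr in fed_attrs:
        if attr.lower() not in attr_defs:
            report[attr] = "undefined attribute type"
        elif attr.lower() not in allowed:
            report[attr] = "not permitted by the user's object classes"
        else:
            report[attr] = "ok"
    return report
```

Anything other than "ok" for an attribute predicts the data store update failing; the fix is either to add the missing type and object class to the schema or, as the answer says, to point the SAMLv2 Service Configuration at attributes the schema already permits.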
Licensed under: CC-BY-SA with attribution