2

Scenario:

1) Browser(User) requests resource from Service Provider (SP).

2) SP Redirects (with SAML Request) to Identity Provider (IdP).

3) Since it is first login, User gives the (IdP) his/her valid credentials.

4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.

  • After creation of user, If I try to authenticate it works as expected but when I change user data on idp, and try after cleaning complete browser data in any of browser (firefox, chrome) it shows only old assertion data in SAML response on the way to idp to sp.
  • Even I have deleted user on idp and created again with same email id with different user data it shows only old user data in SAML response.
  • There is nothing exist on browser side even cleaned cached data , cookies, and re-installed browser too.

I have gone through : Are SAML tokens cache/stored anywhere on the browser? Not helped.

I there any settings on idp (OpenAM) side to resolve it? (I have unchecked Disable Federation persistence if NameID Format is unspecified:)

idp: OpenAM-12.0.0, sp: redmine SAML ominiauth

So what I miss here, I don't get it.

Community
  • 1
  • 1
Umesh Rajani
  • 139
  • 2
  • 13

1 Answers1

1

I got a solution by exploring the stuff at OpenAM side. There is no issue with SAML plugin. It is OpenAM which cached SAML assertion attributes so every time it takes old assertion with SAML response. To resolve issue need to follow below steps in OpenAM:

1) Select Federation-Select SP (from entity provider list)-Assertion content

-Check "Disable Federation persistence if NameID Format is unspecified:"

2) If above case won't work then follow this process:

-Select configuration-Servers and Sites-Default Server Settings:

-Add following properties:

 -com.sun.identity.idm.cache.entry.expire.enabled=true
 -com.sun.identity.idm.cache.entry.user.expire.time=10
 -com.sun.identity.idm.cache.entry.default.expire.time=10
Umesh Rajani
  • 139
  • 2
  • 13