Policy Server OIDC doesn't handle Swedish characters in user name

Article ID: 220743

Products

SITEMINDER

Issue/Introduction

 

When the Policy Server runs as the OIDC Provider in an OIDC journey, it
is unable to retrieve a user name containing the characters Å, Ä, or Ö
from the session token.

This happens when the UserInfo Endpoint is requested: the Policy Server
authenticates the request and returns claims about the user.

  To illustrate:
  Ånonkerg

 

Cause

 

Policy Server produces the code correctly:

smtracedefault.log:

  [06/14/2021][18:22:45.613][18:22:45][20390][140577618253568][SmMessage.cpp:557]
  [CSmMessage::ParseAgentMessage][s2306859/r5][oidcp:myprovider][][][][][]
  [][][][][][][][][][][][][/&SMASSERTIONREF=QUERY&response_type=code
  &client_id=0002668f-1ff8-1042-b4c5-05210a640000&scope=openid%20profile%20email
  &state=qBSnENzUFkmON_kdN4LYVmsPVFqhxnrl72Li_mQNSwE%3D
  &redirect_uri=https://myservice.mydomain.com&scope=openid%20profile
  %20email%20userDetail%20Roles&authenticationURL=https://mycompany.mycompany.com/
  affwebservices/CASSO/oidc/authorize&Oid=null][Receive request attribute 201, data size is 374]

  [06/14/2021][18:22:45.620][18:22:45][20390][140577618253568][OIDCSessionManager.java]
  [updateDataForAzCode][b1a81ab7-a0588e48-781b8a95-49f72506-8c9d1725-5a][][][][]
  [][][][][][][][][][][][][][][][JSON internalData after encryption:
  ...]
  which base64-decodes to (Ånonkerg):
  
  ({"ac":"NjA3MzNhMTQtNDk2My00ddsaadaskZDJkMTdjLUltWU5DaXM4U2VrWnhpR0ozbHVOa2ZMRE9YST0=","cid":"0002668f-1ff8-1042-b4c5-05210a640000","uid":"cn=Å[email protected],ou=People,ou=)

  [06/14/2021][18:22:45.622][18:22:45][20390][140577618253568][Sm_Az_Message.cpp:828]
  [CSm_Az_Message::FormatAttribute][s2306859/r5][oidcp:myprovider][]
  [Å[email protected]][][oidcp:myprovider_az][oidcp:myprovider][][]
  [][][][][][][][][][][code=NjA3MzNhMTQtNDk2My00YmY3LWI2NjgtNDJlNDZkZDJkMTdreewqdasdpR0ozbHVOa2ZMRE9YST0=]
  [Send response attribute 255, data size is 93]

and when it receives it back, it receives it correctly as well:

"cn=Å[email protected]" :

  [06/14/2021][18:22:46.362][18:22:46][20390][140577500821248][OIDCSessionManager.java]
  [getSessionVariable][][][][][][][][][][][][][][][][][][][][]
  [JSON Data before decrypt : 
  ...]

  which base64-decodes to (Ånonkerg):

  ({"ac":"NjA3MzNhdasadasadasahrhflkhjelqejdladjLUltWU5DaXM4U2VrWnhpR0ozbHVOa2ZMRE9YST0=","cid":"0002668f-1ff8-1042-b4c5-05210a640000","uid":"cn=Å[email protected],ou=Peo)

but the unmarshalling does not seem to handle the Å character
correctly, and it reports this character as not displayable:

userId=cn=Å�[email protected] :

  [06/14/2021][18:22:46.362][18:22:46][20390][140577500821248][OIDCSessionManager.java]
  [getSessionVariable][][][][][][][][][][][][][][][][][][][][]
  [Data after unmarshalling from decrypted JSON: OpenIDConnectInternalData
  [azCode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXST0=, clientId=0002668f-1ff8-1042-b4c5-05210a640000,
  userId=cn=.�[email protected],ou=People,ou=myCompany, redirectURI=https://myservice.mydomain.com,
  scope=openid email userDetail Roles, authTime=1623687765,
  userDirectoryOID=0e-3ce4d0a7-1593-001b-0000-036800000368, isRevoked=false,
  refreshTokenIssuedTime=0, tokenIssuedTime=0]]
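The symptom in the trace above can be reproduced outside the product. The following is an added illustration, not SiteMinder code: it round-trips a constructed JSON payload through base64 (encryption omitted), unmarshals it once as UTF-8 and once with an assumed wrong charset (`ascii`, standing in for whatever non-UTF-8 charset the affected build used, which the article does not state), and scans trace lines for `userId` values containing U+FFFD. The DN, client ID, redirect URI and all function names are assumptions.

```python
import base64
import json

REPLACEMENT = "\ufffd"  # U+FFFD, the "not displayable" glyph seen in the trace

# Constructed sample; only the name "Ånonkerg" comes from the article.
SAMPLE = {"cid": "example-client", "uid": "cn=Ånonkerg,ou=People,ou=myCompany"}

def marshal(internal_data):
    """Serialize to UTF-8 JSON bytes, then base64 (encryption omitted)."""
    raw = json.dumps(internal_data, ensure_ascii=False).encode("utf-8")
    return base64.b64encode(raw)

def unmarshal(blob, charset):
    """Base64-decode, then turn the bytes into text using `charset`."""
    text = base64.b64decode(blob).decode(charset, errors="replace")
    return json.loads(text)

def mangled_user_ids(trace_lines):
    """Return userId values in trace lines that contain U+FFFD."""
    hits = []
    for line in trace_lines:
        _, found, rest = line.partition("userId=")
        # Assumption: fields are separated by ", " as in the trace above.
        user_id = rest.split(", ", 1)[0]
        if found and REPLACEMENT in user_id:
            hits.append(user_id)
    return hits

def demo():
    blob = marshal(SAMPLE)
    good = unmarshal(blob, "utf-8")["uid"]
    bad = unmarshal(blob, "ascii")["uid"]  # assumed wrong charset
    trace = [f"[Data after unmarshalling: userId={u}, redirectURI=https://rp.example]"
             for u in (good, bad)]
    return good, bad, mangled_user_ids(trace)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Å is two bytes in UTF-8, so a byte-wise fallback yields two replacement characters where one letter was. The same scan can be pointed at smtracedefault.log to find other affected user DNs before and after the upgrade.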

Environment

 

  Policy Server 12.8SP2 on Linux;
  Policy Store on CA Directory 12.6.00; 
  CA Access Gateway (SPS) 112.8SP2 on;

 

Resolution

 

Upgrade Policy Server to 12.8SP6 in order to fix this issue.