OpenAM x MalwareBytes SSO #819

@neel-quantasis

Description

Malware Bytes SP Metadata (Ids modified for privacy)

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:cognito:sp:us-east-1_1234">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  Location="http://www.example2.local:3000/logout/callback"/>

    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="0"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="3"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234" index="4"/>
   </SPSSODescriptor>
  <ContactPerson contactType="technical">
    <GivenName>Administrator</GivenName>
    <EmailAddress>[email protected]</EmailAddress>
  </ContactPerson>
</EntityDescriptor>

Steps:

  1. Create COT : https://scribehow.com/shared/How_to_Create_a_Circle_of_Trust_in_OpenAM__XUI7nRCpR9at1Ly2jZLtBA
  2. Create IDP : https://scribehow.com/shared/Add_Entity_Provider_in_OpenAM_Admin_Interface__inTb644qRfSoqNlposJlQQ
  3. Create SP using above mentioned XML : https://scribehow.com/shared/How_To_Add_An_Entity_Provider_In_OpenAM__K-gfI7UyRy2vM6YC007Rrg
  4. Configure assertion properties as mentioned by MalwareBytes
    (screenshot of the assertion property settings not reproduced)
  5. Create tokenId for user (that has same email id in Malware Bytes)
curl --location --request POST 'http://redhatnew.convertcurrency.online:8080/openam/json/realms/root/authenticate' \
--header 'X-OpenAM-Username: user' \
--header 'X-OpenAM-Password: password' \
--header 'Content-Type: application/json' \
--header 'Accept-API-Version: resource=2.1'
  6. Perform IDP Initiated flow with user's tokenId
curl --location 'http://redhatnew.convertcurrency.online:8080/openam/idpssoinit?metaAlias=%2Fidp&spEntityID=urn%3Aamazon%3Acognito%3Asp%3Aus-east-1_1234&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST' \
--header 'iplanetDirectoryPro: tokenId' \
--header 'Accept: application/json'

After performing these steps, I get redirected to the MalwareBytes link and then redirected back to the OpenAM site, on the login page.

Am I missing something?
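A bounce back to the OpenAM login page after the ACS POST usually means the SP rejected the assertion without saying why. The script below, an added example that is not part of this issue or of OpenAM, pulls the hidden SAMLResponse out of the auto-POST form that idpssoinit returns, decodes it, and checks the fields an SP normally rejects on: Destination and Recipient against the ACS URL, Audience against the SP entityID, the validity window, the NameID, and whether anything is signed. The SP entityID and ACS URL come from the metadata above; the sample response is constructed and unsigned, the IdP Issuer value is assumed (the issue does not show the IdP entityID), and the rule that the NameID must be the user's email is the poster's assumption ("same email id in Malware Bytes"), not something verified against MalwareBytes. Feed it the saved HTML from step 6 with `check_saml_response(extract_saml_response(html))`.

```python
import base64
import datetime as dt
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Values taken from the SP metadata posted in the issue.
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_1234"
SP_ACS_URL = "https://ipi-intg-gatekeeper-prod.mwbsys.com/api/v1/sso/saml/acs/1234"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
IDP_ISSUER = "http://redhatnew.convertcurrency.online:8080/openam"  # assumed, not shown in the issue
FIXED_NOW = dt.datetime(2024, 1, 1, 0, 5, tzinfo=dt.timezone.utc)  # inside the sample's validity window

# Constructed, unsigned sample (not captured from OpenAM); a real response carries ds:Signature.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{fmt}">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="2024-01-01T00:10:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def build_sample_response(name_id, fmt, audience=SP_ENTITY_ID, destination=SP_ACS_URL):
    """Return the base64 SAMLResponse an auto-POST form would carry (constructed sample)."""
    xml = RESPONSE_TEMPLATE.format(samlp=NS["samlp"], saml=NS["saml"], issuer=IDP_ISSUER,
                                   name_id=name_id, fmt=fmt, audience=audience, destination=destination)
    return base64.b64encode(xml.encode()).decode()


class _AutoPostForm(HTMLParser):
    """Pull the hidden SAMLResponse input out of the HTML that idpssoinit returns."""
    def __init__(self):
        super().__init__()
        self.saml_response = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "SAMLResponse":
            self.saml_response = a.get("value")


def extract_saml_response(html):
    parser = _AutoPostForm()
    parser.feed(html)
    return parser.saml_response


def _ts(value):
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(b64, sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL, now=None):
    """Return the reasons an SP would plausibly reject this response (empty list = looks fine)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(base64.b64decode(b64))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS {acs_url!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
        return problems
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} != SP entityID {sp_entity_id!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData/@Recipient does not match the ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore); check IdP/SP clock skew")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter); check IdP/SP clock skew")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        # Assumption from the issue: the SP matches the user by email address.
        problems.append(f"NameID {name_id.text!r} (Format {name_id.get('Format')!r}) is not an email address")
    return problems


if __name__ == "__main__":
    # A NameID that is the uid instead of the email: the SP has nothing to match on.
    for p in check_saml_response(build_sample_response("user", UNSPECIFIED_FORMAT), now=FIXED_NOW):
        print("reject:", p)
    print(check_saml_response(build_sample_response("user@example.com", EMAIL_FORMAT), now=FIXED_NOW))
```

The check deliberately stops at "is anything signed" rather than verifying the signature, because the rejection in this issue is about content, not cryptography; if every field here lines up, the next things to compare are the IdP signing certificate the SP has on file and the SP's own logs for the ACS POST.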
