
WS-Federation extended metadata import fails when using ssoadm

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.1, 14.1.0
    • Fix Version/s: 13.5.2, 14.1.2
    • Component/s: WS Federation
    • Labels:
    • Sprint:
      AM Sustaining Sprint 41
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      When you run the following ssoadm command to import WS-Federation metadata files in 13.5.1:

      ./SSOadmin13.5.1/openam/bin/ssoadm import-entity -u amadmin -f ~/pass.txt -e Staff -t StaffCoT -c wsfed -m WSFederation-MetaData-IDP.xml -x WSFederation-DataFile-IDP.xml

      the following exception is observed in the debug logs:

      WARNING: ImportMetaData.importExtendedData
      javax.xml.bind.UnmarshalException
      with linked exception:
      [org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 146; unexpected root element (uri:"urn:sun:fm:wsfederation:1.0:federationconfig", local:"FederationConfig"). Expected elements are
      <{http://www.w3.org/2001/04/xmlenc#}EncryptionProperties>,<{http://www.w3.org/2001/04/xmlenc#}EncryptedData>,<{http://www.w3.org/2001/04/xmlenc#}EncryptionProperty>,
      <{http://www.w3.org/2001/04/xmlenc#}EncryptedKey>,<{http://www.w3.org/2001/04/xmlenc#}CipherData>,<{http://www.w3.org/2001/04/xmlenc#}AgreementMethod>,
      <{http://www.w3.org/2001/04/xmlenc#}CipherReference>,<{http://www.w3.org/2001/04/xmlenc#}ReferenceList>,
      <{http://www.w3.org/2000/09/xmldsig#}X509Data>,<{http://www.w3.org/2000/09/xmldsig#}Signature>,<{http://www.w3.org/2000/09/xmldsig#}PGPData>,
      <{http://www.w3.org/2000/09/xmldsig#}DSAKeyValue>,<{http://www.w3.org/2000/09/xmldsig#}SignatureMethod>,<{http://www.w3.org/2000/09/xmldsig#}SPKIData>,
      <{http://www.w3.org/2000/09/xmldsig#}KeyInfo>,<{http://www.w3.org/2000/09/xmldsig#}SignedInfo>,<{http://www.w3.org/2000/09/xmldsig#}RetrievalMethod>,
      <{http://www.w3.org/2000/09/xmldsig#}DigestMethod>,<{http://www.w3.org/2000/09/xmldsig#}DigestValue>,<{http://www.w3.org/2000/09/xmldsig#}CanonicalizationMethod>,
      <{http://www.w3.org/2000/09/xmldsig#}SignatureProperties>,<{http://www.w3.org/2000/09/xmldsig#}MgmtData>,<{http://www.w3.org/2000/09/xmldsig#}Object>,
      <{http://www.w3.org/2000/09/xmldsig#}KeyName>,<{http://www.w3.org/2000/09/xmldsig#}KeyValue>,<{http://www.w3.org/2000/09/xmldsig#}Reference>,
      <{http://www.w3.org/2000/09/xmldsig#}SignatureProperty>,<{http://www.w3.org/2000/09/xmldsig#}Manifest>,<{http://www.w3.org/2000/09/xmldsig#}SignatureValue>,
      <{http://www.w3.org/2000/09/xmldsig#}Transforms>,<{http://www.w3.org/2000/09/xmldsig#}RSAKeyValue>,<{http://www.w3.org/2000/09/xmldsig#}Transform>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}Subject>,<{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion>,<{urn:oasis:names:tc:SAML:2.0:assertion}Advice>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}SubjectLocality>,<{urn:oasis:names:tc:SAML:2.0:assertion}Assertion>,<{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}Evidence>,<{urn:oasis:names:tc:SAML:2.0:assertion}Statement>,<{urn:oasis:names:tc:SAML:2.0:assertion}SubjectConfirmationData>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContext>,<{urn:oasis:names:tc:SAML:2.0:assertion}Condition>,<{urn:oasis:names:tc:SAML:2.0:assertion}Conditions>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue>,<{urn:oasis:names:tc:SAML:2.0:assertion}AuthnStatement>,<{urn:oasis:names:tc:SAML:2.0:assertion}AssertionURIRef>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}AssertionIDRef>,<{urn:oasis:names:tc:SAML:2.0:assertion}SubjectConfirmation>,<{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextClassRef>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}Audience>,<{urn:oasis:names:tc:SAML:2.0:assertion}ProxyRestriction>,<{urn:oasis:names:tc:SAML:2.0:assertion}Action>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID>,<{urn:oasis:names:tc:SAML:2.0:assertion}AuthenticatingAuthority>,<{urn:oasis:names:tc:SAML:2.0:assertion}AuthzDecisionStatement>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}Issuer>,<{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextDeclRef>,<{urn:oasis:names:tc:SAML:2.0:assertion}OneTimeUse>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAttribute>,<{urn:oasis:names:tc:SAML:2.0:assertion}NameID>,<{urn:oasis:names:tc:SAML:2.0:assertion}BaseID>,
      <{urn:oasis:names:tc:SAML:2.0:assertion}AttributeStatement>,<{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextDecl>,<{urn:oasis:names:tc:SAML:2.0:assertion}Attribute>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}OrganizationDisplayName>,<{urn:oasis:names:tc:SAML:2.0:metadata}Extensions>,<{urn:oasis:names:tc:SAML:2.0:metadata}ServiceDescription>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}OrganizationURL>,<{urn:oasis:names:tc:SAML:2.0:metadata}ContactPerson>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}PDPDescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}OrganizationName>,<{urn:oasis:names:tc:SAML:2.0:metadata}XACMLAuthzService>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat>,<{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}XACMLAuthzDecisionQueryDescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}SingleLogoutService>,<{urn:oasis:names:tc:SAML:2.0:metadata}QueryDescriptor>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}EntitiesDescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}NameIDMappingService>,<{urn:oasis:names:tc:SAML:2.0:metadata}ArtifactResolutionService>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}AttributeService>,<{urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService>,<{urn:oasis:names:tc:SAML:2.0:metadata}RequestedAttribute>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}Organization>,<{urn:oasis:names:tc:SAML:2.0:metadata}AuthzService>,<{urn:oasis:names:tc:SAML:2.0:metadata}AuthnQueryService>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}EncryptionMethod>,<{urn:oasis:names:tc:SAML:2.0:metadata}XACMLPDPDescriptor>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}ManageNameIDService>,<{urn:oasis:names:tc:SAML:2.0:metadata}GivenName>,<{urn:oasis:names:tc:SAML:2.0:metadata}AffiliateMember>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}SurName>,<{urn:oasis:names:tc:SAML:2.0:metadata}AttributeProfile>,<{urn:oasis:names:tc:SAML:2.0:metadata}SingleSignOnService>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}ServiceName>,<{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}AttributeAuthorityDescriptor>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}AuthnAuthorityDescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}TelephoneNumber>,<{urn:oasis:names:tc:SAML:2.0:metadata}EmailAddress>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}AssertionIDRequestService>,<{urn:oasis:names:tc:SAML:2.0:metadata}AffiliationDescriptor>,<{urn:oasis:names:tc:SAML:2.0:metadata}AdditionalMetadataLocation>,
      <{urn:oasis:names:tc:SAML:2.0:metadata}Company>,<{urn:oasis:names:tc:SAML:2.0:metadata}AttributeConsumingService>,
      <{urn:oasis:names:tc:SAML:metadata:attribute}EntityAttributes>,
      <{urn:sun:fm:SAML:2.0:entityconfig}AttributeQueryConfig>,<{urn:sun:fm:SAML:2.0:entityconfig}AuthnAuthorityConfig>,<{urn:sun:fm:SAML:2.0:entityconfig}SPSSOConfig>,
      <{urn:sun:fm:SAML:2.0:entityconfig}EntityConfig>,<{urn:sun:fm:SAML:2.0:entityconfig}IDPSSOConfig>,<{urn:sun:fm:SAML:2.0:entityconfig}Attribute>,
      <{urn:sun:fm:SAML:2.0:entityconfig}AffiliationConfig>,<{urn:sun:fm:SAML:2.0:entityconfig}PDPConfig>,<{urn:sun:fm:SAML:2.0:entityconfig}AttributeAuthorityConfig>,
      <{urn:sun:fm:SAML:2.0:entityconfig}XACMLAuthzDecisionQueryConfig>,<{urn:sun:fm:SAML:2.0:entityconfig}XACMLPDPConfig>,<{urn:sun:fm:SAML:2.0:entityconfig}Value>]



      The error seems to imply that OpenAM 13.5.1 does not recognize the metadata specification, i.e. --spec wsfed (or -c wsfed).

      You will get a similar error if, for example, you mistakenly pass --spec saml2 when importing WS-Fed metadata.

      Two points to highlight:

      #1. There is no issue with --spec saml2 in OpenAM 13.5.1
      #2. It is working in OpenAM 13.5.0
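      Because the UnmarshalException above only surfaces in the debug log after ssoadm has already rejected the file, a pre-flight check on the extended metadata file (the -x argument) catches a spec/file mismatch before the import is attempted. The script below is an added example and is not part of this bug report or of OpenAM; it assumes only the two extended-configuration root elements visible in the exception (FederationConfig in urn:sun:fm:wsfederation:1.0:federationconfig for wsfed, EntityConfig in urn:sun:fm:SAML:2.0:entityconfig for saml2). The sample files embedded in it are constructed and their attribute values are illustrative.

```python
"""Pre-flight check for `ssoadm import-entity`: confirm that the extended
metadata file passed with -x matches the requested --spec / -c value.

Added example, not OpenAM code. Only the root-element namespaces that
appear in the bug report's exception are assumed; everything else is
constructed sample data.
"""
import sys
import xml.etree.ElementTree as ET

# Root element (namespace, local name) of OpenAM extended metadata per spec.
# Both pairs are taken from the UnmarshalException quoted in the report.
EXTENDED_ROOT_BY_SPEC = {
    "wsfed": ("urn:sun:fm:wsfederation:1.0:federationconfig", "FederationConfig"),
    "saml2": ("urn:sun:fm:SAML:2.0:entityconfig", "EntityConfig"),
}

# Constructed, minimal WS-Federation extended metadata (attribute values illustrative).
WSFED_EXTENDED_SAMPLE = """<FederationConfig xmlns="urn:sun:fm:wsfederation:1.0:federationconfig"
    FederationID="constructed-wsfed-idp" hosted="true">
  <IDPSSOConfig>
    <Attribute name="signingCertAlias"><Value>constructed-alias</Value></Attribute>
  </IDPSSOConfig>
</FederationConfig>"""

# Constructed, minimal SAML2 extended metadata (attribute values illustrative).
SAML2_EXTENDED_SAMPLE = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    entityID="constructed-saml2-sp" hosted="true">
  <SPSSOConfig>
    <Attribute name="signingCertAlias"><Value>constructed-alias</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""


def split_qname(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def spec_for_root(ns, local):
    """Return the spec whose extended-metadata root is (ns, local), or None."""
    for spec, expected in EXTENDED_ROOT_BY_SPEC.items():
        if (ns, local) == expected:
            return spec
    return None


def check_extended_metadata(xml_text, requested_spec):
    """Return (ok, message) for an extended metadata document and a --spec value.

    ok is True only when the document's root element is the one OpenAM's
    extended-metadata unmarshaller for `requested_spec` would accept.
    """
    if requested_spec not in EXTENDED_ROOT_BY_SPEC:
        return False, "unknown spec %r; known specs: %s" % (
            requested_spec, ", ".join(sorted(EXTENDED_ROOT_BY_SPEC)))
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "extended metadata is not well-formed XML: %s" % exc
    ns, local = split_qname(root.tag)
    qname = "{%s}%s" % (ns, local)
    actual_spec = spec_for_root(ns, local)
    if actual_spec == requested_spec:
        return True, "root %s matches --spec %s" % (qname, requested_spec)
    if actual_spec is None:
        return False, ("unexpected root %s; not an OpenAM extended metadata "
                       "file for any known spec" % qname)
    return False, ("root %s is %s extended metadata, but --spec %s was "
                   "requested" % (qname, actual_spec, requested_spec))


def main(argv):
    """Usage: check_extended.py <spec> <extended-metadata-file>; exit 1 on mismatch."""
    if len(argv) != 3:
        print("usage: %s <spec> <extended-metadata-file>" % argv[0])
        return 2
    with open(argv[2], "r", encoding="utf-8") as fh:
        ok, message = check_extended_metadata(fh.read(), argv[1])
    print(("OK: " if ok else "MISMATCH: ") + message)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

      Run it as `python check_extended.py wsfed WSFederation-DataFile-IDP.xml` before the ssoadm command; a non-zero exit means the file and the spec disagree, which is exactly the combination that produces the "unexpected root element" exception in the debug log. The check deliberately inspects only the root element, since that is all the unmarshaller reports on.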
      

       Workaround

       Use the Import Entity option on the Federation screen.

              People

              • Assignee: Mark de Reeper (markdr)
              • Reporter: Sam Phua (sam.phua)
              • Votes: 1
              • Watchers: 4
