OpenAM / OPENAM-11937

Federation UI does not allow empty NameIDMappingService


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.1, 14.5.0
    • Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2
    • Component/s: console, SAML
    • Sprint: AM Sustaining Sprint 44
    • Are the reproduction steps defined?: Yes, and I used the same as in the description


      Bug description

      Import a remote IDP's SAML metadata that contains no NameIDMappingService element.
      Later, open the SAML2 entity for that IDP in the console, go to the Services
      tab and save or configure anything. This fails with: Entity descriptor "saml-idp" under realm "/" has invalid syntax.

      How to reproduce the issue


      1. Create an IDP using the wizard.
      2. Export the IDP metadata and remove the NameIDMappingService element from the exported metadata.
      3. Delete the IDP created in step 1 and import the changed IDP metadata again (using ssoadm import-entity).
      4. In the console, configure any other SAML metadata property of the IDP and save; the error appears.

      Expected behaviour

      NameIDMappingService is optional; it should be possible for it to be empty without causing the UI to fail.

      Current behaviour

      Error seen in the UI:

      Entity descriptor "......" under realm "/" has invalid syntax.

      Exception seen in the Federation logs when saving the settings:

              at javax.xml.bind.helpers.AbstractMarshallerImpl.marshal(AbstractMarshallerImpl.java:116)
              at com.sun.identity.saml2.meta.SAML2MetaUtils.convertJAXBToString(SAML2MetaUtils.java:187)
              at com.sun.identity.saml2.meta.SAML2MetaUtils.convertJAXBToAttrMap(SAML2MetaUtils.java:221)
              at com.sun.identity.saml2.meta.SAML2MetaManager.setEntityDescriptor(SAML2MetaManager.java:406)
              at com.sun.identity.console.federation.model.SAMLv2ModelImpl.setIDPStdAttributeValues(SAMLv2ModelImpl.java:1231)
              at com.sun.identity.console.federation.SAMLv2IDPServicesViewBean.handleButton1Request(SAMLv2IDPServicesViewBean.java:109)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at java.lang.Thread.run(Thread.java:745)
      Caused by: com.sun.xml.bind.serializer.AbortSerializationException
              at com.sun.identity.saml2.jaxb.assertion.impl.runtime.SAXMarshaller.repo
              at com.sun.identity.saml2.jaxb.assertion.impl.runtime.SAXMarshaller.text
              at com.sun.identity.saml2.jaxb.metadata.impl.EndpointTypeImpl.serializeAttributes(EndpointTypeImpl.java:88)
              at com.sun.identity.saml2.jaxb.metadata.impl.IDPSSODescriptorElementImpl

      Related error in the Tomcat logs:

      DefaultValidationEventHandler: [ERROR]: a required field "Location" is missing an object 
           Location:  obj: com.sun.identity.saml2.jaxb.metadata.impl.NameIDMappingServiceElementImpl@2dca0f4a

      Workaround

      Either make the configuration changes via export-entity/import-entity (editing the metadata outside the console), or set a bogus (non-empty) value for the NameIDMappingService.
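The metadata edit in reproduction step 2 and the export-entity/import-entity workaround above both come down to the same thing: making sure the exported IDP metadata carries no NameIDMappingService endpoint without the Location attribute that the JAXB marshaller reports as required. The following script is an added example written for this ticket, not OpenAM's own code; it scans an exported IDPSSODescriptor for such incomplete endpoints and strips them before re-import. The sample metadata, entity ID and URLs in it are constructed, and the script file name in the usage comment is assumed.

```python
"""Find and strip NameIDMappingService endpoints with no Location from SAML 2.0
IdP metadata, so the file can be re-imported with ssoadm import-entity.
Added example for this ticket, not OpenAM code; the sample metadata is constructed.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample: an IdP descriptor in the broken state, with a
# NameIDMappingService element that has a Binding but no Location.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="saml-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/openam/SSORedirect/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _incomplete_endpoints(idp):
    """NameIDMappingService children of an IDPSSODescriptor whose required
    EndpointType attributes (Binding, Location) are missing or blank."""
    return [
        svc for svc in idp.findall("md:NameIDMappingService", NS)
        if not svc.get("Binding", "").strip() or not svc.get("Location", "").strip()
    ]


def count_incomplete_nameid_mapping(xml_text):
    """Number of NameIDMappingService elements that would trip the
    'required field "Location" is missing' marshalling error."""
    root = ET.fromstring(xml_text)
    return sum(len(_incomplete_endpoints(idp))
               for idp in root.findall("md:IDPSSODescriptor", NS))


def strip_incomplete_nameid_mapping(xml_text):
    """Return (cleaned_xml, removed_count). NameIDMappingService is optional in
    IDPSSODescriptor, so dropping an incomplete one yields valid metadata."""
    ET.register_namespace("md", MD_NS)  # keep the md: prefix on output
    root = ET.fromstring(xml_text)
    removed = 0
    for idp in root.findall("md:IDPSSODescriptor", NS):
        for svc in _incomplete_endpoints(idp):  # fresh list, safe to remove from idp
            idp.remove(svc)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Usage (assumed file name): python strip_nameid_mapping.py exported-idp.xml > cleaned-idp.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_METADATA
    cleaned, removed = strip_incomplete_nameid_mapping(text)
    print(cleaned)
    print(f"removed {removed} incomplete NameIDMappingService element(s)", file=sys.stderr)
```

The script removes the element rather than inventing a Location, since the ticket's expected behaviour is that the endpoint is simply absent; it checks Binding as well as Location because the SAML metadata EndpointType requires both. Run it over the file produced by export-entity, then feed the output back with import-entity.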

      Code analysis

      ... may need to avoid creating the NameIDMappingService element when no value is set.



              • Assignee: chee-weng.chea (C-Weng C)
              • Votes: 0
              • Watchers: 2
