  1. OpenAM
  2. OPENAM-11937

Federation UI does not allow empty NameIDMappingService

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.1, 14.5.0
    • Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2
    • Component/s: console, SAML
    • Labels:
    • Sprint:
      AM Sustaining Sprint 44
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      Import remote IDP SAML metadata which does not have a NameIDMappingService.
      Then later go to the SAML2 service for the IDP, open the Service tab,
      and try to save or configure anything. This fails with: Entity descriptor "saml-idp" under realm "/" has invalid syntax.

      How to reproduce the issue


      1. Create an IDP using the wizard
      2. Now export the IDP metadata and remove the NameIDMappingService from the exported metadata
      3. Now import the changed IDP metadata again (using ssoadm import-entity), for example after removing this IDP.
      4. Test configuring another SAML metadata property; on save, the error is seen.

      Expected behaviour
      NameIDMappingService is optional; it should be possible to leave it empty without causing the UI to fail.
      
      Current behaviour

      Error seen on UI

      Entity descriptor "......" under realm "/" has invalid syntax.
      

      Exception seen when saving the settings on the Federation logs:

      at javax.xml.bind.helpers.AbstractMarshallerImpl.marshal(AbstractMarshallerImpl.java:116)
              at com.sun.identity.saml2.meta.SAML2MetaUtils.convertJAXBToString(SAML2MetaUtils.java:187)
              at com.sun.identity.saml2.meta.SAML2MetaUtils.convertJAXBToAttrMap(SAML2MetaUtils.java:221)
              at com.sun.identity.saml2.meta.SAML2MetaManager.setEntityDescriptor(SAML2MetaManager.java:406)
              at com.sun.identity.console.federation.model.SAMLv2ModelImpl.setIDPStdAttributeValues(SAMLv2ModelImpl.java:1231)
              at com.sun.identity.console.federation.SAMLv2IDPServicesViewBean.handleButton1Request(SAMLv2IDPServicesViewBean.java:109)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              ...
                      at java.lang.Thread.run(Thread.java:745)
      Caused by: com.sun.xml.bind.serializer.AbortSerializationException
      
      java.lang.NullPointerException
              at com.sun.identity.saml2.jaxb.assertion.impl.runtime.SAXMarshaller.reportError(SAXMarshaller.java:436)
              at com.sun.identity.saml2.jaxb.assertion.impl.runtime.SAXMarshaller.text(SAXMarshaller.java:272)
              at com.sun.identity.saml2.jaxb.metadata.impl.EndpointTypeImpl.serializeAttributes(EndpointTypeImpl.java:88)
      ....
              at com.sun.identity.saml2.jaxb.metadata.impl.IDPSSODescriptorElementImpl.serializeBody(IDPSSODescriptorElementImpl.java:43)
      

      other errors sent to Tomcat logs:

      DefaultValidationEventHandler: [ERROR]: a required field "Location" is missing an object 
           Location:  obj: com.sun.identity.saml2.jaxb.metadata.impl.NameIDMappingServiceElementImpl@2dca0f4a
      

      Work around

      Either do the config changes using export-entity/import-entity or set a bogus value (non-empty) for the NameIDMappingService.

      Code analysis

      SAML2vModel.java
      ... may need to avoid creating the NameIDMappingService when there is no value.
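
The distinction this report turns on, as an added example (not OpenAM code): a Python check that accepts metadata with no NameIDMappingService at all but flags one that is present without its required Location, the state the Tomcat log shows. The entity ID, URLs and the function name check_idp_metadata are constructed for illustration.

```python
# Added example: flags SAML2 IDP metadata endpoints that lack the attributes
# the SAML metadata schema requires on EndpointType (Binding, Location).
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Endpoint-typed children of IDPSSODescriptor in the SAML 2.0 metadata schema.
ENDPOINTS = ("ArtifactResolutionService", "SingleLogoutService",
             "ManageNameIDService", "SingleSignOnService",
             "NameIDMappingService", "AssertionIDRequestService")
REQUIRED = ("Binding", "Location")

def check_idp_metadata(xml_text):
    """Return a list of (element, missing_attribute); empty means no problems."""
    root = ET.fromstring(xml_text)
    problems = []
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        for child in idp:
            name = child.tag.rsplit("}", 1)[-1]
            if name not in ENDPOINTS:
                continue
            for attr in REQUIRED:
                if not (child.get(attr) or "").strip():
                    problems.append((name, attr))
    return problems

# Constructed sample metadata; the URLs are placeholders.
_TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="saml-idp">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/SSORedirect"/>
    {extra}
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Reproduction step 2: NameIDMappingService removed entirely (valid, optional).
WITHOUT_NIMS = _TEMPLATE.format(extra="")
# Constructed to match the log line 'a required field "Location" is missing'.
EMPTY_NIMS = _TEMPLATE.format(extra=(
    '<NameIDMappingService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>'))

if __name__ == "__main__":
    print(check_idp_metadata(WITHOUT_NIMS))
    print(check_idp_metadata(EMPTY_NIMS))
```

Such a check could be run on exported metadata before ssoadm import-entity; metadata received from another party should be parsed with a hardened XML parser rather than the default one used here.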
      

              People

              • Assignee:
                chee-weng.chea C-Weng C
                Reporter:
                chee-weng.chea C-Weng C