- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 14.1.0, 14.1.1, 14.5.0
- Component/s: authentication, SAML
- Labels:
Bug description
Some IdPs do not support SLO, and hence their AuthnResponse does not carry a SessionIndex in the assertion. According to the SAML 2.0 spec this is acceptable:
SessionIndex [Optional] Specifies the index of a particular session between the principal identified by the subject and the authenticating authority.
The Salesforce IdPs are one example of this.
How to reproduce the issue
- Configure OpenAM as a Hosted SP, and use AuthConsumer in the ACS.
- Set up a Connected Application in Salesforce.
- Export the IdP metadata from Salesforce.
- Create a SAML authentication module in OpenAM.
- Log in to OpenAM with the above authentication module.
- You can force the SessionIndex to be absent by making the SP think there is no SessionIndex in the response at com.sun.identity.saml2.assertion.impl.AuthnStatementImpl.parseElement(AuthnStatementImpl.java:150) (by injecting it through a debugger).
Expected behaviour
The SAML2 Auth module should work; just that SLO is not possible.
Current behaviour
Exception: java.lang.NullPointerException
org.forgerock.util.Reject.ifNull(Reject.java:152)
org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData.<init>(SAML2ResponseData.java:41)
org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrl(SAML2Proxy.java:201)
org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.processSamlResponse(SAML2Proxy.java:126)
org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:113)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
Workaround
Use the legacy Federation (non-integrated SAML2 version).
Code analysis
org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData.java
...org.forgerock.util.Reject.ifNull(Reject.java:152)
We should relax the null check here. If we fix this, we also need to fix org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionProperties(SAML2.java:631) so that it does not set the SessionIdx session property to null (add a null check condition); otherwise the following is thrown:
javax.security.auth.login.LoginException: java.lang.NullPointerException
at java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011)
at java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:1006)
at com.iplanet.dpro.session.service.InternalSession.internalPutProperty(InternalSession.java:861)
at com.iplanet.dpro.session.service.InternalSession.putProperty(InternalSession.java:822)
at com.sun.identity.authentication.spi.AMLoginModule.setUserSessionProperty(AMLoginModule.java:1713)
at org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionProperties(SAML2.java:631)
at org.forgerock.openam.authentication.modules.saml2.SAML2.success(SAML2.java:508)
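The two failure points described above, as an added, self-contained example that is not OpenAM code and uses none of its classes: a constructed AuthnStatement with and without the optional SessionIndex attribute is parsed with the JDK DOM parser, the strict mandatory-argument check that mirrors the Reject.ifNull behaviour is shown failing on the absent attribute, and a guarded setter skips the session property when the value is null, because java.util.concurrent.ConcurrentHashMap rejects null values (the second trace). The assertion XML, the "SessionIndex" property name and the method names are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class OptionalSessionIndexExample {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample assertion WITH a SessionIndex (what most IdPs send).
    static final String ASSERTION_WITH_INDEX =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
      + "<saml:AuthnStatement AuthnInstant=\"2020-01-01T00:00:00Z\" SessionIndex=\"_sample-index-1\"/>"
      + "</saml:Assertion>";

    // Constructed sample assertion WITHOUT a SessionIndex (an IdP that does not support SLO).
    static final String ASSERTION_WITHOUT_INDEX =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
      + "<saml:AuthnStatement AuthnInstant=\"2020-01-01T00:00:00Z\"/>"
      + "</saml:Assertion>";

    /** Parses the assertion with a namespace-aware, DTD-disabled parser; returns SessionIndex or null. */
    static String parseSessionIndex(String assertionXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // No DTD processing: keeps the parser away from external-entity and entity-expansion surface.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8)));
        NodeList statements = doc.getElementsByTagNameNS(SAML_NS, "AuthnStatement");
        if (statements.getLength() == 0) {
            throw new IllegalArgumentException("assertion carries no AuthnStatement");
        }
        Element statement = (Element) statements.item(0);
        // getAttribute() returns "" for a missing attribute; hasAttribute() lets us return null,
        // so "absent" and "present but empty" are not confused further down the line.
        return statement.hasAttribute("SessionIndex") ? statement.getAttribute("SessionIndex") : null;
    }

    /** Before the fix: a mandatory-argument check applied to an optional attribute (what Reject.ifNull does). */
    static String requireSessionIndex(String sessionIndex) {
        if (sessionIndex == null) {
            throw new NullPointerException("SessionIndex is required");
        }
        return sessionIndex;
    }

    /** Session property store modelled on the trace in the report: ConcurrentHashMap rejects null values. */
    static final Map<String, String> SESSION_PROPERTIES = new ConcurrentHashMap<>();

    /** After the fix: only set the property when the IdP actually supplied an index. Returns whether it was stored. */
    static boolean setSessionIndexProperty(String sessionIndex) {
        if (sessionIndex == null) {
            return false; // SLO is simply not available for this session, which the spec allows
        }
        SESSION_PROPERTIES.put("SessionIndex", sessionIndex); // hypothetical property name
        return true;
    }

    public static void main(String[] args) throws Exception {
        String present = parseSessionIndex(ASSERTION_WITH_INDEX);
        String absent = parseSessionIndex(ASSERTION_WITHOUT_INDEX);
        System.out.println("with index:    " + present + " -> stored=" + setSessionIndexProperty(present));
        System.out.println("without index: " + absent + " -> stored=" + setSessionIndexProperty(absent));

        try {
            requireSessionIndex(absent); // first trace in the report: strict check on an optional value
        } catch (NullPointerException e) {
            System.out.println("before fix, strict check fails: " + e.getMessage());
        }
        try {
            SESSION_PROPERTIES.put("SessionIndex", absent); // second trace: null value into ConcurrentHashMap
        } catch (NullPointerException e) {
            System.out.println("before fix, ConcurrentHashMap.put(null) fails: " + e);
        }
    }
}
```

The point of returning null rather than an empty string from the parser is that the later guard has one clear condition to test; an SP that stored "" as the SessionIndex would later build LogoutRequests with an empty index instead of recognising that SLO is not possible for that session.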
Debugging
You can forcefully set sessionIndex to null at com.sun.identity.saml2.assertion.impl.AuthnStatementImpl.parseElement(AuthnStatementImpl.java:150).