Details
Major Description
Bug description
For some IDP that does not support SLO and hence the AuthnResponse does not have SessionIndex in their assertion. And according to SAML2 spec this is acceptable
SessionIndex [Optional] Specifies the index of a particular session between the principal identified by the subject and the authenticating authority.
Some examples of this is the Salesforce IDPs.
How to reproduce the issue
- Configure OpenAM as Hosted SP, and use AuthConsumer in ACS.
- Setup a Connect Application in Salesforce
- Export the IDP metadata from Salesforce
- Create a SAML authentication module in OpenAM
- Login in OpenAM with the above authentication module.
- You can force sessionIndex to non-existent by making the SP thinks there is no sessionindex in the response @ com.sun.identity.saml2.assertion.impl.AuthnStatementImpl.parseElement(AuthnStatementImpl.java:150) (thru a injecting debug)
Expected behaviour
SAML2 Auth module should work. Just that SLO is not possible
Current behaviour
Exception: java.lang.NullPointerException org.forgerock.util.Reject.ifNull(Reject.java:152) org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData.<init>(SAML2ResponseData.java:41) org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrl(SAML2Proxy.java:201) org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.processSamlResponse(SAML2Proxy.java:126) org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:113) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) javax.servlet.http.HttpServlet.service(HttpServlet.java:729) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340) javax.servlet.http.HttpServlet.service(HttpServlet.java:729) org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36) org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80) com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111) org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
Work around
Use the legacy Federation (non-integrated SAML2 version)
Code analysis
org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData.java
...org.forgerock.util.Reject.ifNull(Reject.java:152)
We should relax checking for null on this. If we fix this we also need to fix org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionProperties(SAML2.java:631) to avoid setting the property for SessionIdx as null. (put a null check condition). to avoid the below
javax.security.auth.login.LoginException: java.lang.NullPointerException
at java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011)
at java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:1006)
at com.iplanet.dpro.session.service.InternalSession.internalPutProperty(InternalSession.java:861)
at com.iplanet.dpro.session.service.InternalSession.putProperty(InternalSession.java:822)
at com.sun.identity.authentication.spi.AMLoginModule.setUserSessionProperty(AMLoginModule.java:1713)
at org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionProperties(SAML2.java:631)
at org.forgerock.openam.authentication.modules.saml2.SAML2.success(SAML2.java:508)
Debugging
You can focefully set sessionIndex to null at com.sun.identity.saml2.assertion.impl.AuthnStatementImpl.parseElement(AuthnStatementImpl.java:150)