OpenAM / OPENAM-11968

SAML2 Auth Module does not accept SAML2 AuthResponse with no SessionIndex

    Details

    • Sprint:
      AM Sustaining Sprint 44
    • Story Points:
      2
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      Some IdPs do not support SLO, and hence their AuthnResponse does not have a SessionIndex in the assertion. According to the SAML2 spec this is acceptable:

      SessionIndex [Optional]
      Specifies the index of a particular session between the principal identified by the subject and the authenticating authority.
      

      Examples of this are the Salesforce IdPs.

      How to reproduce the issue

      1. Configure OpenAM as a Hosted SP, and use AuthConsumer in the ACS.
      2. Set up a Connected Application in Salesforce.
      3. Export the IdP metadata from Salesforce.
      4. Create a SAML authentication module in OpenAM.
      5. Log in to OpenAM with the above authentication module.
      • You can force a non-existent sessionIndex by making the SP think there is no SessionIndex in the response at com.sun.identity.saml2.assertion.impl.AuthnStatementImpl.parseElement(AuthnStatementImpl.java:150) (by injecting it through a debugger).
      Expected behaviour
      The SAML2 Auth module should work; just that SLO is not possible.
      
      Current behaviour
      Exception:
      
      java.lang.NullPointerException
      	org.forgerock.util.Reject.ifNull(Reject.java:152)
      	org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData.<init>(SAML2ResponseData.java:41)
      	org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrl(SAML2Proxy.java:201)
      	org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.processSamlResponse(SAML2Proxy.java:126)
      	org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:113)
      	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
      	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
      	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
      	org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
      

      Workaround

      Use the legacy Federation (non-integrated SAML2 version)

      Code analysis

      org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData.java
      ...org.forgerock.util.Reject.ifNull(Reject.java:152)
      

      We should relax the null check on this. If we fix this we also need to fix org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionProperties(SAML2.java:631) to avoid setting the SessionIdx property to null (add a null check condition), to avoid the below:

      javax.security.auth.login.LoginException: java.lang.NullPointerException
              at java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011)
              at java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:1006)
              at com.iplanet.dpro.session.service.InternalSession.internalPutProperty(InternalSession.java:861)
              at com.iplanet.dpro.session.service.InternalSession.putProperty(InternalSession.java:822)
              at com.sun.identity.authentication.spi.AMLoginModule.setUserSessionProperty(AMLoginModule.java:1713)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionProperties(SAML2.java:631)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.success(SAML2.java:508)
      

      Debugging
      You can forcefully set sessionIndex to null at com.sun.identity.saml2.assertion.impl.AuthnStatementImpl.parseElement(AuthnStatementImpl.java:150)
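
      Added illustration (not OpenAM's code, and not part of the original ticket text) of the two changes the code analysis above asks for: a response-data holder that tolerates a missing SessionIndex instead of rejecting it with an ifNull-style check, and a session-property writer that only sets the SessionIdx property when the value is non-null, because ConcurrentHashMap.put throws NullPointerException on a null value (the second stack trace). The class name, the property names "NameID" and "SessionIdx", and the two sample assertions are constructed for the example and are not real Salesforce output; the DocumentBuilderFactory hardening is standard JAXP, included because an SP parses attacker-controllable XML.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Stand-alone demo (hypothetical names, not OpenAM code) of accepting an assertion without SessionIndex. */
public class OptionalSessionIndexDemo {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Stand-in for the ticket's SAML2ResponseData: the NameID is mandatory, the SessionIndex is not. */
    static final class ResponseData {
        final String nameId;
        final String sessionIndex; // null when the IdP omitted it (allowed by SAML 2.0 core)

        ResponseData(String nameId, String sessionIndex) {
            this.nameId = Objects.requireNonNull(nameId, "NameID is required");
            this.sessionIndex = sessionIndex; // deliberately no null check here
        }

        boolean singleLogoutPossible() { return sessionIndex != null; }
    }

    /** Hardened parser: no DOCTYPE, no external entities, no XInclude, so a crafted assertion cannot trigger XXE. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** Extracts the NameID and the optional SessionIndex of the first AuthnStatement. */
    static ResponseData extract(Document doc) {
        NodeList nameIds = doc.getElementsByTagNameNS(SAML_NS, "NameID");
        if (nameIds.getLength() == 0) throw new IllegalArgumentException("assertion has no NameID");
        String nameId = nameIds.item(0).getTextContent().trim();

        NodeList stmts = doc.getElementsByTagNameNS(SAML_NS, "AuthnStatement");
        if (stmts.getLength() == 0) throw new IllegalArgumentException("assertion has no AuthnStatement");
        Element stmt = (Element) stmts.item(0);
        // DOM returns "" (not null) for an absent attribute, so test presence explicitly.
        String sessionIndex = stmt.hasAttribute("SessionIndex") ? stmt.getAttribute("SessionIndex") : null;
        return new ResponseData(nameId, sessionIndex);
    }

    /** Stand-in for setSessionProperties: skips SessionIdx when absent, since ConcurrentHashMap rejects null values. */
    static void setSessionProperties(Map<String, String> session, ResponseData data) {
        session.put("NameID", data.nameId);               // hypothetical property name
        if (data.sessionIndex != null) {
            session.put("SessionIdx", data.sessionIndex); // hypothetical property name
        }
    }

    // Constructed sample assertions (not real IdP output): one with and one without SessionIndex.
    static final String WITH_INDEX = "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
        + "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        + "<saml:AuthnStatement AuthnInstant=\"2019-01-01T00:00:00Z\" SessionIndex=\"_abc123\"/>"
        + "</saml:Assertion>";
    static final String WITHOUT_INDEX = "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
        + "<saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>"
        + "<saml:AuthnStatement AuthnInstant=\"2019-01-01T00:00:00Z\"/>"
        + "</saml:Assertion>";

    public static void main(String[] args) throws Exception {
        for (String xml : new String[] { WITH_INDEX, WITHOUT_INDEX }) {
            ResponseData data = extract(parse(xml));
            Map<String, String> session = new ConcurrentHashMap<>();
            setSessionProperties(session, data);
            System.out.println(data.nameId + " -> session=" + session
                + " SLO possible: " + data.singleLogoutPossible());
        }
        // The failure mode behind the second stack trace: a null value written into a ConcurrentHashMap.
        try {
            new ConcurrentHashMap<String, String>().put("SessionIdx", null);
        } catch (NullPointerException e) {
            System.out.println("ConcurrentHashMap.put with a null value -> NullPointerException, as in the trace");
        }
    }
}
```

      The point of the explicit hasAttribute check is that a DOM-based parser cannot tell "absent" from "empty" via getAttribute alone; mapping absence to null (and then guarding the session write) is what lets login succeed while still recording that SLO is unavailable for that session.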

            People

            • Assignee:
              chee-weng.chea C-Weng C
              Reporter:
              chee-weng.chea C-Weng C
              QA Assignee:
              Filip Kubáň
            • Votes:
              0
              Watchers:
              3