OpenAM / OPENAM-12514

IdP initiated SSO - NumberFormatException is raised in session upgrade case

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0
    • Fix Version/s: 6.5.0, 6.0.1, 5.5.2
    • Component/s: SAML
    • Sprint:
      AM Sustaining Sprint 51, AM Sustaining Sprint 52
    • Story Points:
      2
    • Needs QA verification:
      No

      Description

      Bug description

      Federation debug log shows java.lang.NumberFormatException: For input string: "/:10"

      How to reproduce the issue

      1. Configure AM as hosted IdP
      2. Configure some remote SAML SP (e.g. sample app from Spring SAML security extension)
      3. Configure auth-chain 'dataStoreService' with DataStore auth module instance as required module
      4. Set auth level of DataStore auth module instance to '5'
      5. Set auth level of LDAP auth module instance to '10'
      6. Re-configure auth-chain 'ldapService' to use LDAP auth module (yeah that would make sense by default as a data store could be any implementation)
      7. Set admin-authenticator of root realm to 'dataStoreService'
      8. Perform service based auth for 'dataStoreService' (.../am/XUI/#login?realm=/&authIndexType=service&authIndexValue=dataStoreService)
      9. Authenticate as 'demo' user
      10. Perform session upgrade using 'ldapService' (.../am/XUI/#login?realm=/&authIndexType=service&authIndexValue=ldapService)
      11. Authenticate as 'demo' user
      12. Set debug level to 'message'
      13. Perform IdP-initiated SSO
      Expected behaviour
      No NumberFormatException should be raised
      
      Current behaviour
      Federation debug log shows java.lang.NumberFormatException: For input string: "/:10"
      

      Although IdP initiated SSO seems to work in general, the message is quite irritating.

      Potentially there are some side effects as well.

      excerpt from Federation debug log
      libSAML2:02/27/2018 09:32:05:259 PM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[9064b79a-8bc6-4485-9a4a-2ae1f733623f-1882]
      DefaultIDPAuthnContextMapper.getAuthnContextFromLevel: input authLevel is not valid.
      java.lang.NumberFormatException: For input string: "/:10"
      	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
      	at java.lang.Integer.parseInt(Integer.java:569)
      	at java.lang.Integer.parseInt(Integer.java:615)
      	at com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper.getAuthnContextFromAuthLevel(DefaultIDPAuthnContextMapper.java:206)
      	at com.sun.identity.saml2.profile.IDPSSOUtil.getAuthnStatement(IDPSSOUtil.java:1203)
      	at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(IDPSSOUtil.java:913)
      	at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(IDPSSOUtil.java:821)
      	at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:473)
      	at com.sun.identity.saml2.profile.IDPSSOUtil.doSSOFederate(IDPSSOUtil.java:370)
      	at com.sun.identity.saml2.profile.IDPSSOUtil.doSSOFederate(IDPSSOUtil.java:199)
      	at org.apache.jsp.saml2.jsp.idpSSOInit_jsp._jspService(idpSSOInit_jsp.java:192)
      	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
      	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
      	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
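
Added example (not OpenAM code and not the fix shipped for this issue): the logged value "/:10" looks like a realm-qualified auth level, i.e. root realm "/" plus the LDAP module level 10 from step 5; that "<realm>:<level>" format is an assumption drawn from the reproduction steps. The Java below reproduces the exception with a bare Integer.parseInt and contrasts it with a parser that accepts both forms; the class and method names are hypothetical.

```java
import java.util.OptionalInt;

public class AuthLevelParsing {

    // Mirrors what the stack trace shows: Integer.parseInt applied
    // directly to the auth level string taken from the session.
    static int naiveParse(String authLevel) {
        return Integer.parseInt(authLevel);
    }

    // Tolerant parser. Assumption: an upgraded session reports the level as
    // "<realm>:<level>" (e.g. "/:10"), a plain session as "<level>" (e.g. "5").
    // Returns empty instead of throwing, so the caller must decide explicitly
    // what an unknown level means rather than silently substituting one.
    static OptionalInt parseAuthLevel(String raw) {
        if (raw == null) {
            return OptionalInt.empty();
        }
        String value = raw.trim();
        int sep = value.lastIndexOf(':');           // realm part may be "/" or "/sub"
        String levelPart = sep >= 0 ? value.substring(sep + 1) : value;
        try {
            int level = Integer.parseInt(levelPart);
            return level >= 0 ? OptionalInt.of(level) : OptionalInt.empty();
        } catch (NumberFormatException e) {
            return OptionalInt.empty();             // "", "abc", "/:" and similar
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; only "/:10" appears in the log excerpt above.
        String[] samples = {"5", "/:10", "/customers:10", "/:", "abc", "-1", null};
        for (String s : samples) {
            String naive;
            try {
                naive = String.valueOf(naiveParse(s));
            } catch (NumberFormatException e) {
                naive = "NumberFormatException";
            }
            OptionalInt parsed = parseAuthLevel(s);
            System.out.printf("%-16s naive=%-22s tolerant=%s%n",
                    s, naive, parsed.isPresent() ? parsed.getAsInt() : "empty");
        }
    }
}
```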
      

              People

              • Assignee:
                sfraser Sam Fraser
                Reporter:
                bthalmayr Bernhard Thalmayr