
SAML2 IDP initiated SSO with HTTP-POST binding fails if certificate is not defined

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.0.0
    • Fix Version/s: None
    • Component/s: SAML
    • Labels:

      Description

      Bug description

      When SAML2 IdP initiated SSO is used with HTTP-POST binding, HTTP code 400 is observed with the following message:

      HTTP Status 400 - Error processing AuthnRequest. The private key was null.


      libSAML2:05/02/2018 11:09:22:975 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[86ccb8b5-a8a7-4468-9c56-7aff67279478-30945]
      ERROR: FMSigProvider.sign: The private key was null.
      libSAML2:05/02/2018 11:09:22:975 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[86ccb8b5-a8a7-4468-9c56-7aff67279478-30945]
      ERROR: Error processing request
      com.sun.identity.saml2.common.SAML2Exception: The private key was null.
      at com.sun.identity.saml2.xmlsig.FMSigProvider.sign(FMSigProvider.java:139)
      at com.sun.identity.saml2.assertion.impl.AssertionImpl.sign(AssertionImpl.java:691)
      at com.sun.identity.saml2.profile.IDPSSOUtil.signAssertion(IDPSSOUtil.java:2500)
      at com.sun.identity.saml2.profile.IDPSSOUtil.signAndEncryptResponseComponents(IDPSSOUtil.java:2576)
      at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponse(IDPSSOUtil.java:729)
      at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:523)
      at com.sun.identity.saml2.profile.IDPSSOUtil.doSSOFederate(IDPSSOUtil.java:364)
      at com.sun.identity.saml2.profile.IDPSSOUtil.doSSOFederate(IDPSSOUtil.java:199)
      at org.apache.jsp.saml2.jsp.idpSSOInit_jsp._jspService(idpSSOInit_jsp.java:192)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443)
      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:112)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
      at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783)
      at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:789)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
      at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.lang.Thread.run(Thread.java:745)


      How to reproduce the issue

      1. install two AM instances
      2. configure the first one as hosted IdP without specifying the certificate name
      3. configure the second one as hosted SP in a different domain without specifying the certificate name
      4. import the metadata from IdP to SP, and vice versa
      5. add both instances to the circle of trust (to be performed on both IdP and SP)
      6. hit the IdP initiated SSO URL using HTTP-POST binding, for example: http://idp.example.com:8080/openam/idpssoinit?metaAlias=/idp&spEntityID=sp_instance&binding=HTTP-POST

      Expected behaviour
      SSO established

      Current behaviour
      HTTP Status 400 - Error processing AuthnRequest. The private key was null.
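Added example (not part of the report and not OpenAM code): the two checks a practitioner would run around step 6 of the reproduction. On the IdP side, a metadata inspection that fails the setup before SSO is attempted when the IDPSSODescriptor advertises no signing certificate; on the SP side, a presence check on the SAMLResponse form field of the HTTP-POST binding, which matters because an IdP that did not fail closed the way this one does would hand the SP an unsigned assertion. The entity ID is taken from the URL in the report; the metadata and response bodies, the SSO Location, the IDs and the certificate value are constructed placeholders, and the signature check is structural only (no cryptographic verification).

```python
"""Added example (not OpenAM code): pre-flight checks for SAML2 HTTP-POST SSO.
All metadata and responses below are constructed samples; the signature
elements are stubs, so this checks presence, not validity."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
IDP_ENTITY_ID = "http://idp.example.com:8080/openam"   # assumed from the report's URL
CERT_PLACEHOLDER = "QkVHSU4gQ09OU1RSVUNURUQgQ0VSVA=="  # base64 of "BEGIN CONSTRUCTED CERT"


def idp_metadata(with_signing_cert: bool) -> str:
    """Constructed IdP metadata. with_signing_cert=False models an IdP set up with no
    certificate alias: it has nothing to publish, so no usable KeyDescriptor appears."""
    key_descriptor = f"""
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_PLACEHOLDER}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>""" if with_signing_cert else ""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">{key_descriptor}
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="{IDP_ENTITY_ID}/SSOPOST/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs(metadata_xml: str, role: str = "IDPSSODescriptor") -> list:
    """Certificates the given role may sign with. A KeyDescriptor with no 'use'
    attribute is valid for both signing and encryption, so it counts too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(f".//md:{role}/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            value = "".join((cert.text or "").split())  # drop PEM-style line wrapping
            if value:
                certs.append(value)
    return certs


def metadata_problems(metadata_xml: str) -> list:
    """Run this on the IdP metadata before step 6: without a signing certificate the
    IdP cannot produce the signed assertion the HTTP-POST binding requires."""
    problems = []
    if not signing_certs(metadata_xml):
        problems.append("IDPSSODescriptor has no usable signing certificate")
    return problems


SIG_STUB = f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo/></ds:Signature>'


def build_post_response(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed samlp:Response, base64-encoded like the SAMLResponse form field of
    the HTTP-POST binding. The ds:Signature elements are structural stubs only."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2018-05-02T10:09:22Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  {SIG_STUB if sign_response else ""}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-02T10:09:22Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    {SIG_STUB if sign_assertion else ""}
    <saml:Subject><saml:NameID>demo</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def signature_status(saml_response_b64: str) -> dict:
    """SP-side presence check on a decoded SAMLResponse. Encrypted assertions are only
    counted; they must be decrypted before their inner signature can be inspected."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": len(assertions),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "assertions_signed": bool(assertions)
        and all(a.find("ds:Signature", NS) is not None for a in assertions),
    }


def sp_should_accept(status: dict) -> bool:
    """The Web Browser SSO profile requires each assertion to be signed when the
    HTTP-POST binding is used; a signed Response wrapper alone is not accepted here."""
    return status["assertions_signed"]


if __name__ == "__main__":
    for label, md in (("with cert", idp_metadata(True)), ("no cert", idp_metadata(False))):
        print(label, "->", metadata_problems(md) or "ok")
    print(signature_status(build_post_response(False, False)))
```

The 400 in this report is the IdP refusing to emit an unsigned assertion rather than sending one, which is the safe side of the failure. The SP-side check is what stops an unsigned assertion from being accepted when a different IdP does send one; it is a structural check and does not replace cryptographic validation of the signature against the certificate imported from the IdP metadata in step 4.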


      People

      • Assignee: Unassigned
      • Reporter: Nemanja Lukic