OpenAM / OPENAM-13079

Import SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor fails

    Details

    • Sprint:
      AM Sustaining Sprint 51
    • Story Points:
      3
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      SAML2 metadata that has the namespace "xmlns:query" declared at the root element may not work for the RoleDescriptor element. When such metadata is loaded, the following exception may occur (this example uses "ssoadm.jsp"):

      java.lang.NullPointerException
      	com.sun.identity.saml2.meta.SAML2MetaUtils.workaroundAbstractRoleDescriptor(SAML2MetaUtils.java:781)
      	com.sun.identity.saml2.meta.SAML2MetaUtils.preProcessSAML2Document(SAML2MetaUtils.java:677)
      	com.sun.identity.saml2.meta.SAML2MetaUtils.importSAML2Document(SAML2MetaUtils.java:653)
      	com.sun.identity.federation.cli.ImportMetaData.importSAML2Metadata(ImportMetaData.java:419)
      	com.sun.identity.federation.cli.ImportMetaData.handleSAML2Request(ImportMetaData.java:225)
      	com.sun.identity.federation.cli.ImportMetaData.handleRequest(ImportMetaData.java:143)
      	com.sun.identity.cli.SubCommand.execute(SubCommand.java:296)
      	com.sun.identity.cli.CLIRequest.process(CLIRequest.java:217)
      	com.sun.identity.cli.CLIRequest.process(CLIRequest.java:139)
      	com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:576)
      	com.sun.identity.cli.WebCLIHelper.processRequest(WebCLIHelper.java:151)
      	com.sun.identity.cli.WebCLIHelper.getHTML(WebCLIHelper.java:92)
      	org.apache.jsp.ssoadm_jsp._jspService(ssoadm_jsp.java:289)
      	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
      	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
      	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      	org.forgerock.openam.audit.servlet.AuditAccessServletFilter.doFilter(AuditAccessServletFilter.java:62)
      

      The above may appear in catalina.out (for ssoadm.jsp).

      Note that all the earlier examples, such as the fedlet metadata, always declare the namespace attribute xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" directly on their RoleDescriptor element, so this issue is not seen there.
       

      How to reproduce the issue

      A simplified example uses the following metadata:

      <EntityDescriptor entityID="TEST" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" >
          <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/ArtifactResolver/metaAlias/"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloRedirect/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPSloRedirect/metaAlias/"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloPOST/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPSloPOST/metaAlias/"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloSoap/metaAlias/"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniRedirect/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPMniRedirect/metaAlias/"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniPOST/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPMniPOST/metaAlias/"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniSoap/metaAlias/"/>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/SSORedirect/metaAlias/"/>
              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/SSOPOST/metaAlias/"/>
              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/SSOSoap/metaAlias/"/>
              <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/NIMSoap/metaAlias/"/>
              <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqSoap/IDPRole/metaAlias/"/>
              <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqUri/IDPRole/metaAlias/"/>
          </IDPSSODescriptor>
          <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AttributeServiceSoap/default/metaAlias/attra"/>
              <AttributeService ns1:supportsX509Query="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AttributeServiceSoap/x509Subject/metaAlias/attra" xmlns:ns1="urn:oasis:names:tc:SAML:metadata:X509:query"/>
              <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqSoap/AttrAuthRole/metaAlias/attra"/>
              <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqUri/AttrAuthRole/metaAlias/attra"/>
              <AttributeProfile>urn:oasis:names:tc:SAML:2.0:profiles:attribute:basic</AttributeProfile>
          </AttributeAuthorityDescriptor>
          <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" >
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
          </RoleDescriptor>
      </EntityDescriptor>
      

      Some SAML2 providers, such as OracleCloud, are known to publish metadata like this:

      <?xml version="1.0"?>
      <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdext="urn:oasis:names:tc:SAML:metadata:extension" xmlns:ns10="urn:oasis:names:tc:SAML:profiles:v1metadata" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="xxxxxxxx" cacheDuration="P30DT0H0M0S" entityID="....." validUntil="2027-09-20T16:48:35Z">
        <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      

      and so the problem may be seen there.

      Steps to reproduce:

      1. Import the above SAML2 metadata
      2. Observe the failure

      Expected behaviour

      Import should work.

      Current behaviour

      Import fails: either no error is reported but no entry is created, or the NullPointerException above appears in catalina.out.
      

      Work around

      Observe that the <RoleDescriptor> element seems not to be able to resolve the namespace xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" declared on the root. The workaround is to add this namespace attribute to the RoleDescriptor element itself:

      <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
          xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" >
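The workaround above can be applied automatically before metadata is handed to ssoadm. The following helper is an added example, not OpenAM code: it parses the metadata with Python's standard minidom (which keeps xmlns:* declarations as attributes), finds every RoleDescriptor whose xsi:type prefix is declared only on an ancestor, and re-declares that prefix on the element itself. SAMPLE is a constructed, cut-down copy of the reproduction metadata above.

```python
import xml.dom.minidom as minidom

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XMLNS_NS = "http://www.w3.org/2000/xmlns/"  # namespace of xmlns:* declarations

# Constructed, cut-down copy of the ticket's reproduction metadata: xmlns:query
# is declared on the root only, while xsi:type on RoleDescriptor relies on it.
SAMPLE = """<EntityDescriptor entityID="TEST" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="query:AttributeQueryDescriptorType"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  </RoleDescriptor>
</EntityDescriptor>"""

def resolve_prefix(elem, prefix):
    """Walk the ancestor chain for the URI bound to prefix; None if undeclared.
    minidom keeps xmlns:* declarations as attributes in the XMLNS_NS namespace."""
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        uri = node.getAttributeNS(XMLNS_NS, prefix)
        if uri:
            return uri
        node = node.parentNode
    return None

def scan(doc):
    """Yield (element, prefix, uri) for each RoleDescriptor whose xsi:type prefix
    is not declared on the element itself; uri is None if declared nowhere."""
    for rd in doc.getElementsByTagNameNS(MD_NS, "RoleDescriptor"):
        prefix, sep, _ = rd.getAttributeNS(XSI_NS, "type").partition(":")
        if sep and not rd.getAttributeNS(XMLNS_NS, prefix):
            yield rd, prefix, resolve_prefix(rd, prefix)

def audit(xml_text):
    """Report-only mode: [(prefix, uri), ...] for each problem scan() finds."""
    return [(p, u) for _, p, u in scan(minidom.parseString(xml_text))]

def localise_xsi_type_namespaces(xml_text):
    """Apply the workaround (declare the prefix on the RoleDescriptor); return (xml, n)."""
    doc = minidom.parseString(xml_text)
    count = 0
    for rd, prefix, uri in list(scan(doc)):
        if uri is None:
            raise ValueError(f"xsi:type uses undeclared prefix {prefix!r}")
        rd.setAttributeNS(XMLNS_NS, "xmlns:" + prefix, uri)
        count += 1
    return doc.documentElement.toxml(), count
```

Metadata whose xsi:type prefix is declared nowhere is rejected rather than patched, since no correct namespace URI can be inferred for it.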
      

      Code analysis


      SAML2MetaUtils.java
      ... Cannot create the xml ....
      

      People

      • Assignee: chee-weng.chea C-Weng C
      • Reporter: chee-weng.chea C-Weng C
      • Votes: 0
      • Watchers: 2
