- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 13.5.1, 14.0.0, 14.1.1, 14.5.0, 5.5.1
- Labels:
- Sprint: AM Sustaining Sprint 51
- Story Points: 3
- Support Ticket IDs:
- Verified Version/s:
- Needs QA verification: Yes
- Functional tests: No
- Are the reproduction steps defined?: Yes, and I used the same as in the description
Bug description
SAML2 metadata that has the namespace "xmlns:query" declared on the root element may not work for the RoleDescriptor element. When such metadata is loaded, the following exception may occur (this is using "ssoadm.jsp"):
    java.lang.NullPointerException
    com.sun.identity.saml2.meta.SAML2MetaUtils.workaroundAbstractRoleDescriptor(SAML2MetaUtils.java:781)
    com.sun.identity.saml2.meta.SAML2MetaUtils.preProcessSAML2Document(SAML2MetaUtils.java:677)
    com.sun.identity.saml2.meta.SAML2MetaUtils.importSAML2Document(SAML2MetaUtils.java:653)
    com.sun.identity.federation.cli.ImportMetaData.importSAML2Metadata(ImportMetaData.java:419)
    com.sun.identity.federation.cli.ImportMetaData.handleSAML2Request(ImportMetaData.java:225)
    com.sun.identity.federation.cli.ImportMetaData.handleRequest(ImportMetaData.java:143)
    com.sun.identity.cli.SubCommand.execute(SubCommand.java:296)
    com.sun.identity.cli.CLIRequest.process(CLIRequest.java:217)
    com.sun.identity.cli.CLIRequest.process(CLIRequest.java:139)
    com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:576)
    com.sun.identity.cli.WebCLIHelper.processRequest(WebCLIHelper.java:151)
    com.sun.identity.cli.WebCLIHelper.getHTML(WebCLIHelper.java:92)
    org.apache.jsp.ssoadm_jsp._jspService(ssoadm_jsp.java:289)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
    org.forgerock.openam.audit.servlet.AuditAccessServletFilter.doFilter(AuditAccessServletFilter.java:62)
The above may appear in catalina.out (for ssoadm.jsp).
All the previous examples, such as the fedlet, always carry the namespace attribute xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" on the RoleDescriptor element itself, so this issue is not seen with them.
How to reproduce the issue
A simplified example uses the following metadata:
<EntityDescriptor entityID="TEST" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query">
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/ArtifactResolver/metaAlias/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloRedirect/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPSloRedirect/metaAlias/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloPOST/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPSloPOST/metaAlias/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloSoap/metaAlias/"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniRedirect/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPMniRedirect/metaAlias/"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniPOST/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPMniPOST/metaAlias/"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniSoap/metaAlias/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/SSORedirect/metaAlias/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/SSOPOST/metaAlias/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/SSOSoap/metaAlias/"/>
    <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/NIMSoap/metaAlias/"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqSoap/IDPRole/metaAlias/"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqUri/IDPRole/metaAlias/"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AttributeServiceSoap/default/metaAlias/attra"/>
    <AttributeService ns1:supportsX509Query="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AttributeServiceSoap/x509Subject/metaAlias/attra" xmlns:ns1="urn:oasis:names:tc:SAML:metadata:X509:query"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqSoap/AttrAuthRole/metaAlias/attra"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqUri/AttrAuthRole/metaAlias/attra"/>
    <AttributeProfile>urn:oasis:names:tc:SAML:2.0:profiles:attribute:basic</AttributeProfile>
  </AttributeAuthorityDescriptor>
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
  </RoleDescriptor>
</EntityDescriptor>
Some SAML2 providers, such as OracleCloud, are known to publish metadata that declares the namespace on the root element, for example:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdext="urn:oasis:names:tc:SAML:metadata:extension" xmlns:ns10="urn:oasis:names:tc:SAML:profiles:v1metadata"
    xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="xxxxxxxx" cacheDuration="P30DT0H0M0S" entityID="....." validUntil="2027-09-20T16:48:35Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
so the problem may be seen with such metadata as well.
Steps to reproduce:
- Import the above SAML2 metadata
- Observe the failure
Expected behaviour
Import should work
Current behaviour
Import fails: either the exception above is thrown, or no error is reported but no entry is created.
Work around
Observe that the <RoleDescriptor> element seems unable to resolve the namespace xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" declared on the root. The workaround is therefore to add this namespace attribute to the RoleDescriptor element itself:
<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" >
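As an added example (not OpenAM code), the following Python uses the standard-library DOM to show how a root-level declaration is missed when only the RoleDescriptor element's own attributes are consulted, and applies the workaround above by copying the xmlns:query declaration onto each affected RoleDescriptor. The sample metadata is a constructed, trimmed version of the reproduction metadata; that the failing lookup inspects only the element itself is an assumption inferred from the symptom, not taken from the OpenAM source.

```python
from xml.dom import minidom, XMLNS_NAMESPACE

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed, trimmed-down metadata in the shape of the reproduction case:
# xmlns:query is declared on the root only, not on the RoleDescriptor.
SAMPLE = """<EntityDescriptor entityID="TEST"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="query:AttributeQueryDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

def local_prefix_uri(elem, prefix):
    """Declaration on this element only. Assumed to mirror the failing lookup:
    a root-level xmlns:query is invisible from the RoleDescriptor."""
    return elem.getAttributeNS(XMLNS_NAMESPACE, prefix) or None

def in_scope_prefix_uri(node, prefix):
    """Correct XML namespace scoping: consult the element, then its ancestors."""
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        uri = local_prefix_uri(node, prefix)
        if uri:
            return uri
        node = node.parentNode
    return None

def diagnose(doc):
    """(element, prefix, uri) for RoleDescriptors whose xsi:type prefix is
    declared only on an ancestor, i.e. the pattern this report describes."""
    found = []
    for rd in doc.getElementsByTagNameNS(MD_NS, "RoleDescriptor"):
        prefix, _, _ = rd.getAttributeNS(XSI_NS, "type").rpartition(":")
        if prefix and local_prefix_uri(rd, prefix) is None:
            uri = in_scope_prefix_uri(rd, prefix)
            if uri:
                found.append((rd, prefix, uri))
    return found

def apply_workaround(xml_text):
    """Copy the ancestor's declaration onto each affected RoleDescriptor (the
    workaround above); returns (fixed XML, list of patched prefixes)."""
    doc = minidom.parseString(xml_text)
    patched = diagnose(doc)
    for rd, prefix, uri in patched:
        rd.setAttributeNS(XMLNS_NAMESPACE, "xmlns:" + prefix, uri)
    return doc.toxml(), [prefix for _, prefix, _ in patched]
```

Running `apply_workaround(SAMPLE)` reports the `query` prefix as patched and returns metadata whose RoleDescriptor now carries its own xmlns:query declaration, so a second pass finds nothing left to fix.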
Code analysis
... Cannot create the xml ....