OpenAM issue OPENAM-14234

NullPointerException in SP-initiated SSO if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned'


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2, 6.5.2
    • Fix Version/s: None
    • Component/s: SAML

      Description

      Bug description

      When the IDPSSODescriptor does not include the optional attribute 'WantAuthnRequestsSigned', the IdP entity cannot be used by AM, e.g. when performing SP-initiated SSO. (The SAML 2.0 metadata schema makes this attribute optional with a default of false, so a missing attribute should be treated as 'false' rather than as an error.)

      How to reproduce the issue


      1. Configure AM
      2. Create Hosted SP via console dashboard task
      3. Register remote IdP via console dashboard task, IdP-URL: 'https://idp-test.feide.no/simplesaml/saml2/idp/metadata.php'
      4. Try to view IdP entity (https://idp-test.feide.no)
      Expected behaviour
      SP-initiated SSO should be triggered
      
      Current behaviour
      HTTP Status 400 – Bad Request is shown
      
      Excerpt from the Federation debug log of AM 6.5.0:

      libSAML2:01/07/2019 02:13:27:359 PM CET: Thread[http-nio-8080-exec-8,5,main]: TransactionId[1f2546d8-9f84-48e3-834e-b2f314c96597-1788285]
      ERROR: Error processing Request
      java.lang.NullPointerException
          at com.sun.identity.saml2.profile.SPSSOFederate.getRedirect(SPSSOFederate.java:381)
          at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:311)
          at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:156)
          at org.apache.jsp.saml2.jsp.spSSOInit_jsp._jspService(spSSOInit_jsp.java:213)
          at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
          at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443)
          at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
          at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.forgerock.openam.services.datastore.DataStoreConsistencyFilter.lambda$doFilter$0(DataStoreConsistencyFilter.java:46)
          at org.forgerock.openam.service.datastore.ReentrantVolatileActionConsistencyController.safeExecute(ReentrantVolatileActionConsistencyController.java:37)
          at org.forgerock.openam.services.datastore.DataStoreConsistencyFilter.doFilter(DataStoreConsistencyFilter.java:46)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)


      Workaround

      1. Export the IdP entity metadata via 'ssoadm export-entity ...'
      2. Update the IDPSSODescriptor to include the attribute WantAuthnRequestsSigned="false"
      3. Delete the entity via 'ssoadm delete-entity ...'
      4. Re-import the entity metadata via 'ssoadm ...'
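      The metadata edit in step 2 of the workaround, done as a script rather than by hand. This is an added example for this ticket, not code from OpenAM or from the bug report; the function and constant names, and the sample metadata it patches when run without an argument, are constructed here (the sample is a minimal IdP descriptor in the shape the report describes, not the real feide.no metadata). It adds WantAuthnRequestsSigned="false" to every IDPSSODescriptor that lacks the attribute, which matches the schema default for an absent attribute; if the IdP actually requires signed AuthnRequests, pass value=True instead. It also flags an enveloped XML signature on the EntityDescriptor, because editing a signed export invalidates that signature and the file would have to be re-signed (or imported without signature verification) before the ssoadm round trip.

```python
"""Patch SAML 2.0 IdP metadata so every IDPSSODescriptor carries WantAuthnRequestsSigned.

Added example for this ticket; not part of OpenAM or of the bug report.
Usage: python patch_idp_metadata.py exported-idp-meta.xml > patched-idp-meta.xml
(with no argument it patches the constructed sample below and prints the result).
"""
import sys
from typing import List, Tuple
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
IDP_DESCRIPTOR = f"{{{MD_NS}}}IDPSSODescriptor"
SIGNATURE = f"{{{DS_NS}}}Signature"
ATTR = "WantAuthnRequestsSigned"

# Keep the usual prefixes so the re-imported file looks like the exported one.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample input (assumption, not real metadata): a minimal IdP descriptor
# that lacks the optional attribute, which is exactly the case that trips the NPE.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def wants_signed_authn_requests(descriptor: ET.Element) -> bool:
    """Read the flag the way the SAML 2.0 metadata schema defines it:
    the attribute is optional and an absent value means 'false'.
    xs:boolean also allows '1'/'0', so both spellings are accepted."""
    return descriptor.get(ATTR, "false").strip().lower() in ("true", "1")


def descriptor_flags(xml_text: str) -> List[bool]:
    """Effective WantAuthnRequestsSigned value of every IDPSSODescriptor in the document."""
    return [wants_signed_authn_requests(d) for d in ET.fromstring(xml_text).iter(IDP_DESCRIPTOR)]


def has_enveloped_signature(xml_text: str) -> bool:
    """True if the EntityDescriptor carries a ds:Signature as a direct child.
    Any edit to a signed document invalidates that signature."""
    return ET.fromstring(xml_text).find(SIGNATURE) is not None


def patch_metadata(xml_text: str, value: bool = False) -> Tuple[str, int]:
    """Return (patched XML, number of descriptors changed).
    Only descriptors without the attribute are touched; an explicit value is left alone."""
    root = ET.fromstring(xml_text)
    changed = 0
    for desc in root.iter(IDP_DESCRIPTOR):
        if desc.get(ATTR) is None:
            desc.set(ATTR, "true" if value else "false")
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    if has_enveloped_signature(text):
        print("warning: metadata is signed; this edit invalidates the signature", file=sys.stderr)
    patched, n = patch_metadata(text)
    print(f"patched {n} IDPSSODescriptor element(s)", file=sys.stderr)
    print(patched)
```

      Run it on the file produced by step 1, feed the output to the import in step 4, and leave descriptors that already state a value alone: the script only fills in the missing attribute and is idempotent, so running it twice changes nothing on the second pass.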

              People

              Assignee: Unassigned
              Reporter: bthalmayr (Bernhard Thalmayr)