OpenAM / OPENAM-14786

idpSingleLogoutPOST throws error 500 IllegalStateException on SLO


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.0, 6.5.1, 7.0.0
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: SAML
    • Sprint:
      AM Sustaining Sprint 62
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description


      Bug description

      When performing a SAML SP initiated SLO in a multi-protocol SLO, the IdP returns error 500. Web container logs indicate 'java.lang.IllegalStateException: Cannot forward after response has been committed' for idpSingleLogoutRedirect.jsp.

      This is a duplicate of OPENAM-11225 in terms of symptoms, but failing at a different place within the jsp.

      How to reproduce the issue

      Have not been able to reproduce internally.  The following steps are those used to replicate OPENAM-14539 and create a test environment where OPENAM-11225 was also reproduced.


      Set up 4 AM instances, 7.0.0 snapshot, running in Tomcat, accessed over http:

      1. IdP: idp.amtest2.com:9080 (cookie domain of idp.amtest2.com), port ranges of 59xxx
      2. SAML SP 1: sp.amtest2.com (sp.amtest2.com), port ranges of 57xxx
      3. SAML SP 2: sp.amtest2.com (openam2.amtest2.com), port ranges of 54xxx
      4. WS-Fed SP: openam.amtest2.com (openam.amtest2.com), port ranges of 50xxx

      SAML SSO configuration:

      1. In IdP, created a hosted IdP in top level realm, cot test_idp, signing key test and attribute mapping of mail -> mail.
      2. In SAML SP: created a hosted SP in top level realm, cot test_sp.  
      3. In SAML SP, created a remote IdP, using metadata url of http://idp.amtest2.com:9080/access/saml2/jsp/exportmetadata.jsp.
      4. In SAML IdP, created a remote SP, using attribute mapping of mail -> mail, using metadata url of: http://sp.amtest2.com:7080/access/saml2/jsp/exportmetadata.jsp.
      5. In SAML SP, edited hosted SP and set auto federation enabled, and attribute to be mail. Set top level realm, Authentication settings -> User profile to be dynamic.
      6. In IdP, for top level realm user demo, edited this and set an email address of demo@amtest2.com.
      7. Verified that an SP initiated SAML SSO succeeded: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp . I was redirected to IdP, logged in as demo user and then saw 'Single sign-on succeeded' on SP.
      8. Repeated steps 2 to 7 for the second SP, openam2.amtest2.com.

      WS-Fed configuration:

      1. On WS-Fed SP, in Admin console, navigated to top level realm, Federation and Legacy view.  Clicked New Entity, chose WS-Fed and then set /wsfedsp as the Entity Identifier and wsfedsp as the Service Provider -> Meta alias.  Clicked create.  Edited the resulting entity and set SP -> Attribute mapper to be *=.*  Unchecked Assertion signed.  Created COT test_sp and added the entity to this.
      2. On IdP, repeated above to create WS-Fed entity of /wsfedidp as the Entity Identifier and wsfedidp as the Identity Provider -> Meta Alias.  Added this to the existing test_idp COT.
      3. Installed ssoadm AM-SSOAdminTools- and configured to communicate with WS-Fed SP instance.  
      4. Repeated the above step to install ssoadm and configure to communicate with the IdP instance.
      5. Using ssoadm, exported the existing wsfedsp entity from the WS-Fed SP: access/bin/ssoadm export-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -y /wsfedsp -c wsfed -m /tmp/SP_standard.xml -x /tmp/SP_extended.xml.
      6. Edited the extended metadata file exported, to change 'hosted="true"' to 'hosted="false"'. Also changed the COT name from test_sp to test_idp.
      7. Using ssoadm for the IdP instance, repeated the above to export the WS-Fed IdP metadata: access/bin/ssoadm export-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -y /wsfedidp -c wsfed -m /tmp/IdP_standard.xml -x /tmp/IdP_extended.xml.
      8. From ssoadm instance for WS-Fed SP, imported metadata for remote WS-Fed IdP (ssoadm or later is needed for this to succeed): access/bin/ssoadm import-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -t test_sp -c wsfed -m /tmp/IdP_standard.xml -x /tmp/IdP_extended.xml
      9. From ssoadm instance for IdP, import the remote WS-Fed entities: access/bin/ssoadm import-entity -u amadmin -f /opt/ssoadm_5.5.1/passwd.txt -v -e / -t test_idp -c wsfed -m /tmp/SP_standard.xml -x /tmp/SP_extended.xml
      10. Tested WS-Fed SP initiated SSO: http://openam.amtest2.com:8080/access/WSFederationServlet/metaAlias/wsfedsp?goto=http://openam.amtest2.com:8080/access

      Issue reproduction:

      1. Perform a WS-Fed SSO: http://openam.amtest2.com:8080/access/WSFederationServlet/metaAlias/wsfedsp?goto=http://openam.amtest2.com:8080/access
      2. In separate tab, same browser (so same session can be shared), perform SAML SSO: http://sp.amtest2.com:7080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
      3. In a third tab, perform SAML SSO from second SP: http://openam2.amtest2.com:4080/access/saml2/jsp/spSSOInit.jsp?idpEntityID=http://idp.amtest2.com:9080/access&metaAlias=/sp
      4. Then in browser tab for first SAML SP above, perform SP initiated SLO using POST binding: http://sp.amtest2.com:7080/access/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=http%3A%2F%2Fidp.amtest2.com%3A9080%2Faccess&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

      Expected behaviour

      End user should see message 'SP initiated single logout succeeded'.

      Current behaviour

      In AM 5.5.1, the customer reported seeing error 500, with the container log file showing:
      Caused by: java.lang.IllegalStateException: Cannot forward after response has been committed
      	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:328)
      	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:318)
      	at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:741)
      	at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:711)
      	at org.apache.jsp.saml2.jsp.idpSingleLogoutPOST_jsp._jspService(idpSingleLogoutPOST_jsp.java:188)

      Work around


      Code analysis

      Similar fix as for OPENAM-11225 and OPENAM-14740 but related to using the POST binding, not redirect.
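
A triage helper for the trace above, as an added example that is not part of the original issue or of OpenAM: because this issue and OPENAM-11225 share the same exception, it scans a container log for that message and reports which saml2 JSP raised it. The function name and the second and third sample traces are constructed for illustration.

```python
import re
from collections import Counter

# Exception message from the Tomcat trace quoted in this issue.
MARKER = "Cannot forward after response has been committed"
# Jasper compiles saml2/jsp/<name>.jsp into class org.apache.jsp.saml2.jsp.<name>_jsp.
JSP_FRAME = re.compile(
    r"^\s*at org\.apache\.jsp\.saml2\.jsp\.(\w+)_jsp\._jspService\(\w+\.java:(\d+)\)")
ANY_FRAME = re.compile(r"^\s*at\s")

# First trace is the one quoted in this issue; the other two are constructed.
SAMPLE_LOG = """\
Caused by: java.lang.IllegalStateException: Cannot forward after response has been committed
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:328)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:318)
    at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:741)
    at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:711)
    at org.apache.jsp.saml2.jsp.idpSingleLogoutPOST_jsp._jspService(idpSingleLogoutPOST_jsp.java:188)
INFO constructed unrelated line
Caused by: java.lang.IllegalStateException: Cannot forward after response has been committed
    at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:711)
    at org.apache.jsp.saml2.jsp.idpSingleLogoutRedirect_jsp._jspService(idpSingleLogoutRedirect_jsp.java:1)
Caused by: java.lang.IllegalStateException: Cannot forward after response has been committed
    at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:711)
    ... 30 more
"""

def failing_slo_jsps(log_text):
    """Count (jsp_name, generated_line) for each trace carrying MARKER."""
    hits = Counter()
    in_trace = False
    for line in log_text.splitlines():
        if MARKER in line:
            in_trace = True          # start of a matching "Caused by" section
            continue
        if not in_trace:
            continue
        m = JSP_FRAME.match(line)
        if m:
            hits[(m.group(1) + ".jsp", int(m.group(2)))] += 1
            in_trace = False         # first saml2 JSP frame identifies the caller
        elif not ANY_FRAME.match(line):
            in_trace = False         # trace ended without a saml2 JSP frame
    return hits

if __name__ == "__main__":
    for (jsp, line), n in failing_slo_jsps(SAMPLE_LOG).items():
        print(f"{jsp} (generated line {line}): {n} occurrence(s)")
```

The line number reported is the one in the Jasper-generated servlet source, not in the .jsp file itself.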




            • Assignee:
              lawrence.yarham Lawrence Yarham