OPENAM-15533: WS-Federation doesn't work with Authentication Trees

    Details

    • Sprint:
      AM Sustaining Sprint 68
    • Story Points:
      5
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description; Yes but I used my own steps (if so, please add them in a new comment)

      Description

      Bug description

      When the realm is configured to authenticate with an Authentication Tree and WS-Fed sign-in is invoked, an HTTP 500 is returned to the browser after successful authentication.

      The WS-Fed integration works if the realm authentication is changed to a standard chain (say ldapservice).

      How to reproduce the issue

      1. Setup a working WS-Fed integration (configure the default authentication for the realm to point to a chain to confirm this is working)
      2. Configure a simple Tree in the realm, such as username collector, password collector and datastore decision with transitions to success and failure
      3. Configure the authentication service for the realm to point to the new tree
      4. Invoke the WS-Fed endpoint (e.g. http://id.example.com:8080/am/WSFederationServlet/metaAlias/customers/wsfedidp?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline).

      Expected behaviour

      After authentication, the user is federated to the SP.

      Current behaviour

      HTTP 500 - Internal Server Error is displayed in the browser, with the following appearing in catalina.out:
      
      java.lang.NullPointerException
      	at com.sun.identity.wsfederation.servlet.IPSigninRequest.sendResponse(IPSigninRequest.java:278)
      	at com.sun.identity.wsfederation.servlet.IPSigninRequest.process(IPSigninRequest.java:171)
      	at com.sun.identity.wsfederation.servlet.WSFederationServlet.doGet(WSFederationServlet.java:72)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      

      Work around

      Add a "Set Session Properties" node in the tree before success, with the following key/value:

      "AuthType":<name of tree>

      Note that the value seems to be unimportant for the federation to succeed, but as a best practice it should be set to something meaningful (i.e. the name of the tree that authenticated the user).

      Code analysis

      The reason for this is that IPSigninRequest.sendResponse retrieves the authentication method ("authMethod") from the session under the SessionProvider.AUTH_METHOD key, which corresponds to the "AuthType" session property.

       

      com.sun.identity.wsfederation.servlet.IPSigninRequest
      ...
      String authMethod;
      try {
          // Returns the String[] stored under SessionProvider.AUTH_METHOD ("AuthType");
          // the [0] index is applied without checking for a null or empty result.
          authMethod = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_METHOD)[0];
      } catch (SessionException se) {
          throw new WSFederationException(se);
      }


      When using chains/modules, this property holds the module that authenticated the user. It is not set when using Trees, so indexing [0] on the missing property results in the NullPointerException.
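      The failure mode described above, as an added example that is not OpenAM's code: a minimal stand-in for the getProperty(session, name) -> String[] contract, backed by a plain Map, showing the unchecked [0] dereference from the report beside a null-safe lookup that fails closed with a diagnosable error instead of an NPE. The property name "AuthType", the Map-backed session, the assumption that an unset property comes back as null, and the tree/chain names are all assumptions or constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example, not OpenAM code: models the session-property lookup that
// IPSigninRequest.sendResponse performs and the null handling it lacks.
public class AuthMethodLookup {

    // Assumption: the session property the report calls "AuthType"
    // (what SessionProvider.AUTH_METHOD corresponds to).
    static final String AUTH_METHOD = "AuthType";

    // Stand-in for the provider's getProperty(session, name) -> String[] contract.
    // Assumption: a property that was never set is returned as null.
    interface SessionProvider {
        String[] getProperty(Map<String, String[]> session, String name);
    }

    static final SessionProvider PROVIDER = (session, name) -> session.get(name);

    // The pattern from the bug report: [0] is applied to whatever comes back,
    // so a session without AuthType throws NullPointerException (the HTTP 500).
    static String authMethodUnsafe(Map<String, String[]> session) {
        return PROVIDER.getProperty(session, AUTH_METHOD)[0];
    }

    // Null-safe lookup: a missing, empty or blank property is reported as absent
    // rather than dereferenced.
    static Optional<String> authMethodSafe(Map<String, String[]> session) {
        String[] values = PROVIDER.getProperty(session, AUTH_METHOD);
        if (values == null || values.length == 0 || values[0] == null || values[0].isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(values[0]);
    }

    // Fail closed with an actionable message instead of a bare NPE: the operator
    // sees which session property is missing and where to set it.
    static String resolveAuthMethod(Map<String, String[]> session) {
        return authMethodSafe(session).orElseThrow(() -> new IllegalStateException(
                "Session has no " + AUTH_METHOD + " property; set it in the tree "
                + "(Set Session Properties node before Success) or use a chain"));
    }

    // Builds a constructed session from key/value pairs, each value stored as String[].
    static Map<String, String[]> session(String... keyValuePairs) {
        Map<String, String[]> s = new HashMap<>();
        for (int i = 0; i + 1 < keyValuePairs.length; i += 2) {
            s.put(keyValuePairs[i], new String[] { keyValuePairs[i + 1] });
        }
        return s;
    }

    public static void main(String[] args) {
        // Constructed sessions: chain login sets AuthType; a tree does not unless the
        // Set Session Properties workaround from the report is applied.
        Map<String, String[]> chainSession = session(AUTH_METHOD, "ldapService");
        Map<String, String[]> treeSession = session();
        Map<String, String[]> treeWithWorkaround = session(AUTH_METHOD, "exampleTree");

        System.out.println("chain:           " + resolveAuthMethod(chainSession));
        System.out.println("tree+workaround: " + resolveAuthMethod(treeWithWorkaround));

        try {
            authMethodUnsafe(treeSession);
        } catch (NullPointerException e) {
            System.out.println("tree (unsafe):   NullPointerException, i.e. the HTTP 500 in the report");
        }
        try {
            resolveAuthMethod(treeSession);
        } catch (IllegalStateException e) {
            System.out.println("tree (safe):     " + e.getMessage());
        }
    }
}
```

      From the IdP's point of view the workaround session is indistinguishable from a chain session, which is why any value for AuthType makes federation succeed; the safe lookup only changes what happens when the property is absent.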


             People

             • Assignee:
               lawrence.yarham Lawrence Yarham
             • Reporter:
               bradley.tarisznyas Brad Tarisznyas