OPENAM-17010

SAML IdP - NullPointerException in SAML SP-initiated SSO flow


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 6.5.0, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2, 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3, 7.0.0, 6.5.3, 7.1.0
    • Fix Version/s: None
    • Component/s: SAML
    • Labels: None
    • Environment: Oracle JDK 1.8.0_201-b09
      Apache Tomcat 9.0.8
      AM 6.5.0

      Description

      Bug description

      AM's deployment container shows 'internal server error' at the IdP while performing SP-initiated SSO flow

      How to reproduce the issue


      1. Configure some SAML SP (e.g. AM 7.0.0 in integrated mode)
      2. Configure AM 6.5.0
      3. Configure hosted IdP for AM 6.5.0
      4. Create SAML trust between IdP and SP
      5. Perform SP-initiated SSO via AM 7.0.0 integrated mode
      Expected behaviour
      SSO flow should succeed or at least AM login page should appear
      
      Current behaviour
      Internal Server error page of AM's deployment container is shown.
      
      Excerpt of the AM 6.5.0 deployment container log file:
      org.apache.jasper.JasperException: An exception occurred processing [saml2/jsp/idpSSOFederate.jsp] at line [92]
      
      89:      * It sends back a response containing error status if
      90:      * something is wrong during the request processing.
      91:      */
      92:     IDPSSOFederate.doSSOFederate(request, response, new PrintWriter(out, true), reqBinding, saml2Auditor);
      93: %>
      
      
      Stacktrace:
      	at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:593)
      	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:482)
      	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
      	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.services.datastore.DataStoreConsistencyFilter.lambda$doFilter$0(DataStoreConsistencyFilter.java:46)
      	at org.forgerock.openam.service.datastore.ReentrantVolatileActionConsistencyController.safeExecute(ReentrantVolatileActionConsistencyController.java:37)
      	at org.forgerock.openam.services.datastore.DataStoreConsistencyFilter.doFilter(DataStoreConsistencyFilter.java:46)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:412)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1385)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.NullPointerException
      	at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:145)
      	at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:238)
      	at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:144)
      	at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:104)
      	at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:202)
      	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:444)
      	... 42 more
      

      Workaround

      Set attribute AuthnRequestsSigned to false in the SP metadata.

      Code analysis

      Source of 'master' (https://stash.forgerock.org/projects/OPENAM/repos/openam/browse/openam-federation/openam-federation-library/src/main/java/org/forgerock/openam/saml2/UtilProxySAMLAuthenticator.java)

      org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.java
      ...
          @Override
          public void authenticate() throws FederatedSSOException, IOException {
              SPSSODescriptorType spSSODescriptor = null;
      ...
              //only verify signature based on whether this setting is enabled
              if (idpSSODescriptor.isWantAuthnRequestsSigned() || spSSODescriptor.isAuthnRequestsSigned()) {
      ...
      

      spSSODescriptor (initialised to null above) can still be null when this condition is evaluated, so spSSODescriptor.isAuthnRequestsSigned() throws the NullPointerException seen in the stack trace.
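As an added example (not OpenAM's code), the following models the guard quoted above with hypothetical stand-in descriptor interfaces and shows a null-safe, fail-closed variant; the stand-in names and the use of IllegalStateException are assumptions, not the project's types.

```java
/**
 * Added example, not OpenAM code: reproduces the null dereference in the
 * signature-required guard and a variant that fails closed instead of with a 500.
 */
public class AuthnRequestSignatureCheck {

    /** Hypothetical stand-ins for the SAML metadata descriptor types used by the guard. */
    interface IdpDescriptor { boolean isWantAuthnRequestsSigned(); }
    interface SpDescriptor  { boolean isAuthnRequestsSigned(); }

    /** Same shape as the condition quoted in the issue: the right operand is only
     *  evaluated when the IdP does not itself require signed requests, and it
     *  dereferences sp without a null check. */
    static boolean signatureRequiredOriginal(IdpDescriptor idp, SpDescriptor sp) {
        return idp.isWantAuthnRequestsSigned() || sp.isAuthnRequestsSigned();
    }

    /** Null-safe variant: unresolved metadata is reported as a trust/configuration
     *  error before any policy decision is made, so signature verification is never
     *  silently skipped and the container never sees a NullPointerException. */
    static boolean signatureRequiredSafe(IdpDescriptor idp, SpDescriptor sp) {
        if (idp == null || sp == null) {
            throw new IllegalStateException("SAML metadata for IdP or SP could not be resolved");
        }
        return idp.isWantAuthnRequestsSigned() || sp.isAuthnRequestsSigned();
    }

    public static void main(String[] args) {
        IdpDescriptor idpNoSigning = () -> false; // IdP does not demand signed AuthnRequests
        SpDescriptor missingSp = null;             // SP descriptor lookup failed (constructed state)

        try {
            signatureRequiredOriginal(idpNoSigning, missingSp);
        } catch (NullPointerException e) {
            System.out.println("original guard: NullPointerException (container returns HTTP 500)");
        }
        try {
            signatureRequiredSafe(idpNoSigning, missingSp);
        } catch (IllegalStateException e) {
            System.out.println("safe guard: " + e.getMessage());
        }
        // With WantAuthnRequestsSigned=true the || short-circuits and the null SP
        // descriptor is never touched, which is why the defect is configuration dependent.
        System.out.println("IdP requires signing, SP descriptor absent: "
                + signatureRequiredOriginal(() -> true, null));
    }
}
```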

              Assignee: Unassigned
              Reporter: Bernhard Thalmayr (bthalmayr)