OPENAM-17342: Error 500 when receiving a SAML request from an SP that supports MD5



    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 7.0.1
    • Fix Version/s: None
    • Component/s: core, SAML
    • Labels: None


      Bug description

      When AM (configured as an IdP) receives a SAML request from an SP whose metadata declares MD5 as its signature algorithm, or any other algorithm that the JCE provider underlying AM does not support, AM fails with an HTTP 500 error instead of skipping that algorithm and trying the next one the SP supports.

      How to reproduce the issue


      1. Configure AM as an IdP.
      2. Configure an SP whose metadata lists MD5 as its first signing algorithm and an algorithm AM supports as its second.
      3. Run an SP-initiated flow, for example from a browser opened on the SP login page.
      4. After successful authentication on AM, AM displays a "Server Error" page.
      Expected behaviour
      AM should skip the unsupported signing algorithm and try the next one the SP lists.
      Current behaviour
      AM fails with an HTTP 500 error, and the Federation debug log contains the following stack trace:
      ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
      com.sun.identity.saml2.common.SAML2Exception: The algorithm URI "http://www.w3.org/2001/04/xmldsig-more#md5" could not be mapped to a JCE algorithm
          at com.sun.identity.saml2.xmlsig.FMSigProvider.sign(FMSigProvider.java:177)
          at com.sun.identity.saml2.assertion.impl.AssertionImpl.sign(AssertionImpl.java:679)
          at com.sun.identity.saml2.profile.IDPSSOUtil.signAssertion(IDPSSOUtil.java:2449)

      Work around

      Remove the algorithms AM does not support from the SP configuration, export the SP metadata again and re-import it into AM. Note that the trace comes from signing the assertion (IDPSSOUtil.signAssertion), so the failure happens only after the user has already authenticated; and since MD5 is not acceptable as a signature digest in any case, dropping it from the SP metadata is the correct end state and not merely a workaround.
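      The behaviour the report expects, as an added illustration that is not OpenAM code: walk the SP's declared signing-method preferences in order, treat an entry with no local mapping (or one refused by policy) as a reason to move to the next entry rather than to abort the flow, and fall back to the IdP's own default if nothing the SP asked for is usable. Incidentally, the URI in the trace, http://www.w3.org/2001/04/xmldsig-more#md5, is registered in RFC 6931 as a digest-method identifier (the RSA-MD5 signature method is ...#rsa-md5), so some SPs list it where a signature method is expected; either way the IdP should skip it cleanly. The mapping table, the policy deny-list, the default and the sample SP metadata below are assumptions constructed for this example.

```python
# Added example (not OpenAM code): how an IdP can walk the SP's declared
# signing-method preferences and skip entries it cannot honour, instead of
# aborting the whole SSO flow. The mapping table, the policy deny-list and
# the sample metadata below are assumptions constructed for illustration.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ALG_NS = "urn:oasis:names:tc:SAML:metadata:algsupport"

# Assumed IdP-side table of signature-method URIs it can actually run,
# keyed to JCA-style names. The MD5 URI from the bug's stack trace is
# deliberately absent, mirroring a provider that cannot map it.
SUPPORTED_SIGNING = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256withRSA",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA384withRSA",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA512withRSA",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1withRSA",
}
# Assumed policy: mappable, but too weak to sign with.
POLICY_DENIED = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1"}
# Assumed IdP default when nothing the SP asked for is usable.
DEFAULT_SIGNING = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed SP metadata: MD5 listed first, RSA-SHA256 second, as in the
# reproduction steps of the report.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:alg="{ALG_NS}"
    entityID="https://sp.example.test/saml">
  <md:Extensions>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def sp_signing_preferences(metadata_xml):
    """Return the SP's <alg:SigningMethod> URIs in document (preference) order."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Algorithm") for el in root.iter("{%s}SigningMethod" % ALG_NS)]


def select_signing_algorithm(preferences, supported=SUPPORTED_SIGNING,
                             denied=POLICY_DENIED, default=DEFAULT_SIGNING):
    """Pick the first SP preference the IdP both can and may use.

    Returns (uri, jca_name, skipped), where skipped lists (uri, reason) pairs
    for every preference passed over. Never raises on an unknown URI: an
    unmappable entry is a reason to move on, not to fail the request.
    """
    skipped = []
    for uri in preferences:
        if uri not in supported:
            skipped.append((uri, "no local mapping"))
            continue
        if uri in denied:
            skipped.append((uri, "rejected by policy"))
            continue
        return uri, supported[uri], skipped
    # Nothing usable: fall back to the IdP default rather than erroring out.
    return default, supported[default], skipped


if __name__ == "__main__":
    prefs = sp_signing_preferences(SP_METADATA)
    uri, jca, skipped = select_signing_algorithm(prefs)
    for bad, why in skipped:
        print("skipping %s: %s" % (bad, why))
    print("signing with %s (%s)" % (uri, jca))
```

      With the constructed metadata above the selector passes over the MD5 entry with the reason "no local mapping" and signs with RSA-SHA256; an SP that lists only MD5 gets the IdP default, and a mappable but denied entry such as RSA-SHA1 is skipped for policy reasons. The skipped list is what you would log at warning level so that the SP operator can be told to clean up their metadata.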






            Assignee: Unassigned
            Reporter: Cyril Grosjean (cgrosjean)