
Error 500 when meeting a SAML request from a SP that supports MD5


    Details

    Type: Bug
    Status: Open
    Priority: Minor
    Resolution: Unresolved
    Affects Version/s: 7.0.1
    Fix Version/s: None
    Component/s: core, SAML
    Labels: None

      Description

      Bug description

      When AM (configured as IdP) receives a SAML request from an SP whose metadata advertises MD5 as a signature algorithm, or any other algorithm that the JCE underlying AM does not support, AM fails with an error 500 instead of ignoring that algorithm and trying the next algorithm the SP supports.

      How to reproduce the issue


      1. Configure AM as IdP.
      2. Configure an SP that requests an MD5 signature first and an AM-supported signature algorithm second.
      3. Run an SP-initiated flow, for example from a browser on the SP login page.
      4. After successful authentication on AM, a "Server Error" page is displayed by AM.

      Expected behaviour

      AM should ignore the unsupported signing algorithm and try the next one.

      Current behaviour

      AM fails with an error 500 and the following stack trace in the Federation debug log:
      ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
      com.sun.identity.saml2.common.SAML2Exception: The algorithm URI "http://www.w3.org/2001/04/xmldsig-more#md5" could not be mapped to a JCE algorithm
          at com.sun.identity.saml2.xmlsig.FMSigProvider.sign(FMSigProvider.java:177)
          at com.sun.identity.saml2.assertion.impl.AssertionImpl.sign(AssertionImpl.java:679)
          at com.sun.identity.saml2.profile.IDPSSOUtil.signAssertion(IDPSSOUtil.java:2449)

      Workaround

      Remove the algorithms that AM doesn't support from the SP configuration, export the SP metadata again and reimport it into AM.
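      The selection behaviour the report asks for, as an added example in Python (not OpenAM code): the SP metadata, the JCE_ALGORITHMS allowlist and the default algorithm are all constructed or assumed. SigningMethod elements are read from the SP metadata in preference order, unsupported URIs such as the MD5 one are skipped and recorded, and an error is raised only when nothing advertised or defaulted can be mapped.

```python
# Added example, not OpenAM code: choose the first SP-advertised signing
# algorithm that maps to a JCE algorithm instead of failing on the first
# unsupported one. Metadata and algorithm table below are constructed.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",
}

# Constructed SP metadata: MD5 is advertised first, RSA-SHA256 second.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
    entityID="https://sp.example.test/saml">
  <md:Extensions>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Assumed (hypothetical) URI -> JCE name table of what the IdP can sign with.
# MD5 is deliberately absent, so it must be skipped rather than attempted.
JCE_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256withRSA",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1withRSA",
}
DEFAULT_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def advertised_signing_methods(metadata_xml):
    """Return the SigningMethod URIs in the order the SP lists them."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Algorithm") for e in root.iterfind(".//alg:SigningMethod", NS)]


def select_signing_algorithm(metadata_xml, supported=JCE_ALGORITHMS,
                             default=DEFAULT_ALGORITHM):
    """Return (uri, jce_name, skipped_uris); raise only if nothing is usable."""
    skipped = []
    for uri in advertised_signing_methods(metadata_xml):
        if uri in supported:
            return uri, supported[uri], skipped
        skipped.append(uri)  # unmapped URI: record it and try the next one
    if default in supported:
        return default, supported[default], skipped
    raise ValueError("no advertised or default signing algorithm maps to JCE")
```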


      People

      Assignee: Unassigned
      Reporter: Cyril Grosjean (cgrosjean)