Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-18040

"same site patch" breaks SAML2 authentication node



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 6.5.3
    • None
    • Rank:


      Bug description

      Latest SAML2 authentication node from backstage fails on Apache Tomcat 7 when "same site patch" is applied.

      How to reproduce the issue

      1. Configure 3 name-based virtual hosts on Apache http server
      2. Configure SSL/TLS on Apache http server
      3. Use AJP to proxy to upstream Apache Tomcat 7
      4. Create 3 realms in AM, test-idp-saml, test-sp-saml, idbroker and assign the FQDNs appropriately as DNS alias
      5. In realm test-idp-saml create a hosted IdP
      6. In realm test-sp-saml create a hosted SP
      7. In realm idbroker create a hosted IdP and hosted SP
      8. Configure the hosted IdP of realm idbroker as remote IdP in realm _test-sp-saml
      9. Configure the hosted SP of realm idbroker as remote SP in realm test-idp-saml
      10. Configure the hosted IdP of realm test-idp-saml as remote IdP in realm idbroker
      11. Configure the hosted SP of realm test-sp-saml as remote SP in realm idbroker
      12. Configure SAML2 authentication node in realm test-sp-saml and realm idbroker
      13. Use NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' in the SAML2 authentication modules in realm test-sp-saml and idbroke
      14. Configure "secure cookies" to get 'same site' cookie properties set
      15. Trigger authentication in realm test-sp-saml via FQDN 1
      16. Authenticate in realm test-idp-saml via FQDN 3
      Expected behaviour
      Authentication delegation via SAML should work
      Current behaviour
      Delegation fails with Nullpointer exception
      exception from Tomcat log
      Caused by: java.lang.NullPointerException
              at java.lang.String.<init>(String.java:566)
              at org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getLocationValue(SAML2Proxy.java:290)
              at org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrlWithKey(SAML2Proxy.java:231)
              at org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrl(SAML2Proxy.java:219)
              at org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.processSamlResponse(SAML2Proxy.java:127)
              at org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:120)
              at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
              at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
              ... 44 more

      This happens because the value of the authenticationStep cookie is not base64 encoded.


          Issue Links



              Unassigned Unassigned
              bthalmayr Bernhard Thalmayr
              0 Vote for this issue
              1 Start watching this issue