
OpenAM IdP should support SOAP 1.2 when using the SAML ECP profile

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 12.0.2, 13.0.0
    • Fix Version/s: None
    • Component/s: SAML
    • Environment:
      Windows 7 SP1 + Office 2016 (Outlook 2016, Skype Enterprise 2016, Word, Excel ...2016) on the client side
      OpenAM 12.0.2 + Tomcat 7.0.40 + JDK 1.7.0_45 + Ubuntu 12.04.4 LTS 32 bits on the server side

      Description

      I have a setup with an Office365 domain configured to delegate authentication to an external SAML IdP. The configured SAML IdP is an OpenAM 12.0.2 instance.
      When I try to authenticate in the Skype Enterprise 2016 rich client, it actually generates a SOAP 1.2 request to OpenAM, thus with the MIME type header set to application/soap+xml.
      OpenAM seems to expect a SOAP 1.1 request, as stated in the OpenAM debug log, and thus the authentication from Skype fails:

      libSAML:11/13/2015 08:28:47:218 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      HttpRequest content length= 1598
      libIDFF:11/13/2015 08:28:47:218 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      FSUtils.getRemoteServiceURLs: requestURL = https://ois.openrock.org:8443
      libIDFF:11/13/2015 08:28:47:218 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      FSUtils.getRemoteServiceURLs: servers=[https://ois.openrock.org:443/openam], siteList=[https://ois.openrock.org:8443/openam]
      libIDFF:11/13/2015 08:28:47:218 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      FSUtils.getRemoteServiceURLs: new servers=[https://ois.openrock.org:443/openam]
      libIDFF:11/13/2015 08:28:47:218 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      FSUtils.getRemoteServiceURLs: remoteServiceURLs = []
      libPlugins:11/13/2015 08:28:47:218 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      ConfigurationInstanceImpl.getAllConfigurationNames: realm = /demo, componentName = SAML2
      libSAML2:11/13/2015 08:28:47:218 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaCache.getEntityConfig: cacheKey = /demo//attrs.openrock.org, found = true
      libSAML2:11/13/2015 08:28:47:218 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: attrs.openrock.org
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaCache.getEntityConfig: cacheKey = /demo//google.com/a/openrock.org, found = true
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: google.com/a/openrock.org
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaCache.getEntityConfig: cacheKey = /demo//https://ois.openrock.org:8443/openam, found = true
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: https://ois.openrock.org:8443/openam
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaCache.getEntityDescriptor: cacheKey = /demo//https://ois.openrock.org:8443/openam, found = true
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaManager.getEntityDescriptor: got descriptor from SAML2MetaCache https://ois.openrock.org:8443/openam
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaCache.getEntityConfig: cacheKey = /demo//https://ois.openrock.org:8443/openam, found = true
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: https://ois.openrock.org:8443/openam
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Utils.getIDPAdapterClass:  uses com.sun.identity.saml2.plugins.DefaultIDPAdapter
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Utils.getIDPAdapterClass:  got the IDPAdapter from cache
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.getHeaders: Header name=connection, value=Keep-Alive
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.getHeaders: Header name=content-type, value=application/soap+xml
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.getHeaders: Header name=accept, value=*/*
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.getHeaders: Header name=user-agent, value=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; Win64; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MSOIDCRL 7.250.4556.0; App lync.exe, 16.0.6001.0, {12B07E85-1B47-41C4-A4E2-43B0C66A0CF6})
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.getHeaders: Header name=content-length, value=1598
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.getHeaders: Header name=host, value=ois.openrock.org:8443
      libSAML2:11/13/2015 08:28:47:219 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.getHeaders: Header=javax.xml.soap.MimeHeaders@aa7698
      libSAML2:11/13/2015 08:28:47:222 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      ERROR: IDPSSOFederate.getAuthnRequest:
      com.sun.xml.messaging.saaj.SOAPExceptionImpl: Unable to internalize message
      	at com.sun.xml.messaging.saaj.soap.MessageImpl.init(MessageImpl.java:483)
      	at com.sun.xml.messaging.saaj.soap.MessageImpl.<init>(MessageImpl.java:286)
      	at com.sun.xml.messaging.saaj.soap.ver1_1.Message1_1Impl.<init>(Message1_1Impl.java:78)
      	at com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl.createMessage(SOAPMessageFactory1_1Impl.java:72)
      	at com.sun.identity.saml2.profile.IDPSSOFederate.getAuthnRequest(IDPSSOFederate.java:1166)
      	at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:294)
      	at com.sun.identity.saml2.servlet.IDPSingleSignOnServiceSOAP.doPost(IDPSingleSignOnServiceSOAP.java:54)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:744)
      Caused by: com.sun.xml.messaging.saaj.soap.SOAPVersionMismatchException: Cannot create message: incorrect content-type for SOAP version. Got: application/soap+xml Expected: text/xml
      	at com.sun.xml.messaging.saaj.soap.MessageImpl.init(MessageImpl.java:364)
      	... 30 more
      
      CAUSE:
      
      com.sun.xml.messaging.saaj.soap.SOAPVersionMismatchException: Cannot create message: incorrect content-type for SOAP version. Got: application/soap+xml Expected: text/xml
      	at com.sun.xml.messaging.saaj.soap.MessageImpl.init(MessageImpl.java:364)
      	at com.sun.xml.messaging.saaj.soap.MessageImpl.<init>(MessageImpl.java:286)
      	at com.sun.xml.messaging.saaj.soap.ver1_1.Message1_1Impl.<init>(Message1_1Impl.java:78)
      	at com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl.createMessage(SOAPMessageFactory1_1Impl.java:72)
      	at com.sun.identity.saml2.profile.IDPSSOFederate.getAuthnRequest(IDPSSOFederate.java:1166)
      	at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:294)
      	at com.sun.identity.saml2.servlet.IDPSingleSignOnServiceSOAP.doPost(IDPSingleSignOnServiceSOAP.java:54)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:744)
      
      libSAML2:11/13/2015 08:28:47:224 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.putHeaders: Header=javax.xml.soap.MimeHeaders@17ee487
      libSAML2:11/13/2015 08:28:47:224 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.putHeaders: Header name=Accept, value=[text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2]
      libSAML2:11/13/2015 08:28:47:224 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.putHeaders: Header name=Content-Type, value=[text/xml; charset=utf-8]
      libSAML2:11/13/2015 08:28:47:224 AM UTC: Thread[http-bio-8443-exec-2,5,main]
      SAML2Util.putHeaders: Header name=Content-Length, value=[273]
      amLog:11/13/2015 08:29:02:000 AM UTC: Thread[SystemTimer,5,main]
      amSSO.access:FileHandler:TimeBufferingTask.run() called
      amLog:11/13/2015 08:29:02:000 AM UTC: Thread[SystemTimer,5,main]
      amSSO.access:FileHandler.flush: no records in buffer to write
      

      SOAP 1.2 is not that recent, and moreover, according to this JIRA ticket, it is already supported in the OpenDJ DSML gateway: https://bugster.forgerock.org/jira/browse/OPENDJ-1187

      So, at least to be consistent across the whole ForgeRock software stack, OpenAM should support SOAP 1.2.
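      The trace above shows where the mismatch sits: IDPSSOFederate.getAuthnRequest hands the request to a SOAP 1.1-only SAAJ factory (SOAPMessageFactory1_1Impl), which rejects any Content-Type other than text/xml before the envelope is even read. The class below is an added illustration of what a version-aware endpoint would do with the same SAAJ API; it is not OpenAM code and not something the reporter posted. It picks the MessageFactory from the request's Content-Type, parses the body, then checks that the envelope namespace agrees with the declared media type, and it derives the reply Content-Type from the request so that a SOAP 1.2 client is not answered with text/xml (as the putHeaders lines at the end of the log show OpenAM doing). The class and method names (SoapVersionDispatch, protocolFor, parse, replyContentType) and the sample AuthnRequest envelope in main are assumptions constructed for the example; only the javax.xml.soap constants and calls are real SAAJ API.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.MimeHeaders;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;

/** Illustrative SOAP 1.1/1.2 dispatch for an IdP SOAP endpoint (hypothetical class, not OpenAM code). */
public final class SoapVersionDispatch {

    // Media types SAAJ expects for each envelope version: text/xml and application/soap+xml.
    private static final String CT_SOAP11 = SOAPConstants.SOAP_1_1_CONTENT_TYPE;
    private static final String CT_SOAP12 = SOAPConstants.SOAP_1_2_CONTENT_TYPE;

    /** Maps the request Content-Type to the SAAJ protocol name, rejecting anything else. */
    static String protocolFor(String contentType) throws SOAPException {
        if (contentType == null) {
            throw new SOAPException("missing Content-Type");
        }
        // Strip parameters such as "; charset=utf-8" before comparing the media type.
        String mediaType = contentType.split(";", 2)[0].trim().toLowerCase();
        if (mediaType.equals(CT_SOAP11)) {
            return SOAPConstants.SOAP_1_1_PROTOCOL;
        }
        if (mediaType.equals(CT_SOAP12)) {
            return SOAPConstants.SOAP_1_2_PROTOCOL;
        }
        throw new SOAPException("unsupported Content-Type for SOAP: " + contentType);
    }

    /**
     * Parses the body with the factory that matches the declared Content-Type, then
     * verifies that the envelope namespace really is the version the header claimed.
     * A mismatch is rejected rather than guessed at.
     */
    static SOAPMessage parse(String contentType, byte[] body) throws SOAPException {
        String protocol = protocolFor(contentType);
        MimeHeaders headers = new MimeHeaders();
        headers.addHeader("Content-Type", contentType);
        MessageFactory factory = MessageFactory.newInstance(protocol);
        SOAPMessage msg;
        try (InputStream in = new ByteArrayInputStream(body)) {
            msg = factory.createMessage(headers, in);
        } catch (IOException e) {
            throw new SOAPException(e);
        }
        // getEnvelope() is where SAAJ actually parses the envelope and checks its namespace.
        String ns = msg.getSOAPPart().getEnvelope().getNamespaceURI();
        String expected = SOAPConstants.SOAP_1_2_PROTOCOL.equals(protocol)
                ? SOAPConstants.URI_NS_SOAP_1_2_ENVELOPE
                : SOAPConstants.URI_NS_SOAP_1_1_ENVELOPE;
        if (!expected.equals(ns)) {
            throw new SOAPException("Content-Type " + contentType
                    + " does not match envelope namespace " + ns);
        }
        return msg;
    }

    /** The reply must use the same SOAP version (and media type) as the request. */
    static String replyContentType(SOAPMessage request) throws SOAPException {
        String ns = request.getSOAPPart().getEnvelope().getNamespaceURI();
        boolean soap12 = SOAPConstants.URI_NS_SOAP_1_2_ENVELOPE.equals(ns);
        return (soap12 ? CT_SOAP12 : CT_SOAP11) + "; charset=utf-8";
    }

    public static void main(String[] args) throws Exception {
        // Constructed SOAP 1.2 envelope carrying a minimal AuthnRequest; not a captured Skype message.
        String soap12 = "<?xml version=\"1.0\"?>"
                + "<S:Envelope xmlns:S=\"http://www.w3.org/2003/05/soap-envelope\"><S:Body>"
                + "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_example\" Version=\"2.0\" IssueInstant=\"2015-11-13T08:28:47Z\"/>"
                + "</S:Body></S:Envelope>";
        byte[] body = soap12.getBytes(StandardCharsets.UTF_8);

        // Declared as SOAP 1.2: parsed with the 1.2 factory, answered as application/soap+xml.
        SOAPMessage m = parse("application/soap+xml; charset=utf-8", body);
        System.out.println("parsed " + m.getSOAPBody().getFirstChild().getLocalName()
                + ", reply Content-Type: " + replyContentType(m));

        // Same bytes declared as text/xml: the 1.1 factory rejects the 1.2 envelope, as in the ticket.
        try {
            parse("text/xml", body);
        } catch (SOAPException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      SAAJ also offers MessageFactory.newInstance(SOAPConstants.DYNAMIC_SOAP_PROTOCOL), whose createMessage(MimeHeaders, InputStream) picks the version from the Content-Type header itself; the explicit dispatch above does the same thing but keeps the accepted media types and the header-versus-envelope check visible in the endpoint's own code, which is the check a reviewer would want to see before a SOAP 1.2 path is opened on an authentication endpoint.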

      People

      • Assignee: Unassigned
      • Reporter: cgrosjean Cyril Grosjean
      • Votes: 0
      • Watchers: 6