[OPENAM-11082] NPE when IDP Proxy List in SP entity on IDP Proxy instance contains an invalid IDP entity id
Created: 27/Apr/17    Updated: 22/Oct/18

Status: Open
Project: OpenAM
Component/s: SAML
Affects Version/s: 13.5.1, 6.0.0.4, 6.5.0, 5.5.2
Fix Version/s: None
Type: Bug
Priority: Major
Reporter: Nemanja Lukic
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: AME, Backlog, test-candidate
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Description

The IDP Proxy scenario requires the SP entity on the IDP Proxy instance to have the IDP entity ID in the IDP Proxy List property. If the value provided is not a valid entity ID, the SSO process will result in an NPE, as follows:

    java.lang.NullPointerException
        com.sun.identity.saml2.profile.IDPProxyUtil.sendProxyAuthnRequest(IDPProxyUtil.java:186)
        org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.redirectToAuth(UtilProxySAMLAuthenticator.java:557)
        org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:297)
        com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:236)
        com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:142)
        com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:102)
        org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:195)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
        org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
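The failure described above is a configuration value that does not resolve to a known IdP at SSO time. The following pre-flight check is an added example, not OpenAM code and not part of this issue: it parses the SAML metadata of the remote IdPs the proxy trusts, collects the entityIDs that actually carry an IDPSSODescriptor, and reports every IDP Proxy List entry on the SP entity that does not match one. The metadata, entity IDs and proxy list below are constructed for the example; the function names are the example's own and do not correspond to anything in OpenAM.

```python
"""Pre-flight check for an OpenAM-style IDP Proxy List (added example, not OpenAM code).

Given remote IdP SAML metadata and the IDP Proxy List configured on an SP entity
at the proxy, report entries that do not resolve to a known IdP entityID. Such an
entry is exactly the misconfiguration that surfaces as an NPE during SSO instead
of a clear validation error. All metadata and identifiers here are constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata: one genuine remote IdP and one SP-only entity.
# The SP-only entity is a valid entityID but NOT a valid IdP for the proxy list.
REMOTE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://idp.example.org/openam">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/openam/SSORedirect/metaAlias/idp"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def idp_entity_ids(metadata_xml: str) -> set[str]:
    """Return the entityIDs in the metadata that carry an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    entity_tag = f"{{{MD_NS}}}EntityDescriptor"
    # The root may be a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    descriptors = [root] if root.tag == entity_tag else root.iter(entity_tag)
    ids = set()
    for ed in descriptors:
        if ed.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None:
            ids.add(ed.get("entityID"))
    return ids


def check_idp_proxy_list(proxy_list: list[str], metadata_xml: str) -> dict[str, list[str]]:
    """Split the configured IDP Proxy List into resolvable and unresolvable entries.

    Comparison is exact: a stray trailing slash, surrounding whitespace, an empty
    line, or an entityID that is only an SP all fail to resolve to an IdP and are
    reported under "bad" so they can be fixed in the SP entity's configuration.
    """
    known = idp_entity_ids(metadata_xml)
    result: dict[str, list[str]] = {"ok": [], "bad": []}
    for entry in proxy_list:
        if entry in known:
            result["ok"].append(entry)
        else:
            result["bad"].append(entry)
    return result


if __name__ == "__main__":
    # Constructed proxy list: one good entry and three that would break SSO.
    configured = [
        "https://idp.example.org/openam",
        "https://idp.example.org/openam/",
        "https://sp.example.net/saml",
        "",
    ]
    report = check_idp_proxy_list(configured, REMOTE_METADATA)
    for entry in report["bad"]:
        print(f"IDP Proxy List entry {entry!r} does not match a remote IdP entityID")
```

Run it against the metadata actually imported into the proxy (for example, the output of the remote IdP's metadata endpoint) and the list as configured on the SP entity; any entry it reports as bad is one the proxy will not be able to resolve when it tries to build the proxied AuthnRequest.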
Comments

Comment by Ľubomír Mlích [ 17/Oct/18 ]
Screenshot with the error from 6.5.0-M9; notice how it shows the code, and also that there is a different line number after the NPE: 187 instead of 186.
Comment by Ľubomír Mlích [ 17/Oct/18 ]
This chatty error is there when I add the remote IDP proxy configuration to the remote SP instead of the local SP.
Comment by Nathalie Hoet [ 19/Oct/18 ]
Hi Ľubomír Mlích. I ran some tests, and setting the IDP Proxy configuration on the local SP (I presume you mean the SP role of the IdP proxy) is a misconfiguration. It does not perform the second leg of the federation; it stays on the proxy instead of reaching the external IdP. It makes sense that the config needs to be added to the remote SP; otherwise the external IdP would be the same for all the remote SPs, if it were determined by the proxy configuration. My expectation is that you saw the issue above by misconfiguring the value of the IdP in the proxy list (in the remote SP config). I tested it and it does indeed produce the issue above.
Comment by Ľubomír Mlích [ 22/Oct/18 ]
Yes, I agree, the problem is in the misconfiguration as you said, thanks.