[OPENAM-11082] NPE when IDP Proxy List in SP entity on IDP Proxy instance contains an invalid IDP entity id Created: 27/Apr/17  Updated: 22/Oct/18

Status: Open
Project: OpenAM
Component/s: SAML
Affects Version/s: 13.5.1, 6.0.0.4, 6.5.0, 5.5.2
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Nemanja Lukic Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: AME, Backlog, test-candidate
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: screen.png (PNG file)

Description

The IDP Proxy scenario requires the SP entity on the IDP Proxy instance to have the IDP entity ID in its IDP Proxy List property. If the value provided is not a valid entity ID, the SSO process fails with an NPE, as follows:

java.lang.NullPointerException
        com.sun.identity.saml2.profile.IDPProxyUtil.sendProxyAuthnRequest(IDPProxyUtil.java:186)
        org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.redirectToAuth(UtilProxySAMLAuthenticator.java:557)
        org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:297)
        com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:236)
        com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:142)
        com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:102)
        org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:195)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
        org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
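The check this trace calls for, written here as an added illustration and not as OpenAM's own code: the SP's IDP Proxy List is resolved against the realm's IdP metadata before any proxied AuthnRequest is built, so an unknown entity ID fails with a configuration error that names the bad value instead of a NullPointerException deep in sendProxyAuthnRequest. `MetadataResolver`, `ProxyConfigurationException` and the sample entity IDs are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Hypothetical stand-in for the metadata lookup; returns null for unknown entity IDs, as the NPE implies. */
interface MetadataResolver {
    Object getIdpDescriptor(String realm, String entityId);
}

/** Configuration error that names the offending value, raised instead of letting a null propagate. */
class ProxyConfigurationException extends Exception {
    ProxyConfigurationException(String msg) { super(msg); }
}

public class IdpProxyListValidator {
    /**
     * Resolves every entity ID in the SP's IDP Proxy List up front. Any entry without
     * IdP metadata in the realm is reported by value so the operator can fix the SP entity.
     */
    static List<String> validateProxyList(MetadataResolver resolver, String realm,
                                          String spEntityId, List<String> idpProxyList)
            throws ProxyConfigurationException {
        if (idpProxyList == null) idpProxyList = List.of();
        List<String> unknown = new ArrayList<>();
        for (String idpEntityId : idpProxyList) {
            if (idpEntityId == null || idpEntityId.trim().isEmpty()
                    || resolver.getIdpDescriptor(realm, idpEntityId) == null) {
                unknown.add(String.valueOf(idpEntityId));
            }
        }
        if (!unknown.isEmpty()) {
            throw new ProxyConfigurationException("SP " + spEntityId + " in realm " + realm
                + ": IDP Proxy List contains entity IDs with no IdP metadata: " + unknown);
        }
        return idpProxyList;
    }

    public static void main(String[] args) {
        // Constructed sample: one known remote IdP and one mistyped entity ID.
        Set<String> known = Set.of("https://idp.example.com/openam");
        MetadataResolver resolver = (realm, id) -> known.contains(id) ? new Object() : null;
        try {
            validateProxyList(resolver, "/", "https://proxy.example.com/sp",
                List.of("https://idp.example.com/openam", "https://idp.example.com/openam-typo"));
        } catch (ProxyConfigurationException e) {
            System.err.println(e.getMessage()); // names the bad entry instead of an NPE
        }
    }
}
```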


Comments
Comment by Ľubomír Mlích [ 17/Oct/18 ]

Screen with the error from 6.5.0-M9; notice how it shows code, and also that there is a different line number after the NPE: 187 instead of 186.

Comment by Ľubomír Mlích [ 17/Oct/18 ]

This chatty error is there when I add the remote IDP proxy configuration to the remote SP instead of the local SP.

Comment by Nathalie Hoet [ 19/Oct/18 ]

Hi Ľubomír Mlích. I ran some tests, and setting the IDP Proxy configuration on the local SP (I presume you mean the SP role of the IdP proxy) is a misconfiguration. It does not perform the second leg of the federation; it stays on the proxy instead of reaching the external IdP.

It makes sense that the config needs to be added to the remote SP; otherwise the external IdP would be the same for all the remote SPs, if it were determined by the proxy configuration.

My expectation is that you saw the issue above by misconfiguring the value of the IdP in the proxy list (in the remote SP config). I tested it, and it does indeed produce the issue above.

Comment by Ľubomír Mlích [ 22/Oct/18 ]

Yes, I agree, the problem is a misconfiguration as you said, thanks.

Generated at Tue Mar 02 14:31:44 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.