[OPENAM-11968] SAML2 Auth Module does not accept SAML2 AuthResponse with no SessionIndex Created: 19/Oct/17  Updated: 09/Apr/18  Resolved: 25/Oct/17

Status: Resolved
Project: OpenAM
Component/s: authentication, SAML
Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 14.1.0, 14.1.1, 14.5.0
Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: C-Weng C
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Rank: 1|hzuj6v:
Sprint: AM Sustaining Sprint 44
Story Points: 2
Needs backport:
Yes
Support Ticket IDs:
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same as in the description

 Description   

Bug description

Some IDPs do not support SLO and hence their AuthnResponse does not carry a SessionIndex in the assertion. According to the SAML2 spec this is acceptable:

SessionIndex [Optional]
Specifies the index of a particular session between the principal identified by the subject and the authenticating authority.

Examples of this are the Salesforce IDPs.

How to reproduce the issue

  1. Configure OpenAM as Hosted SP, and use AuthConsumer in ACS.
  2. Setup a Connect Application in Salesforce
  3. Export the IDP metadata from Salesforce
  4. Create a SAML authentication module in OpenAM
  5. Log in to OpenAM with the above authentication module.
  • You can force the sessionIndex to be absent by making the SP think there is no SessionIndex in the response at com.sun.identity.saml2.assertion.impl.AuthnStatementImpl.parseElement(AuthnStatementImpl.java:150) (by injecting it through a debugger)
Expected behaviour
The SAML2 Auth module should work; only SLO is not possible.
Current behaviour
Exception:

java.lang.NullPointerException
	org.forgerock.util.Reject.ifNull(Reject.java:152)
	org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData.<init>(SAML2ResponseData.java:41)
	org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.getUrl(SAML2Proxy.java:201)
	org.forgerock.openam.authentication.modules.saml2.SAML2Proxy.processSamlResponse(SAML2Proxy.java:126)
	org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:113)
	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
	org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
	org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)

Work around

Use the legacy Federation (non-integrated SAML2 version)

Code analysis

org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData.java
...org.forgerock.util.Reject.ifNull(Reject.java:152)

We should relax the null check on this. If we fix this we also need to fix org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionProperties(SAML2.java:631) to avoid setting the SessionIdx property to null (put a null check condition), to avoid the below:

javax.security.auth.login.LoginException: java.lang.NullPointerException
        at java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011)
        at java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:1006)
        at com.iplanet.dpro.session.service.InternalSession.internalPutProperty(InternalSession.java:861)
        at com.iplanet.dpro.session.service.InternalSession.putProperty(InternalSession.java:822)
        at com.sun.identity.authentication.spi.AMLoginModule.setUserSessionProperty(AMLoginModule.java:1713)
        at org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionProperties(SAML2.java:631)
        at org.forgerock.openam.authentication.modules.saml2.SAML2.success(SAML2.java:508)

Debugging
You can forcefully set sessionIndex to null at com.sun.identity.saml2.assertion.impl.AuthnStatementImpl.parseElement(AuthnStatementImpl.java:150)
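The two null-handling points named in the code analysis (the constructor that rejects a null SessionIndex, and the session-property write that passes the null on to a ConcurrentHashMap) are shown together below as an added, self-contained example. This is illustration code, not OpenAM's SAML2ResponseData or SAML2 module source: the class and method names, the property keys "SAML2NameID" and "SessionIndex", and the two assertions fed to it are all constructed for the demo. The second assertion omits SessionIndex, as an IdP without SLO support may do; the mandatory Subject is still enforced, the optional index is carried as an Optional, and the property write is skipped when it is absent, so neither the Reject.ifNull-style NPE nor the ConcurrentHashMap.putVal NPE from the traces above can occur.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class OptionalSessionIndexDemo {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample assertions for the demo (not real IdP output, signatures omitted).
    // The first carries a SessionIndex, the second omits it (allowed: SessionIndex is [Optional]).
    static final String WITH_INDEX = "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
        + "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        + "<saml:AuthnStatement AuthnInstant=\"2017-10-19T00:00:00Z\" SessionIndex=\"_idx123\"/>"
        + "</saml:Assertion>";
    static final String WITHOUT_INDEX = "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
        + "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        + "<saml:AuthnStatement AuthnInstant=\"2017-10-19T00:00:00Z\"/>"
        + "</saml:Assertion>";

    /** Stand-in for a response-data holder: the subject is mandatory, the session index is not. */
    static final class ResponseData {
        final String nameId;
        final Optional<String> sessionIndex;

        ResponseData(String nameId, String sessionIndex) {
            // Only the truly mandatory field is rejected when null.
            this.nameId = Objects.requireNonNull(nameId, "subject NameID is required");
            // Optional per SAML 2.0 Core; never rejected, never dereferenced blindly.
            this.sessionIndex = Optional.ofNullable(sessionIndex);
        }
    }

    /** Parses the assertion and reports a missing SessionIndex as "absent" rather than "". */
    static ResponseData parse(String assertionXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Hardening: no DTDs or external entities when parsing untrusted XML from an IdP response.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8)));
        Element nameId = first(doc, "NameID");
        Element authn = first(doc, "AuthnStatement");
        if (nameId == null || authn == null) {
            throw new IllegalArgumentException("assertion lacks Subject/NameID or AuthnStatement");
        }
        // getAttribute() returns "" for a missing attribute, so check presence explicitly.
        String idx = authn.hasAttribute("SessionIndex") ? authn.getAttribute("SessionIndex") : null;
        return new ResponseData(nameId.getTextContent().trim(), idx);
    }

    static Element first(Document doc, String localName) {
        NodeList nl = doc.getElementsByTagNameNS(SAML_NS, localName);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }

    /** Builds the session properties the auth module would set after a successful login.
     *  ConcurrentHashMap.put() throws NullPointerException on a null value, so the optional
     *  index is written only when present; SLO is simply unavailable for such a session. */
    static Map<String, String> sessionProperties(ResponseData data) {
        Map<String, String> props = new ConcurrentHashMap<>();
        props.put("SAML2NameID", data.nameId);                          // assumed property key
        data.sessionIndex.ifPresent(idx -> props.put("SessionIndex", idx)); // assumed property key
        return props;
    }

    public static void main(String[] args) throws Exception {
        for (String xml : new String[] {WITH_INDEX, WITHOUT_INDEX}) {
            ResponseData d = parse(xml);
            System.out.println(sessionProperties(d));
        }
    }
}
```

Run it with `javac OptionalSessionIndexDemo.java && java OptionalSessionIndexDemo`; the second map contains only the NameID entry and no exception is thrown. The same split applies to the real module: keep the hard null check for fields the auth module cannot proceed without (subject, assertion), and treat SessionIndex as Optional all the way through to the session-property write.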



 Comments   
Comment by Filip Kubáň [X] (Inactive) [ 02/Nov/17 ]

Verified on OpenAM 13.5.2-M8 Build 1e79511bcb (2017-October-30 15:13)

no exception encountered, auth module is working

Comment by Filip Kubáň [X] (Inactive) [ 14/Nov/17 ]

Verified on OpenAM 14.1.2-M2 Build e8116f5a64 (2017-November-06 11:10)

no exception encountered, auth module is working

Generated at Tue Mar 02 13:26:13 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.