[OPENAM-12334] Unable to create Saml2Entity using Amster Created: 17/Jan/18  Updated: 13/Jun/18  Resolved: 13/Jun/18

Status: Closed
Project: OpenAM
Component/s: Amster
Affects Version/s: 5.5.1
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Brad Tarisznyas Assignee: Unassigned
Resolution: Not a defect Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Support Ticket IDs:

Description

Bug description

Using the Amster "create Saml2Entity" command fails, resulting in an error similar to this:

Failed to execute the 'create' command. Unexpected character ('1' (code 49)): was expecting comma to separate Object entries.

Amster requires that the body be specified in the --body argument on the command line which seems to cause parsing issues with XML data contained within entity and metadata.

Attempted to use various inputs in the body, but all have failed, e.g.:

create Saml2Entity --realm customers --body '{"metadata": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><EntityDescriptor entityID=\"http://id.example.com:8080\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\">    <IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">        <KeyDescriptor use=\"signing\">            <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">                <ds:X509Data>                    <ds:X509Certificate>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</ds:X509Certificate>                </ds:X509Data>            </ds:KeyInfo>        </KeyDescriptor>        <ArtifactResolutionService index=\"0\" isDefault=\"true\" Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://id.example.com:8080/am/ArtifactResolver/metaAlias/customers/idp\"/>        <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://id.example.com:8080/IDPSloRedirect/metaAlias/customers/idp\" ResponseLocation=\"http://id.example.com:8080/IDPSloRedirect/metaAlias/customers/idp\"/>        <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://id.example.com:8080/IDPSloPOST/metaAlias/customers/idp\" ResponseLocation=\"http://id.example.com:8080/IDPSloPOST/metaAlias/customers/idp\"/>        <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://id.example.com:8080/IDPSloSoap/metaAlias/customers/idp\"/>        <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://id.example.com:8080/IDPMniRedirect/metaAlias/customers/idp\" ResponseLocation=\"http://id.example.com:8080/IDPMniRedirect/metaAlias/customers/idp\"/>        <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://id.example.com:8080/IDPMniPOST/metaAlias/customers/idp\" 
ResponseLocation=\"http://id.example.com:8080/IDPMniPOST/metaAlias/customers/idp\"/>        <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://id.example.com:8080/IDPMniSoap/metaAlias/customers/idp\"/>        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>        <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://id.example.com:8080/SSORedirect/metaAlias/customers/idp\"/>        <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://id.example.com:8080/am/SSOPOST/metaAlias/customers/idp\"/>        <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://id.example.com:8080/SSOSoap/metaAlias/customers/idp\"/>        <NameIDMappingService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://id.example.com:8080/NIMSoap/metaAlias/customers/idp\"/>        <AssertionIDRequestService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://id.example.com:8080/AIDReqSoap/IDPRole/metaAlias/customers/idp\"/>        <AssertionIDRequestService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:URI\" Location=\"http://id.example.com:8080/AIDReqUri/IDPRole/metaAlias/customers/idp\"/>    </IDPSSODescriptor></EntityDescriptor>","entityConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><EntityConfig entityID=\"http://id.example.com:8080\" hosted=\"true\" xmlns=\"urn:sun:fm:SAML:2.0:entityconfig\">    <IDPSSOConfig metaAlias=\"/customers/idp\">        <Attribute name=\"assertionEffectiveTime\">            <Value>600</Value>        </Attribute>        <Attribute name=\"appLogoutUrl\"/>        <Attribute name=\"wantLogoutResponseSigned\">            <Value>false</Value>        </Attribute>        <Attribute name=\"idpECPSessionMapper\">            <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>        
</Attribute>        <Attribute name=\"RpUrl\"/>        <Attribute name=\"idpAccountMapper\">            <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>        </Attribute>        <Attribute name=\"attributeMap\">            <Value>EmailAddress=mail</Value>            <Value>name=cn</Value>        </Attribute>        <Attribute name=\"discoveryBootstrappingEnabled\">            <Value>false</Value>        </Attribute>        <Attribute name=\"nameIDFormatMap\">            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>        </Attribute>        <Attribute name=\"proxyIDPFinderJSP\"/>        <Attribute name=\"autofedAttribute\">            <Value/>        </Attribute>        <Attribute name=\"wantMNIResponseSigned\">            <Value>false</Value>        </Attribute>        <Attribute name=\"idpAuthncontextClassrefMapping\">            <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>        </Attribute>        <Attribute name=\"wantLogoutRequestSigned\">            <Value>false</Value>        </Attribute>        <Attribute name=\"metaAlias\"/>        <Attribute name=\"proxyIDPFinderClass\"/>        <Attribute name=\"saeAppSecretList\"/>        <Attribute name=\"idpAdapter\">            <Value>com.sun.identity.saml2.plugins.MySAML2IdentityProviderAdapter</Value>        </Attribute>        <Attribute name=\"signingCertKeyPass\"/>        <Attribute name=\"idpAuthncontextMapper\">            <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>        </Attribute>        <Attribute name=\"basicAuthOn\">            <Value>false</Value>        </Attribute>        <Attribute name=\"wantNameIDEncrypted\">            <Value>false</Value>        </Attribute>        <Attribute name=\"idpSessionSyncEnabled\">            <Value>false</Value>        </Attribute>        <Attribute name=\"wantMNIRequestSigned\">            <Value>false</Value>        </Attribute>        
<Attribute name=\"basicAuthUser\"/>        <Attribute name=\"idpDisableNameIDPersistence\">            <Value>false</Value>        </Attribute>        <Attribute name=\"basicAuthPassword\"/>        <Attribute name=\"wantArtifactResolveSigned\">            <Value>false</Value>        </Attribute>        <Attribute name=\"AuthUrl\"/>        <Attribute name=\"saeIDPUrl\">            <Value>http://id.example.com:8080/idpsaehandler/metaAlias/customers/idp</Value>        </Attribute>        <Attribute name=\"assertionCacheEnabled\">            <Value>false</Value>        </Attribute>        <Attribute name=\"cotlist\">            <Value>idCOT</Value>        </Attribute>        <Attribute name=\"assertionNotBeforeTimeSkew\">            <Value>600</Value>        </Attribute>        <Attribute name=\"encryptionCertAlias\"/>        <Attribute name=\"idpAttributeMapper\">            <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>        </Attribute>        <Attribute name=\"enableProxyIDPFinderForAllSPs\">            <Value>false</Value>        </Attribute>        <Attribute name=\"signingCertAlias\">            <Value>test</Value>        </Attribute>        <Attribute name=\"relayStateUrlList\"/>        <Attribute name=\"autofedEnabled\">           <Value>false</Value>        </Attribute>    </IDPSSOConfig></EntityConfig>","_type": {"_id": "saml2","name": "Entity Descriptor ","collection": true}}'

Expected behaviour

Saml2Entity is created.

Current behaviour

Failed to execute the 'create' command. Unexpected character ('1' (code 49)): was expecting comma to separate Object entries.
Comments
Comment by Simon Moffatt [ 19/Jan/18 ]

Can you try using the --path argument instead of loading it via the body? E.g. https://github.com/smof/saml2-idp-certificate-updater/blob/master/saml2-idp-certificate-updater.sh as an example, Brad Tarisznyas?

Comment by Brad Tarisznyas [ 19/Jan/18 ]

When trying to use --path with the "create Saml2Entity" command, the result is:

Failed to execute the 'create' command. The command is missing one or more of the following parameters: --body.

This is as per the entity reference: https://backstage.forgerock.com/docs/amster/5.5/entity-reference/#sec-amster-entity-saml2entity-realm-ops-create
Comment by Simon Moffatt [ 19/Jan/18 ]

The example was for import-config, i.e. importing the SAML2 entity from a file, not creating it natively using the body. E.g. import-config --path ../realms/root/Saml2Entity/IDP

Comment by Simon Moffatt [ 02/Feb/18 ]

Hi Brad Tarisznyas, did this work for you?

Comment by Thomas Linke [ 02/Jun/18 ]

It is a parsing issue with the quotes. Instead of one backslash in front of " use two backslashes.
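
The following is an added worked example, not part of this issue and not Amster's or OpenAM's own code. It generates the --body JSON for create Saml2Entity with a JSON library instead of hand-escaping the embedded XML, then reproduces the failure from the description and the double-backslash fix from the last comment. The function amster_unescape is an assumption: it models Amster stripping one level of backslash escapes from the argument before JSON parsing, which is what the reported error ("Unexpected character ('1' ...)" right after version=) suggests, and is not taken from Amster's source. The metadata and entityConfig XML are constructed, cut-down samples, not the full documents from the report.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample input: cut-down IdP metadata and entity config in the
# shape used by the report (not the full documents).
METADATA_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<EntityDescriptor entityID="http://id.example.com:8080" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:metadata">'
    '<IDPSSODescriptor WantAuthnRequestsSigned="false" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="http://id.example.com:8080/am/SSOPOST/metaAlias/customers/idp"/>'
    '</IDPSSODescriptor></EntityDescriptor>'
)
ENTITY_CONFIG_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<EntityConfig entityID="http://id.example.com:8080" hosted="true" '
    'xmlns="urn:sun:fm:SAML:2.0:entityconfig">'
    '<IDPSSOConfig metaAlias="/customers/idp">'
    '<Attribute name="signingCertAlias"><Value>test</Value></Attribute>'
    '</IDPSSOConfig></EntityConfig>'
)


def build_body(metadata_xml: str, entity_config_xml: str) -> str:
    """Build the JSON document for create Saml2Entity.

    json.dumps does the escaping, so every quote inside the XML becomes \\"
    and the result is valid JSON on its own (this is the form that failed).
    """
    body = {
        "metadata": metadata_xml,
        "entityConfig": entity_config_xml,
        "_type": {"_id": "saml2", "name": "Entity Descriptor ", "collection": True},
    }
    return json.dumps(body)


def escape_for_amster_body(json_body: str) -> str:
    """Double every backslash, as suggested in the last comment of the issue,
    so one level of unescaping by Amster still leaves valid JSON."""
    return json_body.replace("\\", "\\\\")


def amster_unescape(arg: str) -> str:
    """ASSUMPTION: model of Amster removing one level of backslash escapes
    from --body before JSON parsing. Inferred from the reported error, not
    from Amster's source."""
    out = []
    i = 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            out.append(arg[i + 1])  # keep the escaped character, drop the backslash
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)


def parse_as_amster_would(arg: str):
    """Apply the modelled unescape, then parse JSON.
    Returns (True, parsed_dict) or (False, error_message)."""
    try:
        return True, json.loads(amster_unescape(arg))
    except json.JSONDecodeError as e:
        return False, str(e)


def entity_id_from_body(parsed: dict) -> str:
    """Check that the metadata survived the round trip as well-formed XML
    by reading its entityID attribute."""
    root = ET.fromstring(parsed["metadata"].encode("utf-8"))
    return root.attrib["entityID"]


if __name__ == "__main__":
    single = build_body(METADATA_XML, ENTITY_CONFIG_XML)
    ok, result = parse_as_amster_would(single)
    print("single backslash:", "parsed" if ok else "FAILED: " + result)

    doubled = escape_for_amster_body(single)
    ok, result = parse_as_amster_would(doubled)
    print("double backslash:", "parsed, entityID =" if ok else "FAILED:",
          entity_id_from_body(result) if ok else result)

    # Single quotes keep bash from touching the backslashes; Amster sees them as-is.
    print("create Saml2Entity --realm customers --body '" + doubled + "'")
```

The single-backslash body fails exactly where the report does: after the unescape, the JSON parser reads `"metadata": "<?xml version="` as a complete string and then hits the `1` of `1.0`. With the backslashes doubled, the unescape yields ordinary JSON and the XML comes back byte-for-byte, which the entityID check confirms. Generating the body this way also keeps the metadata out of shell history in a hand-typed form; read the two XML documents from files in practice and only print the command if you need to paste it.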
