[OPENAM-13079] Import SAML2 MetaData for RoleDescriptor for AttributeQueryDescriptor fails Created: 13/May/18  Updated: 27/Feb/20  Resolved: 26/May/18

Status: Closed
Project: OpenAM
Component/s: SAML, ssoadm
Affects Version/s: 13.5.1, 14.0.0, 14.1.1, 14.5.0, 5.5.1
Fix Version/s: 13.5.3, 14.1.2, 6.5.0, 6.0.1, 5.5.2

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: C-Weng C
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: AM Sustaining Sprint 51
Story Points: 3
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes, and I used the same as in the description

 Description   

Bug description

SAML2 metadata that has the namespace "xmlns:query" declared at the root may not work for the RoleDescriptor element. When such metadata is loaded, the following exception may occur (this is using "ssoadm.jsp"):

java.lang.NullPointerException
	com.sun.identity.saml2.meta.SAML2MetaUtils.workaroundAbstractRoleDescriptor(SAML2MetaUtils.java:781)
	com.sun.identity.saml2.meta.SAML2MetaUtils.preProcessSAML2Document(SAML2MetaUtils.java:677)
	com.sun.identity.saml2.meta.SAML2MetaUtils.importSAML2Document(SAML2MetaUtils.java:653)
	com.sun.identity.federation.cli.ImportMetaData.importSAML2Metadata(ImportMetaData.java:419)
	com.sun.identity.federation.cli.ImportMetaData.handleSAML2Request(ImportMetaData.java:225)
	com.sun.identity.federation.cli.ImportMetaData.handleRequest(ImportMetaData.java:143)
	com.sun.identity.cli.SubCommand.execute(SubCommand.java:296)
	com.sun.identity.cli.CLIRequest.process(CLIRequest.java:217)
	com.sun.identity.cli.CLIRequest.process(CLIRequest.java:139)
	com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:576)
	com.sun.identity.cli.WebCLIHelper.processRequest(WebCLIHelper.java:151)
	com.sun.identity.cli.WebCLIHelper.getHTML(WebCLIHelper.java:92)
	org.apache.jsp.ssoadm_jsp._jspService(ssoadm_jsp.java:289)
	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
	com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
	org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
	org.forgerock.openam.audit.servlet.AuditAccessServletFilter.doFilter(AuditAccessServletFilter.java:62)

The above may appear in catalina.out (for ssoadm.jsp).

All the previous examples, such as the fedlet, always have the namespace attribute xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" declared on the RoleDescriptor element itself, so this issue was not seen with them.

How to reproduce the issue

A simplified example uses the following metadata:

<EntityDescriptor entityID="TEST" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" >
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/ArtifactResolver/metaAlias/"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloRedirect/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPSloRedirect/metaAlias/"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloPOST/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPSloPOST/metaAlias/"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/IDPSloSoap/metaAlias/"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniRedirect/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPMniRedirect/metaAlias/"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniPOST/metaAlias/" ResponseLocation="http://ap000.internal.forgerock.com:8080/openam/IDPMniPOST/metaAlias/"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/IDPMniSoap/metaAlias/"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ap000.internal.forgerock.com:8080/openam/SSORedirect/metaAlias/"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ap000.internal.forgerock.com:8080/openam/SSOPOST/metaAlias/"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/SSOSoap/metaAlias/"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/NIMSoap/metaAlias/"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqSoap/IDPRole/metaAlias/"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqUri/IDPRole/metaAlias/"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AttributeServiceSoap/default/metaAlias/attra"/>
        <AttributeService ns1:supportsX509Query="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AttributeServiceSoap/x509Subject/metaAlias/attra" xmlns:ns1="urn:oasis:names:tc:SAML:metadata:X509:query"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqSoap/AttrAuthRole/metaAlias/attra"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://ap000.internal.forgerock.com:8080/openam/AIDReqUri/AttrAuthRole/metaAlias/attra"/>
        <AttributeProfile>urn:oasis:names:tc:SAML:2.0:profiles:attribute:basic</AttributeProfile>
    </AttributeAuthorityDescriptor>
    <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" >
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    </RoleDescriptor>
</EntityDescriptor>

Some SAML2 providers, such as OracleCloud, are known to provide metadata of this form:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdext="urn:oasis:names:tc:SAML:metadata:extension" xmlns:ns10="urn:oasis:names:tc:SAML:profiles:v1metadata" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="xxxxxxxx" cacheDuration="P30DT0H0M0S" entityID="....." validUntil="2027-09-20T16:48:35Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

and so the problem may be seen there.
Steps to reproduce:

  1. Import the above SAML2 metadata
  2. Observe the failure

Expected behaviour

Import should work.

Current behaviour

Import fails: either the exception above is thrown, or no error is reported but no entry is created.

Work around

Observe that the <RoleDescriptor> element seems unable to resolve the namespace xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" declared at the root. The workaround is to add this namespace attribute to the RoleDescriptor element itself:

    <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
        xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" >
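
As an added illustration (not OpenAM's code), the following Python check models the prefix lookup that goes wrong here, flags RoleDescriptor elements whose xsi:type prefix is declared only on an ancestor, and applies the workaround above before import. The trimmed metadata and the function names are constructed for this example.

```python
from xml.dom import minidom

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed, trimmed reproducer: xmlns:query sits on the root only, and the RoleDescriptor's xsi:type relies on it.
METADATA = """<EntityDescriptor entityID="TEST" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="query:AttributeQueryDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  </RoleDescriptor>
</EntityDescriptor>"""

def local_prefix_uri(elem, prefix):
    """Resolve a prefix from the element's own xmlns attributes only (misses ancestor declarations)."""
    return elem.getAttribute("xmlns:" + prefix) or None

def scoped_prefix_uri(elem, prefix):
    """Resolve a prefix with proper XML namespace scoping: walk up to the root element."""
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        uri = node.getAttribute("xmlns:" + prefix)
        if uri:
            return uri
        node = node.parentNode
    return None

def _typed_role_descriptors(doc):
    """Yield (element, prefix) for every RoleDescriptor carrying a prefixed xsi:type."""
    for rd in doc.getElementsByTagNameNS(NS_MD, "RoleDescriptor"):
        xsi_type = rd.getAttributeNS(NS_XSI, "type")
        if ":" in xsi_type:
            yield rd, xsi_type.split(":", 1)[0]

def find_unresolved_role_descriptors(xml_text):
    """Return xsi:type values whose prefix is not declared on the RoleDescriptor itself."""
    doc = minidom.parseString(xml_text)
    return [rd.getAttributeNS(NS_XSI, "type") for rd, prefix in _typed_role_descriptors(doc)
            if local_prefix_uri(rd, prefix) is None]

def apply_workaround(xml_text):
    """Copy the ancestor-scoped declaration onto each affected RoleDescriptor (the issue's workaround)."""
    doc = minidom.parseString(xml_text)
    for rd, prefix in _typed_role_descriptors(doc):
        uri = scoped_prefix_uri(rd, prefix)
        if uri and local_prefix_uri(rd, prefix) is None:
            rd.setAttribute("xmlns:" + prefix, uri)
    return doc.toxml()
```

Running the check on provider metadata before importing it with ssoadm identifies the affected RoleDescriptor elements; the rewritten output can then be imported on an unfixed version.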

Code analysis


SAML2MetaUtils.java
... Cannot create the xml ....


 Comments   
Comment by Ľubomír Mlích [ 27/Feb/20 ]

Reproduced in ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41)
Verified as fixed in ForgeRock Access Management 5.5.2-M12 Build b4eff06cc5 (2020-February-26 12:16)

Comment by Ľubomír Mlích [ 27/Feb/20 ]

no more verification

Generated at Wed Nov 25 05:00:10 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.