[OPENAM-15533] WS-Federation doesn't work with Authentication Trees Created: 11/Oct/19  Updated: 12/Mar/20  Resolved: 21/Oct/19

Status: Resolved
Project: OpenAM
Component/s: WS Federation
Affects Version/s: 6.5.2.1
Fix Version/s: 6.0.1, 6.5.2.3, 5.5.2, 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: Brad Tarisznyas Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: AM Sustaining Sprint 68
Story Points: 5
Needs backport:
Yes
Support Ticket IDs:
Needs QA verification:
No
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)

Description

Bug description

When the realm is configured with an Authentication Tree and WS-Fed is invoked, an HTTP 500 is returned to the browser on successful authentication.

The WS-Fed integration works if the realm authentication is changed to a standard chain (say ldapservice).

How to reproduce the issue

  1. Set up a working WS-Fed integration (configure the default authentication for the realm to point to a chain to confirm this is working)
  2. Configure a simple Tree in the realm, such as Username Collector, Password Collector and Data Store Decision with transitions to Success and Failure
  3. Configure the authentication service for the realm to point to the new tree
  4. Invoke the WS-Fed endpoint (e.g. http://id.example.com:8080/am/WSFederationServlet/metaAlias/customers/wsfedidp?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline).

Expected behaviour

After authentication, the user is federated to the SP.

Current behaviour

HTTP 500 - Internal Server Error is displayed in the browser, with the following appearing in catalina.out:

java.lang.NullPointerException
	at com.sun.identity.wsfederation.servlet.IPSigninRequest.sendResponse(IPSigninRequest.java:278)
	at com.sun.identity.wsfederation.servlet.IPSigninRequest.process(IPSigninRequest.java:171)
	at com.sun.identity.wsfederation.servlet.WSFederationServlet.doGet(WSFederationServlet.java:72)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

Work around

Add a "Set Session Properties" node in the tree before success, with the following key/value:

"AuthType":<name of tree>

Note that the value seems to be unimportant for the federation to succeed, but for best practice it should be set to something meaningful (i.e. the name of the tree that authenticated the user)

Code analysis

The reason for this is that in IPSigninRequest.sendResponse, the auth method ("authMethod") is retrieved from the session; this maps somehow to "AuthType" in the session.

com.sun.identity.wsfederation.servlet.IPSigninRequest (excerpt from sendResponse)
...
String authMethod;
try {
    // SessionProvider.AUTH_METHOD is the session property the workaround above sets ("AuthType").
    // getProperty returns null when the property was never set, so the [0] dereference
    // is where the NullPointerException in the stack trace comes from.
    authMethod = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_METHOD)[0];
} catch (SessionException se) {
    throw new WSFederationException(se);
}

When using chains/modules, this is the module that authenticated the user. However, it is not set when using Trees, and this results in the NullPointerException.
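The following is an added example, not OpenAM code and not part of the original report. It models the session-property lookup from the excerpt above: a chain session carries "AuthType", a tree session does not, and indexing the missing value fails exactly where the Java dereferences [0]. It also shows the effect of the "Set Session Properties" workaround and what a null-safe lookup with an explicit fallback looks like. The session contents, the tree name "customersTree" and the fallback string "unspecified" are constructed assumptions for illustration, not AM internals.

```python
# Added example (not OpenAM's code): model of the AuthType lookup in
# IPSigninRequest.sendResponse, the tree-session failure, the workaround and a
# null-safe alternative. Session shapes and fallback value are assumptions.
from typing import Dict, List, Optional

# AM session properties are multi-valued: property name -> list of string values.
Session = Dict[str, List[str]]

# The property the page's workaround sets; SessionProvider.AUTH_METHOD resolves to it.
AUTH_METHOD = "AuthType"

# Constructed sessions (not captured from a real server).
CHAIN_SESSION: Session = {
    "Principal": ["id=demo,ou=user,dc=openam,dc=forgerock,dc=org"],
    "AuthType": ["DataStore"],          # chain/module auth records the module name
}
TREE_SESSION: Session = {
    "Principal": ["id=demo,ou=user,dc=openam,dc=forgerock,dc=org"],
    # no "AuthType": tree authentication does not populate it (the bug)
}
TREE_SESSION_WORKAROUND: Session = {
    "Principal": ["id=demo,ou=user,dc=openam,dc=forgerock,dc=org"],
    "AuthType": ["customersTree"],      # set by a Set Session Properties node (assumed name)
}


def get_property(session: Session, name: str) -> Optional[List[str]]:
    """Stand-in for SessionProvider.getProperty: None when the property was never set."""
    return session.get(name)


def auth_method_as_shipped(session: Session) -> str:
    """Mirrors `getProperty(session, AUTH_METHOD)[0]`: indexing a missing property
    raises (TypeError here, NullPointerException in the Java), which the servlet
    surfaces to the browser as HTTP 500."""
    return get_property(session, AUTH_METHOD)[0]  # type: ignore[index]


def auth_method_null_safe(session: Session, fallback: str = "unspecified") -> str:
    """Null-safe variant: tolerate a missing or empty property and fall back to a
    caller-chosen value (the fallback string is an illustration, not AM's choice)."""
    values = get_property(session, AUTH_METHOD)
    if not values or not values[0]:
        return fallback
    return values[0]


def signin_would_fail(session: Session) -> bool:
    """True when the shipped lookup would blow up for this session."""
    try:
        auth_method_as_shipped(session)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for label, s in [("chain", CHAIN_SESSION), ("tree", TREE_SESSION),
                     ("tree+workaround", TREE_SESSION_WORKAROUND)]:
        print(f"{label:16} shipped fails={signin_would_fail(s)} "
              f"null-safe={auth_method_null_safe(s, fallback='customersTree')}")
```

The null-safe variant is only a sketch of the defensive shape; the report's own evidence is that the value itself is not what matters for federation to succeed, so a fix in the servlet mainly needs to avoid the dereference, while the workaround avoids it by making sure the property exists.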
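Added example for triaging this failure in logs; it is not part of the report and not ForgeRock tooling. It scans catalina.out for the signature in the reproduction section, a NullPointerException whose top frame is IPSigninRequest.sendResponse, and ignores other exceptions and NPEs elsewhere. The sample log is constructed from the trace on the page plus two unrelated entries to show the filtering; no line of it was captured from a real server.

```python
# Added example (not OpenAM tooling): find the NPE-at-IPSigninRequest.sendResponse
# signature in a catalina.out. Sample log is constructed, not captured.
import re
from typing import Dict, List, Optional

TARGET_METHOD = "com.sun.identity.wsfederation.servlet.IPSigninRequest.sendResponse"

# Exception header: optional "Caused by:", fully qualified class ending in
# Exception/Error, optional message.
EXC_RE = re.compile(r"^(?:Caused by:\s*)?(?P<exc>[\w.$]+(?:Exception|Error))(?::\s*(?P<msg>.*))?$")
# Stack frame: "\tat pkg.Class.method(File.java:123)"
FRAME_RE = re.compile(r"^\s+at\s+(?P<method>[\w.$<>]+)\((?P<loc>[^)]*)\)")

SAMPLE_LOG = """\
11-Oct-2019 14:02:10.331 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 8412 ms
java.lang.NullPointerException
\tat com.sun.identity.wsfederation.servlet.IPSigninRequest.sendResponse(IPSigninRequest.java:278)
\tat com.sun.identity.wsfederation.servlet.IPSigninRequest.process(IPSigninRequest.java:171)
\tat com.sun.identity.wsfederation.servlet.WSFederationServlet.doGet(WSFederationServlet.java:72)
\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
java.lang.NullPointerException
\tat com.example.widgets.Renderer.render(Renderer.java:41)
java.lang.IllegalStateException: session invalidated
\tat com.sun.identity.wsfederation.servlet.IPSigninRequest.sendResponse(IPSigninRequest.java:300)
"""


def find_wsfed_npe(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per NullPointerException whose first frame is TARGET_METHOD.
    Only the top frame is checked: a deeper frame in the same class is a different bug."""
    hits: List[Dict[str, object]] = []
    pending_line: Optional[int] = None  # line number of an NPE header awaiting its top frame
    for n, line in enumerate(lines, start=1):
        exc = EXC_RE.match(line)
        if exc:
            pending_line = n if exc.group("exc") == "java.lang.NullPointerException" else None
            continue
        if pending_line is None:
            continue
        frame = FRAME_RE.match(line)
        if frame and frame.group("method") == TARGET_METHOD:
            hits.append({"line": pending_line, "location": frame.group("loc")})
        pending_line = None  # the top frame (or a non-frame line) has been seen
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for h in find_wsfed_npe(text.splitlines()):
        print(f"line {h['line']}: NullPointerException at {h['location']}")
```

Run it with the path to catalina.out as the only argument; with no argument it scans the embedded sample. Matching on the top frame rather than on "IPSigninRequest" anywhere in the trace keeps unrelated failures in the same servlet out of the count.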
Comments
Comment by Lawrence Yarham [ 21/Oct/19 ]

Have fixed (for both WS-Fed and SAML 1.x flows - see reproduction steps in comments above for each) for master (7.0.0 snapshot) and have backported to 6.5.x and 6.0.x sustaining branches.  Backport for 5.5.x is created and tested and PR is open, awaiting completion of 5.5.2 codefreeze.

Generated at Mon Nov 30 01:28:46 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.