
I need some help :)

I am currently setting up partners for our SSO.

We are using OpenAM. So we are the hosted service provider, and I set up the identity provider - our partner.

We have successful configurations, but for this one I am running into a wall :/

It is SAML 2.0, the agent is installed on Tomcat 7 and the communication seems fine.

When our partner sends us a request, he gets:

    HTTP 500

    Exception:

    javax.servlet.ServletException : AMSetupFilter.doFilter
        com.sun.identify.setup.AMSetupFilter.doFilter(AMSetupFilter.java 121)

    Root cause:

    java.lang.NullPointerException

    com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1158)
    org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp)

    .....

    com.sun.identify.setup.AMSetupFilter.doFilter(AMSetupFilter)

In the logs I have, for the SSO server's catalina.out:

    Nov 26, 2013 4:52:22 PM com.sun.org.apache.xml.internal.security.signature.Reference verify
    INFO: Verification successful for URI "#_6cf47d3b-f425-4a10-aeb1-fa20cf763387"
    org.apache.jasper.JasperException: java.lang.NullPointerException
        at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:522)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:416)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:95)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:662)
    Caused by: java.lang.NullPointerException
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1158)
        at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:224)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
        ... 21 more

In the Session log of OpenAM:

        CookieMode is:true
        SessionID(HttpServletRequest) : is forward = null
        getSidFromQuery: request =org.apache.catalina.connector.RequestFacade@b1a7a0
        getSidFromQuery: sid =null
        before decoding getSidFromURL:sidString=null
        after decoding: getSidFromURL:sidString=null
        could not create SSOToken from HttpRequest
        com.iplanet.dpro.session.SessionException: Invalid session ID.
            at com.iplanet.dpro.session.Session.getSession(Session.java:1089)
            at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:92)
            at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:241)
            at com.sun.identity.plugin.session.impl.FMSessionProvider.getSession(FMSessionProvider.java:408)
            at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:202)
            at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
            at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
            at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            ...

And probably the most interesting, the Federation log:

    SPACSUtils.getResponse: got response= (give me a proper xml response)
    **FMSessionProvider.getSession: Could not get the session from the HTTP request: Invalid session ID.
    spAssertionConsumer.jsp: Token is null.Invalid session ID.**
    SPACSUtils.processResponse: Response : com.sun.identity.saml2.protocol.impl.ResponseImpl@1262e43
    SAML2Utils.getSPAdapterClass: get SPAdapter for ***
    getAttributeValueFromSSOConfig : realm - /***
    getAttributeValueFromSSOConfig : hostEntityId - ***
    getAttributeValueFromSSOConfig : entityRole - SPRole
    getAttributeValueFromSSOConfig : attrName - spAdapter
    getAllAttributeValueFromSSOConfig : realm - /***
    getAllAttributeValueFromSSOConfig : hostEntityId -***
    getAllAttributeValueFromSSOConfig : entityRole - SPRole
    getAllAttributeValueFromSSOConfig : attrName - spAdapter
    SAML2MetaCache.getEntityConfig: cacheKey = ***, found = true
    SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: ***
    getAttributeValueFromSSOConfig: values=com.sun.xml.bind.util.ListImpl@1f
    SAML2Utils.getSPAdapterClass: get SPAdapter class 
    SAML2MetaCache.getEntityConfig: cacheKey = /***, found = true
    SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: ***
    ConfigurationInstanceImpl.getAllConfigurationNames: realm = /***, componentName = LIBCOT
    CircleOfDescriptorCache:getCircleOfTrust:cacheKey = ***, found = true
    SAML2MetaCache.getEntityConfig: cacheKey = ***, found = true
    SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: ***
    SAML2MetaCache.getEntityDescriptor: cacheKey = ***, found = true
    SAML2MetaManager.getEntityDescriptor: got descriptor from SAML2MetaCache ***
    SAML2Utils:getWantPOSTResponseSigned : realm - /***
    SAML2Utils:getWantPOSTResponseSigned : hostEntityId - ***
    SAML2Utils:getWantPOSTResponseSigned : entityRole - SPRole
    getAttributeValueFromSSOConfig : realm - /***
    getAttributeValueFromSSOConfig : hostEntityId -***
    getAttributeValueFromSSOConfig : entityRole - SPRole
    getAttributeValueFromSSOConfig : attrName - wantPOSTResponseSigned
    getAllAttributeValueFromSSOConfig : realm - /***
    getAllAttributeValueFromSSOConfig : hostEntityId - ***
    getAllAttributeValueFromSSOConfig : entityRole - SPRole
    getAllAttributeValueFromSSOConfig : attrName - wantPOSTResponseSigned
    SAML2MetaCache.getEntityConfig: cacheKey = ***, found = true
    SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: ***
    getAttributeValueFromSSOConfig: values=com.sun.xml.bind.util.ListImpl@5cb1942
    SAML2Utils.verifyResponse:binding is :urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    SAML2MetaCache.getEntityConfig: cacheKey = ***, found = true
    SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: ***
    ConfigurationInstanceImpl.getAllConfigurationNames: realm = /***, componentName = LIBCOT
    CircleOfDescriptorCache:getCircleOfTrust:cacheKey = ***, found = true
    SAML2MetaCache.getEntityDescriptor: cacheKey = ***, found = true
    SAML2MetaManager.getEntityDescriptor: got descriptor from SAML2MetaCache ***
    FMSigProvider.verify: The cert contained in the document is the same as the one being passed in.
    validateCertificate :  CRL check is not configured. Just return it is good.
    FMSigProvider.verify: Signature verification successful.
    SAML2Utils.isBearerSubjectConfirmation:timeskew = 300
    AuthContext Class Name is :com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper
    getAllAttributeValueFromSSOConfig : realm - /***
    getAllAttributeValueFromSSOConfig : hostEntityId - ***
    getAllAttributeValueFromSSOConfig : entityRole - SPRole
    getAllAttributeValueFromSSOConfig : attrName - spAuthncontextClassrefMapping
    SAML2MetaCache.getEntityConfig: cacheKey = ***, found = true
    SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: ***
    DefaultSPAuthnContextMapper: List:com.sun.xml.bind.util.ListImpl@8d71dc68
    DefaultSPAuthnContextMapper.getAuthnCtxFromSPConfig: AuthLevel is 0
    DefaultSPAuthnContextMapper:hostEntityID:***
    DefaultSPAuthnContextMapper:realm:/***
    DefaultSPAuthnContextMapper:MAP:{default=0, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=0, defaultClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport}
    DefaultSPAuthnContextMapper:HASH:{***={default=0, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=0, defaultClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport}}
    DefaultSPAuthnContextMapper:authnClRef:urn:federation:authentication:windows
    DefaultSPAuthnContextMapper:authLevel :0
    SAML2Utils.fillMap: Found valid authentication assertion.
    SPACSUtils.processResponse: Assertions : [com.sun.identity.saml2.assertion.impl.AssertionImpl@1f2c081]
    SAML2MetaManager.getEntityConfig: got entity config from SAML2MetaCache: 
    DefaultAccountMapper.constructor: 
    DefaultLibrarySPAccountMapper.constructor: 
    DefaultSPAccountMapper.constructor: 
    SPACSUtils.getSPAccountMapper: mapper = com.sun.identity.saml2.plugins.DefaultSPAccountMapper
    DefaultSPAttributeMapper.constructor
    SAML2MetaCache.getEntityDescriptor: cacheKey =, found = true
When providing stacktraces it is usually beneficial to also provide product version, so people can actually match it up with the code. - Peter Major
Thank you for the reminder :). OpenAM 10.1.0-Xpress. We identified that this error is most likely from an error in our partner's request (too much information trimmed!). I am trying to see if there is any way of sending a request manually (being the IdP) rather than waiting on our partner to send us a request, so we can test our SSO configuration. I tried with: `<form id="theform" action="https://ssotest/sp/saml2/jsp/idpSSOInit.jsp" method="post"> ...` But it does not seem to work! I get an authentication error (null pointer) - julien

2 Answers


The stack trace suggests that there was no NameID element defined in the SAML response for some reason; most likely this is a bug in the IdP. The Federation debug log at message level should contain all the details about the SAML response, so I would suggest turning up the logging level and having a look there.

If you want to reproduce the HTTP 500, then you should send the SAML response manually to the SSOPOST endpoint (see the AssertionConsumerService elements in the SAML metadata).
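As an added illustration of the two steps in this answer (not code from the question, the answerer or OpenAM): a small Python pre-flight that reads the HTTP-POST AssertionConsumerService Location out of SP metadata, as the POST binding's SAMLResponse form field would need it, and checks a base64-encoded response for the Assertion and Subject/NameID elements whose absence the answer points at. The metadata, the over-trimmed response and the hostnames are constructed samples.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 metadata, protocol and assertion namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample SP metadata (hypothetical hosts, not the asker's real metadata).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.example.test/sp"><md:SPSSODescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://sp.example.test/sp/Consumer/metaAlias/sp" index="0"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.test/sp/Consumer/metaAlias/sp" index="1"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed, over-trimmed sample response: Status and Assertion present, Subject/NameID missing.
TRIMMED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def post_acs_location(metadata_xml):
    """Location of the SP's HTTP-POST AssertionConsumerService, or None if it has none."""
    root = ET.fromstring(metadata_xml)
    for acs in root.iterfind(".//md:AssertionConsumerService", NS):
        if acs.get("Binding") == HTTP_POST:
            return acs.get("Location")
    return None

def encode_response(response_xml):
    """Base64-encode a Response the way the SAMLResponse form field of the POST binding carries it."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")

def check_saml_response(encoded_response):
    """Pre-flight a SAMLResponse form value; return the pieces the SP needs but cannot find."""
    root = ET.fromstring(base64.b64decode(encoded_response))
    problems = []
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("no Assertion element")
    for a in assertions:
        if a.find("saml:Subject/saml:NameID", NS) is None:
            problems.append("Assertion %s has no Subject/NameID" % a.get("ID"))
    return problems
```

Run `check_saml_response(encode_response(TRIMMED_RESPONSE))` to see the missing NameID reported before anything is posted to the Location returned by `post_acs_location(SP_METADATA)`; an encrypted assertion (EncryptedAssertion) is not handled here.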


Ok, it makes sense. Thank you for the details :) We noticed that this issue was because our IdP partner trimmed the request a little bit too much!!

So this issue is gone; we are now actually able to land on our application page - we have a SSO SUCCESS in the federation log.

But in the session we get :

    cookieMode is :true
    CookieMode is:true
    SessionID(HttpServletRequest) : is forward = null
    cookieMode is :true
    CookieMode is:true
    Running sendEvent, type = 0
    Session.isPollingEnabled is false
    Session Cache cleanup is set to true
    Session.isPollingEnabled is false
    Session Cache cleanup is set to true
    Running sendEvent, type = 0
    Session.isPollingEnabled is false
    Session Cache cleanup is set to true
    Session.isPollingEnabled is false
    Session Cache cleanup is set to true
    SessionID(HttpServletRequest) : is forward = null
    getSidFromQuery: request =org.apache.catalina.connector.RequestFacade@84b1e0
    getSidFromQuery: sid =null
    before decoding getSidFromURL:sidString=null
    after decoding: getSidFromURL:sidString=null
    could not create SSOToken from HttpRequest
    com.iplanet.dpro.session.SessionException: Invalid session ID.
        at com.iplanet.dpro.session.Session.getSession(Session.java:1089)
        at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:92)
        at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:241)
        at com.sun.identity.plugin.session.impl.FMSessionProvider.getSession(FMSessionProvider.java:408)

    SessionID(HttpServletRequest) : is forward = null
    getSidFromQuery: request =org.apache.catalina.connector.RequestFacade@84b1e0
    getSidFromQuery: sid =null
    before decoding getSidFromURL:sidString=null
    after decoding: getSidFromURL:sidString=null
    could not create SSOToken from HttpRequest
    com.iplanet.dpro.session.SessionException: Invalid session ID.
        at com.iplanet.dpro.session.Session.getSession(Session.java:1089)
        at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:92)
        at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:241)

And so in our application, we try to get the USER_SESSION from the HTTP request, but it is null, so we get stuck on the login page of our application :/