2 votes

I just installed OpenAM 13.0.0, created a hosted IdP, and registered a remote SP. Within the remote SP (a product called Questetra), I configured the entityID, login URL, logout URL, and certificate using values found in the XML at http://idp:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://idp:8080/openam&realm=/

Problem: OpenAM says 500 Internal Server Error at the step where the browser loads the successURL.

  • Any idea what is happening?
  • Any tips on how to debug? There is nothing special in the Tomcat and OpenAM logs.

Shortened Wireshark trace

HTTP/1.1 200 OK
[...]

{"successURL":"/SSORedirect/metaAlias/idp?ReqID=a41de50e29c99ff3422f82b7g660ch6&index=null&acsURL=http%3A%2F%2Fthesp%3A8080%2Fuserweb%2Fsaml%2FSSO%2Falias%2Fbpm&spEntityID=http%3A%2F%2Fthesp%3A8080%2Fuserweb%2F&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST"}

GET /openam/SSORedirect/metaAlias/idp?ReqID=a41de50e29c99ff3422f82b7g660ch6&index=null&acsURL=http%3A%2F%2Fthesp%3A8080%2Fuserweb%2Fsaml%2FSSO%2Falias%2Fbpm&spEntityID=http%3A%2F%2Fthesp%3A8080%2Fuserweb%2F&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST HTTP/1.1
[...]

HTTP/1.1 500 Internal Server Error
[...]

<html>[...]HTTP Status 500 - Unable to do Single Sign On or Federation[...]</html>

Full trace at https://gist.github.com/nicolas-raoul/5ff26f37a95bc8088c6af7fe6ea5e468

Tomcat 7.0.72, Ubuntu 2016.04.1 LTS, Firefox 50.1.0

1
Set OpenAM debug logging to 'message' level and check Federation debug log (or provide the error here) - Bernhard Thalmayr
Hey Nicolas, were you able to solve this? - pinkpanther

1 Answer

1 vote

I solved this same error by taking the Certificate value directly from the metadata file exported from OpenAM and entering that directly again, to ensure that it was the exact same.
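The fix in the answer above comes down to one check: the certificate the SP has stored must be byte-for-byte the signing certificate the IdP publishes in its exported metadata, otherwise the IdP-signed response cannot be verified and the flow fails. The script below is an added example written for this thread; it is not OpenAM or Questetra code. It parses an IdP metadata document, pulls every signing `X509Certificate` out of the `IDPSSODescriptor`, normalizes whatever was pasted into the SP (raw base64, PEM with header lines, arbitrary line wrapping) to DER bytes, and reports a match or the kind of copy-paste damage (one wrong character, a truncated tail) that the answer's "paste it again exactly" cure addresses. The metadata is constructed, only the entityID and the SSORedirect URL being taken from the question, and the certificate body is a base64 placeholder rather than a real DER certificate; the comparison does not depend on it being one.

```python
"""Check that an SP's configured certificate matches the signing certificate
in OpenAM's exported IdP metadata (exportmetadata.jsp).

Added example for this thread, not OpenAM or Questetra code. SAMPLE_METADATA
is constructed and its X509Certificate value is a base64 placeholder, not a
real DER certificate.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder bytes standing in for the DER certificate (constructed).
_FAKE_IDP_DER = b"constructed placeholder, not a real DER certificate"
IDP_CERT_B64 = base64.b64encode(_FAKE_IDP_DER).decode()

# Constructed metadata shaped like an OpenAM IdP export. Real exports wrap the
# base64 body over several lines, which is where stray whitespace comes from.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp:8080/openam">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
{IDP_CERT_B64[:40]}
{IDP_CERT_B64[40:]}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp:8080/openam/SSORedirect/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_cert(text: str) -> bytes:
    """Turn a pasted certificate (raw base64, or PEM with header lines, with
    any line wrapping or surrounding whitespace) into DER bytes.
    Raises binascii.Error when the base64 is truncated or contains stray
    characters, the usual copy-paste damage."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual value to compare by eye."""
    return hashlib.sha256(der).hexdigest()


def idp_signing_certs(metadata_xml: str) -> list[bytes]:
    """DER bytes of every signing certificate in the IDPSSODescriptor.
    A KeyDescriptor without a `use` attribute covers both signing and
    encryption, so it is included as well."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            certs.append(normalize_cert(node.text or ""))
    return certs


def check_sp_cert(metadata_xml: str, sp_cert_text: str) -> dict:
    """Report whether the SP's configured certificate is byte-for-byte one of
    the IdP's published signing certificates."""
    idp_certs = idp_signing_certs(metadata_xml)
    result = {"idp_fingerprints": [fingerprint(c) for c in idp_certs]}
    try:
        sp_der = normalize_cert(sp_cert_text)
    except binascii.Error as exc:
        result.update(match=False, error=f"SP certificate is not valid base64: {exc}")
        return result
    result["sp_fingerprint"] = fingerprint(sp_der)
    result["match"] = sp_der in idp_certs
    return result


if __name__ == "__main__":
    cases = [
        ("exact copy", IDP_CERT_B64),
        ("PEM-wrapped copy",
         f"-----BEGIN CERTIFICATE-----\n{IDP_CERT_B64}\n-----END CERTIFICATE-----"),
        ("one character wrong", "Z" + IDP_CERT_B64[1:]),
        ("last characters lost", IDP_CERT_B64[:-3]),
    ]
    for label, pasted in cases:
        r = check_sp_cert(SAMPLE_METADATA, pasted)
        extra = f" ({r['error']})" if "error" in r else ""
        print(f"{label}: match={r['match']}{extra}")
```

To use it against a real deployment, save the output of the exportmetadata.jsp URL from the question to a file and pass its contents as `metadata_xml`, with the SP's stored certificate as `sp_cert_text`; a fingerprint that differs from every entry in `idp_fingerprints` is the mismatch the answer describes, and a base64 error means the pasted value was truncated or picked up stray characters.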