[OpenAM SAML]HTTP Status 500 - Unable to do Single Sign On or Federation

Hi,

I am trying to configure OpenAM as a SAML2.0 IDP for my application. I added a self-hosted IDP and a Remote SP (my application).

The NameID format is set to unspecified, but I am still getting the “HTTP Status 500 - Unable to do Single Sign On or Federation.” error.

The stack trace shows

ERROR: IDPSSOFederate.generateAssertionResponseUnable to do sso or federation. 
com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value. 

The full stack trace is given below.

libSAML2:07/05/2022 07:54:05:162 PM UTC: Thread[http-nio-8080-exec-12,5,main]: TransactionId[adc6470f-50e8-4001-a1c5-5511c3ca094b-3154054] 
getAttributeValueFromSSOConfig: values=null 
libSAML2:07/05/2022 07:54:05:162 PM UTC: Thread[http-nio-8080-exec-12,5,main]: TransactionId[adc6470f-50e8-4001-a1c5-5511c3ca094b-3154054] 
AccountUtils.getAccountFederation: 
libSAML2:07/05/2022 07:54:05:162 PM UTC: Thread[http-nio-8080-exec-12,5,main]: TransactionId[adc6470f-50e8-4001-a1c5-5511c3ca094b-3154054] 
AccountUtils.getAccountFederation : user does not have any account federations. 
libSAML2:07/05/2022 07:54:05:162 PM UTC: Thread[http-nio-8080-exec-12,5,main]: TransactionId[adc6470f-50e8-4001-a1c5-5511c3ca094b-3154054] 
ERROR: IDPSSOFederate.generateAssertionResponseUnable to do sso or federation. 
com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value. 
      at com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.getNameID(DefaultIDPAccountMapper.java:104) 
      at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(IDPSSOUtil.java:1585) 
      at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(IDPSSOUtil.java:1000) 
      at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(IDPSSOUtil.java:812) 
      at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:469) 
      at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.generateAssertionResponse(UtilProxySAMLAuthenticator.java:500) 

Not sure what’s wrong with the configuration. Thanks in advance.

Thanks,
Lokesh

Hi @lokeshnaktode - In addition to specifying the “Name ID Format”, you also need to configure the “Name ID Value Map”, i.e. what the IDP should return to the SP when the format is “unspecified”. The attribute name you can use is urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified.

Hope this helps!

Jatinder Singh
IAM Solutions Architect
Sqoop Data


Hi @jsingh,

Thanks for the input.

I tried that configuration but it is still not working. Here is the screenshot for more details…

Here are the details of the steps I followed.

  1. Added a self-hosted IDP, using the test key for signing, and changed the NameID value map as shown in the screenshot above. Also, I have configured the attribute map to send uid and email.
  2. Added the remote service provider configuration by uploading the metadata; the rest of the configuration is the default one, I have not modified anything for this configuration.
  3. Added both self-hosted IDP and SP in one Circle of Trust.
  4. Configured application using metadata given by OpenAM i.e. /openam/saml2/jsp/exportmetadata.jsp?entityid=Confluence&realm=/

In case you need any other screenshot or configuration details, please let me know. I am stuck on this.

Thanks for your help.

Thanks,
Lokesh

I see that you have configured “emailAddress” in your NameID Value Map. Could you please check that the user account you are using to log in has a valid email address attached?

If the issue still persists, please share your AuthN SAML2 request. I am particularly interested in the incoming attributes of the NameIDPolicy element.
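As an added illustration (not code from this thread or from OpenAM itself), here is the check Jatinder is describing, in Python: read the NameIDPolicy Format from an AuthnRequest and look it up in a hypothetical Name ID Value Map against a constructed user profile, which mirrors where DefaultIDPAccountMapper.getNameID fails in the stack trace above. The map contents, the user attributes and the trimmed request are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed AuthnRequest, trimmed to the parts that matter for NameID mapping.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1"
    Version="2.0" IssueInstant="2022-07-08T06:58:12Z">
  <saml2p:NameIDPolicy xmlns:saml2p="{SAMLP}" AllowCreate="true" Format="{UNSPEC}"/>
</samlp:AuthnRequest>"""

# Hypothetical IDP "Name ID Value Map": requested Format -> user profile attribute.
NAMEID_VALUE_MAP = {UNSPEC: "uid", EMAIL: "mail"}

# Constructed user profiles: the first is complete, the second has no uid.
USER_OK = {"uid": ["lokesh"], "mail": ["lokesh@example.com"]}
USER_NO_UID = {"mail": ["lokesh@example.com"]}


def requested_nameid_format(authn_request_xml):
    """Return the Format attribute of <NameIDPolicy>, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def resolve_nameid(fmt, value_map, user_attrs):
    """Map the requested Format to an attribute and read it from the user.

    Raises LookupError in the two situations that surface as the thread's
    'Unable to generate NameID value': no map entry for the requested Format
    (the URN must match exactly), or the mapped attribute is empty on the user.
    """
    attr = value_map.get(fmt)
    if attr is None:
        raise LookupError(f"no Name ID Value Map entry for Format {fmt}")
    values = user_attrs.get(attr) or []
    if not values:
        raise LookupError(f"Unable to generate NameID value: user has no '{attr}'")
    return values[0]


def diagnose(authn_request_xml, value_map, user_attrs):
    """Run both steps and return ('ok', nameid) or ('error', reason)."""
    fmt = requested_nameid_format(authn_request_xml)
    try:
        return ("ok", resolve_nameid(fmt, value_map, user_attrs))
    except LookupError as exc:
        return ("error", str(exc))
```

Running diagnose() against the real request and the real map entries reproduces the two conditions to verify before touching anything else: the requested Format has an exact-match entry, and the user actually carries the attribute it points to.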

Hi @jsingh,

Thanks for your response.

I have verified that the user has both a username and an email.

And I have tried sending both NameID Policy values, i.e. “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” and “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”, and updated the configuration in the OpenAM IDP’s NameID value map accordingly, but it did not work for me.

Please check the SAML Authentication Request XML as requested.

Sending NameID Policy → unspecified

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://example.com/plugins/servlet/saml/auth"
                    Destination="http://localhost:8080/openam/SSORedirect/metaAlias/idp"
                    ID="_c7ff64b370a540848038a0df1c48258e"
                    IsPassive="false"
                    IssueInstant="2022-07-08T06:58:12.062Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com</saml:Issuer>
    <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                         AllowCreate="true"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         />
    <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                                  Comparison="exact"
                                  >
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

Sending NameID Policy → emailAddress

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://example.com/plugins/servlet/saml/auth"
                    Destination="http://localhost:8080/openam/SSORedirect/metaAlias/idp"
                    ID="_f21e9e777ed9486fb62b58e2eaca4ce2"
                    IsPassive="false"
                    IssueInstant="2022-07-08T06:59:47.079Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://example.com</saml:Issuer>
    <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                         AllowCreate="true"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                         />
    <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                                  Comparison="exact"
                                  >
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

Please let me know if you want to look at any other parameters.

Thanks for your help, I really appreciate it.

Thanks,
Lokesh

Now I am seeing new errors in the log…

libSAML:07/08/2022 01:28:07:923 PM IST: Thread[http-nio-8080-exec-10,5,main]: TransactionId[b3f5c738-ce96-4d26-b74b-ddd5a1b312f2-6744]
ERROR: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
libSAML2:07/08/2022 01:28:07:924 PM IST: Thread[http-nio-8080-exec-10,5,main]: TransactionId[b3f5c738-ce96-4d26-b74b-ddd5a1b312f2-6744]
ERROR: FMSigProvider.sign: The private key was null.
libSAML2:07/08/2022 01:28:07:924 PM IST: Thread[http-nio-8080-exec-10,5,main]: TransactionId[b3f5c738-ce96-4d26-b74b-ddd5a1b312f2-6744]
ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: The private key was null.
	at com.sun.identity.saml2.xmlsig.FMSigProvider.sign(FMSigProvider.java:141)
	at com.sun.identity.saml2.assertion.impl.AssertionImpl.sign(AssertionImpl.java:691)
	at com.sun.identity.saml2.profile.IDPSSOUtil.signAssertion(IDPSSOUtil.java:2500)
	at com.sun.identity.saml2.profile.IDPSSOUtil.signAndEncryptResponseComponents(IDPSSOUtil.java:2576)
	at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponse(IDPSSOUtil.java:735)
	at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:529)
	at org.forgerock.openam.saml2.UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache(UtilProxySAMLAuthenticatorLookup.java:174)
	at com.sun.identity.saml2.profile.IDPSSOFederate.process(IDPSSOFederate.java:240)


libSAML2:07/08/2022 01:28:07:924 PM IST: Thread[http-nio-8080-exec-10,5,main]: TransactionId[b3f5c738-ce96-4d26-b74b-ddd5a1b312f2-6744]
Invoking IDP adapter preSendFailureResponse hook
org.forgerock.audit.events.handlers.writers.RotatableWriter:07/08/2022 01:28:07:924 PM IST: Thread[CsvHandler,5,main]: TransactionId[b3f5c738-ce96-4d26-b74b-ddd5a1b312f2-841]
Actually writing to file: "b3f5c738-ce96-4d26-b74b-ddd5a1b312f2-6790";"2022-07-08T07:58:07.924Z";"AM-ACCESS-OUTCOME";"b3f5c738-ce96-4d26-b74b-ddd5a1b312f2-6744";;"[""ccaa2b60dd22e28b01"",""08AD87E663075C19E58EB795D583AE88"",""_67f25347d1614f369bfb407ddcf1ef00""]";"127.0.0.1";"8080";"127.0.0.1";"60748";"SAML2";"idpSSOFederate";;"false";"GET";"http://localhost:8080/openam/SSORedirect/metaAlias/idp";"{""ReqID"":[""_67f25347d1614f369bfb407ddcf1ef00""],""index"":[""null""],""acsURL"":[""https%3A%2F%2example.com%2Fplugins%2Fservlet%2Fsaml%2Fauth""],""spEntityID"":[""https%3A%2F%2example.com""],""binding"":[""urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST""]}";"{""accept"":[""text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8""],""dnt"":[""1""],""host"":[""localhost:8080""],""referer"":[""http://localhost:8080/openam/XUI/?realm=/&spEntityID=https%3A%2F%2Fexample.com&goto=http%3A%2F%2Flocalhost%3A8080%2Fopenam%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3D_67f25347d1614f369bfb407ddcf1ef00%26index%3Dnull%26acsURL%3Dhttps%253A%252F%252Fexample.com%252Fplugins%252Fservlet%252Fsaml%252Fauth%26spEntityID%3Dhttps%253A%252F%252Fexample.com%26binding%3Durn%253Aoasis%253Anames%253Atc%253ASAML%253A2.0%253Abindings%253AHTTP-POST""],""sec-fetch-dest"":[""document""],""sec-fetch-mode"":[""navigate""],""sec-fetch-site"":[""same-origin""],""sec-fetch-user"":[""?1""],""upgrade-insecure-requests"":[""1""],""user-agent"":[""Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0""]}";"{""JSESSIONID"":""<Removed>"",""i18next"":""en-US"",""amlbcookie"":""01"",""AMAuthCookie"":""<Removed>0.*AAJTSQACMDEAAlNLABQtNDg4NjMwNjU4NTIwMDM5NjMxMQACUzEAAA..*""}";;"FAILED";"Server";"{""reason"":""Unable to do Single Sign On or Federation. (**The private key was null.)**""}";"76";"MILLISECONDS";"SAML2";"/"

I have not enabled SAML encryption, and I am using the test key for signing the SAML Response, which comes by default with the OpenAM installation.

Thanks,
Lokesh

Hi @jsingh

This issue is resolved, but I am not sure what the root cause was.

This is still not working with NameID → urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified; I had to change this to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and also needed to remove “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=uid” from the NameID map.

Also, it seems it was an issue with the “Key Pass” field of the Certificate Aliases configuration. I think this field was filled in with the wrong password by my browser’s auto-fill. I removed the keys and re-added them, and that resolved the issue.

Thanks for your time and looking into this.

Thanks,
Lokesh
