Null pointer exception processing a SAML 2.0 Assertion from 3rd party Identity Server

  • 7009805
  • 28-Nov-2011
  • 26-Apr-2012


Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server


Access Manager 3.1 Support Pack 2 is set up and working fine: users can access web-based protected resources behind an Access Gateway after authenticating to the local Identity Server. A SAML 2.0 setup also exists in which the Novell Access Manager Identity Server is configured as a SAML 2.0 Service Provider (SP) and consumes an assertion generated by a 3rd party SAML 2.0 Identity Provider (IDP) server.

After upgrading to Access Manager 3.1 Support Pack 3, all Access Gateway protected resources continued to function as normal. However, users who authenticated to the SAML 2.0 Identity Server and then accessed the SAML 2.0 SP received an error in the browser, and the following exception was logged in the catalina.out file on the SP:

<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS SAML2: Exception message: "java.lang.NullPointerException", Line: 296, Method: getValidContext, Line: 204, Method: getAuthentication, Line: 492, Method: setAuthentication, Line: 439, Method: doProtocolAuthentication, Line: 224, Method: handleAuthentication, Line: 519, Method: processResponse, Line: 492, Method: processResponse, Line: 290, Method: handleInBoundMessage, Line: 474, Method: processResponse, Line: 544, Method: handleSSO, Line: 239, Method: handleRequest, Line: 600, Method: handleRequest, Line: 144, Method: myDoGet, Line: 89, Method: doGet, Line: 43, Method: doPost, Line: 647, Method: service, Line: 729, Method: service, Line: 269, Method: internalDoFilter, Line: 188, Method: doFilter, Line: 213, Method: invoke, Line: 172, Method: invoke, Line: 127, Method: invoke, Line: 117, Method: invoke, Line: 108, Method: invoke, Line: 174, Method: service, Line: 879, Method: process, Line: 665, Method: processConnection, Line: 528, Method: processSocket, Line: 81, Method: runIt, Line: 689, Method: run, Line: 662, Method: run

Warning: Invalid resource key! Null or empty string!
<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS Application: Event Id: 3014668, Note 1: ED4E74D6D5701E98F790B179D256CD22, Numeric 1: 0 </amLogEntry>
Federated users can also


Make sure that the mapping between authentication types and contracts is enabled in the SAML 2.0 Identity Server Authentication Card settings. To do this, go to the Identity Provider configuration in iManager -> SAML 2.0 -> Identity Server -> Authentication Card and select a contract from the drop-down list in the 'Satisfies contract' setting. This creates a mapping between the external provider's class reference and the local authentication contract.

This is a new feature added with Access Manager 3.1 SP3 and documented in the 'Identity Server enhancements' section at

"Mapping Between Types and Contracts: The Identity Server is contract-based and this setting permits an association to be made between a contract and the external provider assertion"
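To check whether a Service Provider's catalina.out contains the symptom described above, the following added example (not Novell's code) parses amLogEntry lines and reports NIDS SAML2 NullPointerException entries whose first logged frame is getValidContext. The function names and the sample lines are assumptions made for illustration; the first and third sample lines are abbreviated from the log excerpt in this article.

```python
import re

# One Access Manager log entry: timestamp, level, NIDS component, then the body.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>\w+)\s+NIDS\s+(?P<component>[^:]+):\s*(?P<body>.*)"
)
EXC_RE = re.compile(r'Exception message:\s*"(?P<exc>[^"]+)"')
FRAME_RE = re.compile(r"Line:\s*(?P<line>\d+),\s*Method:\s*(?P<method>\w+)")


def parse_entry(line):
    """Return a dict for an exception entry, or None for any other line."""
    entry = ENTRY_RE.search(line)
    if entry is None:
        return None
    exc = EXC_RE.search(entry["body"])
    if exc is None:
        return None
    # Frames appear as "Line: N, Method: name" pairs; the first pair is the innermost frame.
    frames = [(f["method"], int(f["line"])) for f in FRAME_RE.finditer(entry["body"])]
    return {
        "timestamp": entry["ts"],
        "component": entry["component"].strip(),
        "exception": exc["exc"],
        "frames": frames,
    }


def find_getvalidcontext_npe(lines):
    """Entries matching the article's symptom: SAML2 NPE thrown in getValidContext."""
    hits = []
    for line in lines:
        e = parse_entry(line)
        if (e and e["component"] == "SAML2"
                and e["exception"] == "java.lang.NullPointerException"
                and e["frames"] and e["frames"][0][0] == "getValidContext"):
            hits.append(e)
    return hits


# Constructed sample: lines 1 and 3 are abbreviated from the article's log excerpt;
# line 4 is a made-up NPE in a hypothetical method and must not be reported.
SAMPLE_LOG = [
    '<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS SAML2: Exception message: "java.lang.NullPointerException", Line: 296, Method: getValidContext, Line: 204, Method: getAuthentication, Line: 492, Method: setAuthentication',
    "Warning: Invalid resource key! Null or empty string!",
    "<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS Application: Event Id: 3014668, Note 1: ED4E74D6D5701E98F790B179D256CD22, Numeric 1: 0 </amLogEntry>",
    '<amLogEntry> 2011-11-28T10:31:00Z WARNING NIDS SAML2: Exception message: "java.lang.NullPointerException", Line: 10, Method: hypotheticalOtherMethod, Line: 20, Method: processResponse </amLogEntry>',
]
```

Pass the lines of the SP's catalina.out to `find_getvalidcontext_npe` in place of `SAMPLE_LOG`; each hit carries the timestamp and the parsed frames for correlation with the failed federated logins.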