Null pointer exception error resolving SAML2 artifact when 3rd party IDP server involved

  • 7009950
  • 04-Jan-2012
  • 26-Apr-2012


Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Support Pack 3 applied
Novell Access Manager 3.1 Identity Server setup to consume SAML2 assertions from a 3rd party SAML2 Identity Server


Access Manager 3.1 was set up as a SAML2 Service Provider (SP) consuming assertions from a 3rd party Identity Provider (IDP) Server. After authenticating at the 3rd party SAML2 IDP server, the assertion was sent to the Novell Access Manager SAML2 SP to be consumed using the POST binding, and instead of displaying the valid target URL, the following error was rendered at the browser:

"An Identity Provider response was received that failed to authenticate this session."

Looking at the catalina log files in more detail with Identity Server logging for SAML2 set to DEBUG, the assertion can be seen coming in (a snippet is included here):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds=""

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="" SPNameQualifier="">4979e445895d6d258ad7624a33400c11f61980e3</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2011-11-28T10:30:10Z" Recipient=""/>
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2011-11-28T10:29:00Z" NotOnOrAfter="2011-11-28T10:30:10Z">
  <saml:AudienceRestriction>
    <saml:Audience></saml:Audience>
  </saml:AudienceRestriction>
  <saml:OneTimeUse/>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2011-11-28T10:28:43Z" SessionIndex="A0B04CFB98A634D25D7EECA4DFB4BAC123B7C3F8F" SessionNotOnOrAfter="2011-11-28T18:28:48Z">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>

Immediately after this assertion was consumed, the following exception appeared in the log:

<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS SAML2: Exception message: "java.lang.NullPointerException", Line: 296, Method: getValidContext, Line: 204, Method: getAuthentication, Line: 492, Method: setAuthentication, Line: 439, Method: doProtocolAuthentication, Line: 224, Method: handleAuthentication, Line: 519, Method: processResponse, Line: 492, Method: processResponse, Line: 290, Method: handleInBoundMessage, Line: 474, Method: processResponse, Line: 544, Method: handleSSO, Line: 239, Method: handleRequest, Line: 600, Method: handleRequest, Line: 144, Method: myDoGet, Line: 89, Method: doGet, Line: 43, Method: doPost


Enable the 'Satisfies Contract' parameter on the Novell Access Manager setup for this 3rd party IDP server and add a valid contract to map to. This is done by selecting SAML2 -> Identity Server (3rd party entry) -> Authentication Card in iManager and choosing a contract in the 'Satisfies Contract' drop-down menu.
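The failure described in this TID is a consumption step that dereferences a local authentication contract which was never configured for the incoming AuthnContextClassRef. The following Python script is an added example, not Novell Access Manager code, that shows the same consumption logic done defensively: it checks the bearer assertion's Conditions, Audience and SubjectConfirmationData, then looks up the assertion's AuthnContextClassRef (urn:oasis:names:tc:SAML:2.0:ac:classes:Password in the logged assertion) in a contract map and raises an explicit error when no contract satisfies it, rather than failing with a NullPointerException. The sample response is constructed from the snippet above; the sp.example.com and idp.example.com URLs, the "Name/Password - Form" contract name and the function names are assumptions. XML signature verification is assumed to have happened before this step and is not shown.

```python
"""Added example: validate a SAML2 bearer assertion and map its AuthnContextClassRef
to a local authentication contract, failing explicitly when no contract matches."""
from datetime import datetime, timedelta, timezone
# For untrusted XML in production, parse with defusedxml instead of the stdlib parser.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed SP identifiers (placeholders, not from the TID).
SP_ENTITY_ID = "https://sp.example.com/nidp/saml2/metadata"
SP_ACS_URL = "https://sp.example.com/nidp/saml2/spassertion_consumer"

# Constructed sample modelled on the snippet in the TID; NameID and SessionIndex
# values are the ones from the logged assertion, URLs are placeholders.
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2011-11-28T10:29:05Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-11-28T10:29:05Z">
    <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">4979e445895d6d258ad7624a33400c11f61980e3</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2011-11-28T10:30:10Z" Recipient="https://sp.example.com/nidp/saml2/spassertion_consumer"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-11-28T10:29:00Z" NotOnOrAfter="2011-11-28T10:30:10Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/nidp/saml2/metadata</saml:Audience></saml:AudienceRestriction>
      <saml:OneTimeUse/>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-11-28T10:28:43Z" SessionIndex="A0B04CFB98A634D25D7EECA4DFB4BAC123B7C3F8F">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Assumed local mapping, the equivalent of the 'Satisfies Contract' setting.
CONTRACT_MAP = {"urn:oasis:names:tc:SAML:2.0:ac:classes:Password": "Name/Password - Form"}


class SamlValidationError(Exception):
    """Raised with a specific reason instead of letting a missing element propagate."""


def parse_time(value):
    """Parse the UTC 'Z' timestamps used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, contract_map, now, audience=SP_ENTITY_ID,
                       recipient=SP_ACS_URL, skew=timedelta(seconds=60)):
    """Return the session attributes the SP would create, or raise SamlValidationError."""
    root = ET.fromstring(xml_text.strip())
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("response carries no Assertion")

    # Conditions: validity window with clock skew, and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    if now + skew < parse_time(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise SamlValidationError(f"audience {audiences} does not include this SP")

    # Bearer subject confirmation must name this SP's consumer URL and still be valid.
    confirmed = False
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != recipient:
            continue
        if now - skew >= parse_time(data.get("NotOnOrAfter")):
            continue
        confirmed = True
    if not confirmed:
        raise SamlValidationError("no valid bearer SubjectConfirmation for this recipient")

    # The step behind the TID's NullPointerException: the IDP's authentication class
    # must map to a configured local contract; refuse the login explicitly if it does not.
    class_ref = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if class_ref is None:
        raise SamlValidationError("AuthnStatement carries no AuthnContextClassRef")
    contract = contract_map.get(class_ref)
    if contract is None:
        raise SamlValidationError(f"no local contract is configured to satisfy {class_ref}")

    authn = assertion.find("saml:AuthnStatement", NS)
    return {
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "contract": contract,
        "session_index": authn.get("SessionIndex"),
    }


if __name__ == "__main__":
    # Time taken from the log entry in the TID.
    when = parse_time("2011-11-28T10:29:07Z")
    print(validate_assertion(SAMPLE_RESPONSE, CONTRACT_MAP, when))
    try:
        validate_assertion(SAMPLE_RESPONSE, {}, when)
    except SamlValidationError as exc:
        print("rejected:", exc)
```

With the contract map populated the script returns the NameID, session index and the contract name the session would be created under; with an empty map (the state the TID describes before 'Satisfies Contract' is set) the same assertion is rejected with a message naming the unmapped class reference, which is the log line an administrator would want instead of a stack trace.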