Null pointer exception error resolving SAML2 artifact when 3rd party IDP server involved

  • 7009950
  • 04-Jan-2012
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Support Pack 3 applied
Novell Access Manager 3.1 Identity Server setup to consume SAML2 assertions from a 3rd party SAML2 Identity Server

Situation

Access Manager 3.1 is set up as a SAML2 Service Provider (SP) and consumes assertions from a 3rd party Identity Provider (IDP) server. After authenticating at the 3rd party SAML2 IDP server, the assertion would be sent to the Novell Access Manager SAML2 SP to be consumed using the POST binding. Instead of displaying the valid target URL, the following error would be rendered in the browser:

"An Identity Provider response was received that failed to authenticate this session."

Looking at the catalina log files in more detail, with IDP logging for SAML2 set to DEBUG, we can see the assertion come in (snippet included here):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
:
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp.test.novell.com" SPNameQualifier="https://ids.secure.novell.com/nidp/saml2/metadata">4979e445895d6d258ad7624a33400c11f61980e3</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2011-11-28T10:30:10Z" Recipient="https://ids.secure.scottishwidowsoat.co.uk/nidp/saml2/spassertion_consumer"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-11-28T10:29:00Z" NotOnOrAfter="2011-11-28T10:30:10Z"><saml:AudienceRestriction><saml:Audience>https://ids.secure.novell.com/nidp/saml2/metadata</saml:Audience></saml:AudienceRestriction><saml:OneTimeUse/></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-11-28T10:28:43Z" SessionIndex="A0B04CFB98A634D25D7EECA4DFB4BAC123B7C3F8F" SessionNotOnOrAfter="2011-11-28T18:28:48Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

Immediately after this assertion was consumed, the following exception appeared in the log:

<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS SAML2: Exception message: "java.lang.NullPointerException"
     SAML2AuthenticationHandler.java, Line: 296, Method: getValidContext
     SAML2AuthenticationHandler.java, Line: 204, Method: getAuthentication
     IDPAuthenticationHandler.java, Line: 492, Method: setAuthentication
     IDPAuthenticationHandler.java, Line: 439, Method: doProtocolAuthentication
     IDPAuthenticationHandler.java, Line: 224, Method: handleAuthentication
     SAML2SSOProfile.java, Line: 519, Method: processResponse
     SAML2SSOProfile.java, Line: 492, Method: processResponse
     SAML2Profile.java, Line: 290, Method: handleInBoundMessage
     SAML2SSOProfile.java, Line: 474, Method: processResponse
     SAML2Handler.java, Line: 544, Method: handleSSO
     SAML2Handler.java, Line: 239, Method: handleRequest
     SAML2MeDescriptor.java, Line: 600, Method: handleRequest
     NIDPServlet.java, Line: 144, Method: myDoGet
     NIDPBaseServlet.java, Line: 89, Method: doGet
     NIDPBaseServlet.java, Line: 43, Method: doPost

Resolution

Enable the 'Satisfies Contract' parameter in the Novell Access Manager configuration for this 3rd party IDP server and select a valid contract to map to. In iManager, go to SAML2 -> Identity Server (the 3rd party entry) -> Authentication Card and choose a contract from the 'Satisfies Contract' drop-down menu.
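The failure above is an assertion arriving from a trusted IDP for which no local contract is mapped. The following added example (not Novell/NetIQ code) models that 'Satisfies Contract' lookup on a constructed Response shaped like the snippet in the log, and fails with an explicit error rather than a null pointer when the mapping is missing; the Issuer element, the contract name and the function names are assumptions for illustration.

```python
"""Resolve a local authentication contract from an inbound SAML2 Response.

Added illustration, not product code: models the 'Satisfies Contract'
mapping an SP needs per 3rd party IDP, and reports a missing mapping
clearly instead of failing with a NullPointerException.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response, modelled on the logged snippet above (Issuer added).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>idp.test.novell.com</saml:Issuer>
    <saml:Conditions NotBefore="2011-11-28T10:29:00Z" NotOnOrAfter="2011-11-28T10:30:10Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://ids.secure.novell.com/nidp/saml2/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-11-28T10:28:43Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


class ContractMappingError(Exception):
    """Raised when the IDP's assertion cannot be mapped to a local contract."""


def resolve_contract(response_xml, sp_entity_id, satisfies_contract):
    """Return the local contract the assertion satisfies.

    satisfies_contract: dict keyed by IDP entity ID whose value is the contract
    selected under 'Satisfies Contract'; a missing key means not configured.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ContractMappingError("Response carries no Assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:  # assertion was not issued for this SP
        raise ContractMappingError(f"Audience {audience!r} is not this SP ({sp_entity_id!r})")
    class_ref = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    contract = satisfies_contract.get(issuer)
    if contract is None:
        # The state this TID describes: IDP trusted, but no contract mapped,
        # so there is no valid context to attach to the session.
        raise ContractMappingError(f"No 'Satisfies Contract' mapping for IDP {issuer!r} ({class_ref!r})")
    return contract
```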