Environment
Access Manager 4.4.x
Access Manager 4.5.0
Access Manager 4.5.1
Situation
- NetIQ Access Manager 4.5 configured as SAML2 IDP server
- Office 365 has been configured as SAML2 Service Provider
- Symptom: with mobile devices, o365 generates SAML2 AuthnRequests using the SOAP endpoint (SOAP binding):
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <samlp:AuthnRequest
        AssertionConsumerServiceIndex="2"
        ID="_98d1380e-f72c-4838-8eb0-b8048eb80c73"
        IssueInstant="2018-11-26T15:30:39.5739181Z"
        Version="2.0"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>
If the user fails to authenticate for whatever reason (user does not exist, wrong password, ...), the IDP throws a Java exception, filling up the logs:
Method: SAML2ECPProfile.processSOAPRequest
Thread: https-jsse-nio-147.2.92.100-8443-exec-1
Response: null </amLogEntry>
<amLogEntry> 2019-09-24T14:04:58Z DEBUG NIDS Application:
Method: BaseHandler.handleSOAPMessage
Thread: https-jsse-nio-147.2.92.100-8443-exec-1
Attempting to handle SOAP MEssage!
Exception message: "java.lang.NullPointerException"
y, Line: 558, Method: processSOAPRequest
y, Line: 931, Method: handleSOAPCommand
y, Line: 1258, Method: handleSOAPMessage
- No reports to the helpdesk have been given other than that the logs are filling up with Java exception messages
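Because the only visible symptom is the catalina log filling with NullPointerException entries from the SOAP handler path, a small log monitor is the practical way to notice the condition before the disk fills. The following is an added example, not code from the TID or from NetIQ: it splits the log into amLogEntry records, flags entries whose Method is on the SOAP handling path (the two methods named in the excerpt above) and whose body carries java.lang.NullPointerException, and reports the minutes in which the count crosses a threshold. The sample log text, the IP address in the thread names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log excerpt: shape modelled on the NIDS Application DEBUG
# entries quoted in the TID; timestamps, IP and thread numbers are made up.
SAMPLE_LOG = """\
<amLogEntry> 2019-09-24T14:04:58Z DEBUG NIDS Application:
Method: SAML2ECPProfile.processSOAPRequest
Thread: https-jsse-nio-10.0.0.1-8443-exec-1
Response: null </amLogEntry>
<amLogEntry> 2019-09-24T14:04:58Z DEBUG NIDS Application:
Method: BaseHandler.handleSOAPMessage
Thread: https-jsse-nio-10.0.0.1-8443-exec-1
Attempting to handle SOAP MEssage!
Exception message: "java.lang.NullPointerException" </amLogEntry>
<amLogEntry> 2019-09-24T14:05:10Z DEBUG NIDS Application:
Method: BaseHandler.handleSOAPMessage
Thread: https-jsse-nio-10.0.0.1-8443-exec-3
Attempting to handle SOAP MEssage!
Exception message: "java.lang.NullPointerException" </amLogEntry>
<amLogEntry> 2019-09-24T14:05:41Z DEBUG NIDS Application:
Method: BaseHandler.handleSOAPMessage
Thread: https-jsse-nio-10.0.0.1-8443-exec-4
Attempting to handle SOAP MEssage!
Exception message: "java.lang.NullPointerException" </amLogEntry>
<amLogEntry> 2019-09-24T14:06:00Z INFO NIDS Application:
Method: SomeOtherHandler.doWork
Thread: https-jsse-nio-10.0.0.1-8443-exec-2
Nothing to see here </amLogEntry>
"""

# Methods on the SOAP/ECP request path, as named in the TID's log excerpt.
SOAP_METHODS = {"SAML2ECPProfile.processSOAPRequest", "BaseHandler.handleSOAPMessage"}

ENTRY_RE = re.compile(r"<amLogEntry>(.*?)</amLogEntry>", re.DOTALL)
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2})")  # minute resolution is enough
METHOD_RE = re.compile(r"^Method:\s*(\S+)", re.MULTILINE)
THREAD_RE = re.compile(r"^Thread:\s*(\S+)", re.MULTILINE)


def parse_entries(text):
    """Split NIDS log text into records: minute, method, thread, and an NPE flag."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = m.group(1)
        ts, method, thread = TS_RE.search(body), METHOD_RE.search(body), THREAD_RE.search(body)
        entries.append({
            "minute": ts.group(1) if ts else None,
            "method": method.group(1) if method else None,
            "thread": thread.group(1) if thread else None,
            "npe": "java.lang.NullPointerException" in body,
        })
    return entries


def soap_npe_counts(entries):
    """Count NullPointerException entries raised on the SOAP handler path, per minute."""
    counts = Counter()
    for e in entries:
        if e["npe"] and e["method"] in SOAP_METHODS:
            counts[e["minute"]] += 1
    return counts


def flooding_minutes(entries, threshold):
    """Minutes in which SOAP-path NPEs reached the threshold; sorted for stable output."""
    return sorted(minute for minute, n in soap_npe_counts(entries).items() if n >= threshold)


def affected_threads(entries):
    """Worker threads that logged a SOAP-path NPE (useful when cross-referencing the access log)."""
    return sorted({e["thread"] for e in entries if e["npe"] and e["method"] in SOAP_METHODS})


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("SOAP-path NPEs per minute:", dict(soap_npe_counts(parsed)))
    print("Minutes at or above threshold 2:", flooding_minutes(parsed, 2))
    print("Affected threads:", affected_threads(parsed))
```

In production the same functions can be fed the tail of the catalina log on a schedule; correlating the flagged minutes with failed o365 sign-in attempts on the IDP confirms whether the flood is the failed-login case described here rather than some other SOAP fault.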
Resolution
- This issue has been reported to engineering
- The IDP server should redirect the user session back to the o365 login page instead of ending in a Java exception
Cause
- Missing error handling for the case where a user fails to log in on a SAML2 Authentication Request that uses the SOAP binding