Menu
▾
▴
[Unity-idm-discuss] Fwd: Re: Nullpointer when SP tries to access IDP
|
From: Willem E. <wi...@cl...> - 2017-06-13 09:05:40
|
Forgot to include the mailing list... -------- Forwarded Message -------- Subject: Re: [Unity-idm-discuss] Nullpointer when SP tries to access IDP Date: Mon, 12 Jun 2017 13:34:48 +0200 From: Willem Elbers <wi...@cl...> Reply-To: wi...@cl... Organization: CLARIN ERIC To: Krzysztof Benedyczak <kb...@un...> Hi Krzystof, apologies for the delay, I became father again which took most of my focus :) After increasing the translation profile logging I can see the following for my identity: Working login: Entity 261: - [email] wi...@cl... - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd - [targetedPersistent] 838bb7e5-dda6-4952-996e-6c25807e348a - [transient] a5f7ef17-19b5-4d1f-9ed7-b48573ed3991 In group: /clarin Groups: [/clarin/developer, /clarin-admin, /clarin/normal, /clarin/academic, /clarin, /] Requester: https://sp.catalog.clarin.eu Failed login with problematic SP: Entity 261: - [email] wi...@cl... - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd In group: /clarin Groups: [/clarin/developer, /clarin-admin, /clarin/normal, /clarin/academic, /clarin, /] Requester: https://clarino.uib.no/ As you can see from the log, for the problematic SP the [targetedPersistent] and [transient] identities are missing, hence the error. The SAML configuration is as follows: unity.saml.issuerURI=https://idm.clarin.eu unity.saml.credential=IDP unity.saml.defaultGroup=/clarin unity.saml.spAcceptPolicy=validRequester unity.saml.signResponses=asRequest unity.saml.validityPeriod=3600 unity.saml.requestValidityPeriod=600 unity.saml.authenticationTimeout=20 unity.saml.acceptedSPMetadataSource.1.url=https://infra.clarin.eu/aai/md_about_spf_sps.xml unity.saml.acceptedSPMetadataSource.2.url=file:///opt/dev-sp.clarin.eu.xml unity.saml.refreshInterval=3600 unity.saml.translationProfile=SAML-Attributes unity.saml.skipConsent=true Please let me know if you need more info. Best, Willem On 23/05/2017 10:14, Krzysztof Benedyczak wrote: > Dear Willem, > > W dniu 19.05.2017 o 13:32, Willem Elbers pisze: >> Dear Krzysztof, >> >> this issue seems to fixed in 1.9.6, but now we are observing the >> following behavior. >> >> In unity log file we see to following (I've redacted all sensitive >> information): >> >> ========== >> Routing request to DEFAULT destination /saml2idp-web-consentdecider >> Unprocessed data from local database: >> Entity 261: >> - [email] ...@clarin.eu >> - [persistent] 20...-....-....-....-.....bd >> In group: /... >> Groups: [/.../..., /...., /..../...., /..../...., /...., /] >> Requester: https://clarino.uib.no/ >> Protocol: SAML2:urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST >> Condition OK >> Returning SSO Authentication error response SAMLResponse with HTTP POST >> binding to https://clarino.uib.no/feide/assertion-consumer >> ========== >> >> There seems to be an SSO Authentication error response. When looking at >> the SAML going over the wire, the following is send from unity to the SP >> and no attributes are released. The entity does have an persistent id >> and works with other (shibboleth) SPs: >> >> ========== >> <urn:Response IssueInstant="2017-05-19T11:27:28.332Z" >> >> ID="SAMLY2lib_msg_b7bba6ead014cb17b3652b00fbf2bfbb1b1720afc62aa64d" >> Version="2.0" >> InResponseTo="_AB05AE52C8A42786AE8FEA16DD59576D" >> xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol" >> > >> <urn1:Issuer >> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >> xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion" >> >https://idm.clarin.eu</urn1:Issuer> >> <urn:Status> >> <urn:StatusCode >> Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /> >> <urn:StatusMessage>[Error: null pointer: >> idsByType['targetedPersistent'][0]] >> [Near : {... idsByType['targetedPersistent' ....}] >> ^ >> [Line: 1, Column: 1]</urn:StatusMessage> >> </urn:Status> >> </urn:Response> >> ========== >> >> I'm using the following log settings: >> >> ========== >> log4j.logger.unity.server=TRACE >> log4j.logger.unity.server.saml=TRACE >> ========== >> >> The amount of SAML related log message is quite minimal. >> >> Two questions: >> >> 1. Any suggestions on how to resolve the SAML issue for this SP? > > I guess in your profile you have idsByType['tagetedPersistent'][0] and > from what you have shown in your log there is no such identity type > extracted from SAML request. So I guess all you need is to change > tergetedPersistent to persistent, which is what you profile gets. > > [Side note: you have not shown you saml config and the request so it > is hard to say why you have persistent, instead of standard one] > >> >> 2. How can we increase the logging of SAML related messages? > > For this case translation profile logging set to TRACE may show more. > However the cause in this case is rather clear. > > Best, > Krzysztof > > -- Willem Elbers CLARIN ERIC www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers |
