
Thread: integrating saml2-sample with an OpenAM IdP

  1. #1
    Join Date
    Nov 2006
    Location
    Vancouver, BC
    Posts
    25

    integrating saml2-sample with an OpenAM IdP

    Hi there,

    Has anyone out there experienced success extending the saml2-sample so that it communicates with an OpenAM Identity Provider?

    I've followed steps that were similar to the SSO Circle IdP quick start section of the "Spring Security SAML Extension - Reference Documentation" [saml2-doc/SpringSecurity SAML - documentation 3.0.pdf]

    My current blocker is that login (from the sample app) leads to a 500 error on the OpenAM server. The underlying exception is:

    libSAML2:01/26/2013 08:41:07:939 AM UTC: Thread[http-8080-5,5,main]
    ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.
        at com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.getNameID(DefaultIDPAccountMapper.java:143)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(IDPSSOUtil.java:1509)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(IDPSSOUtil.java:919)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(IDPSSOUtil.java:741)
        at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:428)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:851)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:125)
        at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:99)
        ...

    Of course, it's quite possible that the problem lies in my OpenAM configuration. I will be grateful for any ideas.

    Thank you,
    -C
    Last edited by cailie; Jan 26th, 2013 at 08:38 PM.

  2. #2
    Join Date
    Feb 2009
    Location
    Helsinki
    Posts
    148


    Hi,

    OpenAM is probably trying to generate a Name ID (the identifier of the user returned in the SAML Assertion) from the user's e-mail address, but the e-mail is missing in the user's profile. Just add an e-mail to the account you're authenticating with and the error should disappear. The other option is to change the NameID format which your SP requests from OpenAM. To do this, modify the bean WebSSOProfileOptions inside samlEntryPoint by adding the property nameID with e.g. the value "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". Some details about this can be found in chapter 4.7 of the manual.

    Vladimír Schäfer
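
Spelling out the second option as Spring bean XML, as an added example that is not part of this thread or of the saml2-sample itself: the fragment below assumes the sample's securityContext.xml already declares a samlEntryPoint bean of class SAMLEntryPoint whose defaultProfileOptions property holds a WebSSOProfileOptions bean (that is how the Spring Security SAML extension wires the entry point); the includeScoping line stands in for whatever options the sample already sets, and the nameID property is the one the reply above refers to.

```xml
<!-- Added example (not from the thread or the Spring Security SAML project):
     the samlEntryPoint bean of securityContext.xml with an explicit NameID
     format. Bean id and the defaultProfileOptions/nameID property names follow
     the extension's SAMLEntryPoint and WebSSOProfileOptions classes. -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="defaultProfileOptions">
        <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <!-- Option already present in the sample; kept as-is -->
            <property name="includeScoping" value="false"/>
            <!-- Ask the IdP for an opaque, pairwise persistent identifier instead
                 of the e-mail-address format. The IdP then needs no mail attribute
                 on the user to build the NameID, and the assertion's Subject no
                 longer carries the e-mail address itself. -->
            <property name="nameID" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
        </bean>
    </property>
</bean>
```

Whichever option is chosen, both sides have to agree: the format the SP puts into the AuthnRequest's NameIDPolicy must also be among the NameID formats enabled for the hosted IdP and the remote SP in OpenAM's federation configuration, so after changing the SP side, check the IdP's NameID format settings too. A persistent NameID is stable across sessions but deliberately opaque, so anything user-facing such as the e-mail address should be taken from assertion attributes rather than from the NameID.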

  3. #3
    Join Date
    Nov 2006
    Location
    Vancouver, BC
    Posts
    25

    Awesome

    Hi Vladimír,

    You are right! The authenticated user had no email address configured. To fix this, I went to the "Subjects" tab of the OpenAM admin GUI, and entered an email address in that user's profile.

    Now the saml2-sample login action succeeds.

    Thank you very much!

    Cheers,
    -C
