Jan 26th, 2013, 12:19 PM
integrating saml2-sample with an OpenAM IdP
Has anyone out there experienced success extending the saml2-sample so that it communicates with an OpenAM Identity Provider?
I've followed steps that were similar to the SSO Circle IdP quick start section of the "Spring Security SAML Extension - Reference Documentation" [saml2-doc/SpringSecurity SAML - documentation 3.0.pdf]
My current blocker is that login (from the sample app) leads to a 500 error on the OpenAM server. The underlying exception is:
libSAML2:01/26/2013 08:41:07:939 AM UTC: Thread[http-8080-5,5,main]
ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.
    at com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.getNameID(DefaultIDPAccountMapper.java:143)
    at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(IDPSSOUtil.java:1509)
    at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(IDPSSOUtil.java:919)
    at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(IDPSSOUtil.java:741)
    at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:428)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:851)
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:125)
    at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:99)
Of course, it's quite possible that the problem lies in my OpenAM configuration. I will be grateful for any ideas.
Last edited by cailie; Jan 26th, 2013 at 08:38 PM.
Jan 26th, 2013, 12:59 PM
OpenAM is probably trying to generate a Name ID (identifier of the user returned in the SAML Assertion) from the user's e-mail address, but the e-mail is missing in the user's profile. Just add an e-mail to the account you're authenticating with and the error should disappear. The other option is to change the NameID which your SP requests from OpenAM. To do this, modify the bean WebSSOProfileOptions inside samlEntryPoint by adding the property nameID with e.g. the value "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". Some details about this can be found in chapter 4.7 of the manual.
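The second option in the reply above, written out as a Spring XML fragment. This is an added illustration, not a snippet from the thread or from the saml2-sample project itself; it assumes the sample's securityContext.xml already declares a samlEntryPoint bean of class org.springframework.security.saml.SAMLEntryPoint whose defaultProfileOptions is a WebSSOProfileOptions bean (the includeScoping line stands in for whatever the sample sets there), and the nameID property is the one addition that tells the SP to request a persistent NameID instead of letting the IdP fall back to the e-mail address:

```xml
<!-- Added example: SP-side entry point requesting a persistent NameID format.
     Bean and property names follow the Spring Security SAML extension; the
     surrounding bean is assumed to match the one in saml2-sample. -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="defaultProfileOptions">
        <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <!-- assumed to be present already in the sample configuration -->
            <property name="includeScoping" value="false"/>
            <!-- the addition: ask the IdP for a persistent NameID, so the
                 assertion's Subject no longer depends on the e-mail attribute -->
            <property name="nameID" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
        </bean>
    </property>
</bean>
```

After the change, the AuthnRequest the SP sends carries a NameIDPolicy with that Format, which is easy to confirm in the SAML trace on the OpenAM side before looking at the IdP's account-mapper configuration.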
Jan 26th, 2013, 08:36 PM
You are right! The authenticated user had no email address configured. To fix this, I went to the "Subjects" tab of the OpenAM admin GUI, and entered an email address in that user's profile.
Now the saml2-sample login action succeeds.
Thank you very much!