  1. Identity Provider
  2. IDP-1623

NullPointerException during c14n

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 4.0.1
    • Fix Version/s: 4.1.0
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      • IdP 4.0.1 installed fresh
      • Alpine Linux 3.12
      • OpenJDK 11
    • Operating System:
      Linux
    • Java Version:
      Other OpenJDK 11
    • Servlet Container:
      Apache Tomcat 9

      Description

      Trying to (badly) configure SAML2Proxy flow to extract eduPersonPrincipalName from incoming assertion to use in attribute resolution. Following changes made to config files:

      Pass out to other idp

          <bean id="shibboleth.authn.SAML.discoveryFunction" parent="shibboleth.Functions.Constant"
              c:target="upstream-idp" />
      

      Attribute filter

      <AttributeFilterPolicy id="saml-proxy-pass-through">
         <PolicyRequirementRule xsi:type="Requester" value="upstream-idp" />
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
      </AttributeFilterPolicy>
      

      C14N

          <util:list id="shibboleth.c14n.attribute.AttributesToResolve">
              <value>altuid uid eduPersonPrincipalName</value>
          </util:list> 
      
          <util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
              <value>altuid uid eduPersonPrincipalName</value>
          </util:list>
      

      Attribute resolver

      <AttributeDefinition xsi:type="SubjectDerivedAttribute" forCanonicalization="true" id="altuid" principalAttributeName="eduPersonPrincipalName" />
      
      <DataConnector id="myLDAP" xsi:type="LDAPDirectory" ...>
        <InputAttributeDefinition ref="altuid" />
        <FilterTemplate>
        <![CDATA[
          (uid=$eduPersonPrincipalName.get(0))
        ]]>
        </FilterTemplate>
      </DataConnector>
      

      When authenticating via upstream IdP the following excerpt is logged:

      2020-06-22 13:51:26,143 - 192.168.37.221 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeFilterPolicy:153] - Attribute Filter Policy 'saml-proxy-pass-through'  Applying attribute filter policy to current set of attributes: [eduPersonEntitlement, uid, eduPersonPrincipalName, eduPersonScopedAffiliation]
      ...
      2020-06-22 13:51:26,143 - 192.168.37.221 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute eduPersonEntitlement values
      2020-06-22 13:51:26,143 - 192.168.37.221 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'uid' remained after filtering
      2020-06-22 13:51:26,143 - 192.168.37.221 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'eduPersonPrincipalName' remained after filtering
      2020-06-22 13:51:26,159 - 192.168.37.221 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:178] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'eduPersonScopedAffiliation' remained after filtering
      ...
      2020-06-22 13:51:26,251 - 192.168.37.221 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:139] - Attribute Definition 'altuid': produced an attribute with the following values [ScopedStringAttributeValue{value=testuser, scope=my.scope}]
      ...
      2020-06-22 13:51:26,270 - 192.168.37.221 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:519] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute 'altuid' has 1 values after post-processing
      2020-06-22 13:51:26,276 - 192.168.37.221 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
      java.lang.NullPointerException: null
              at net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl.collectExportingDataConnectors(AttributeResolverImpl.java:542

      (Happy to supply full log if needed)

      Top part of exception from idp-warn:

      2020-06-22 13:51:26,276 - 192.168.2.3 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
      java.lang.NullPointerException: null
      	at net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl.collectExportingDataConnectors(AttributeResolverImpl.java:542)
      	at net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl.finalizeResolvedAttributes(AttributeResolverImpl.java:589)
      	at net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl.resolveAttributes(AttributeResolverImpl.java:257)
      	at net.shibboleth.idp.profile.impl.ResolveAttributes.doExecute(ResolveAttributes.java:282)
      	at org.opensaml.profile.action.AbstractProfileAction.execute(AbstractProfileAction.java:112)
      	at net.shibboleth.idp.profile.AbstractProfileAction.doExecute(AbstractProfileAction.java:150)
      	at net.shibboleth.idp.profile.AbstractProfileAction.execute(AbstractProfileAction.java:122)
      	at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)

              People

              Assignee:
              rdw@iay.org.uk Rod Widdowson
              Reporter:
              matthew.slowe@corp.jisc.ac.uk Matthew Slowe