
Dynamic user profile creation or SSO fails with Authentication Error!!|auth_error_template.jsp error when SP is in sub-realm in OpenAM 11.0.2 and 12.0.0

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you receive a "com.sun.identity.saml2.common.SAML2Exception: Authentication Error!!|auth_error_template.jsp" error when dynamic user profile creation or SSO fails and the SP is in a sub-realm in OpenAM 11.0.2 and 12.0.0.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The user successfully authenticates with the IdP and is then redirected to the SP URL, where the following message is shown:

HTTP Status 500 - Single Sign On failed.

When dynamic profile creation is configured, the user will see the OpenAM login page instead of the user profile being created.

The following message is seen in the Authentication log when one of these issues occurs:

amAuth:06/10/2016 14:08:11:771 PM EDT: Thread[http-bio-8443-exec-5,5,main] orgDN from existing auth context: o=test,ou=services,dc=openam,dc=forgerock,dc=org, orgDN from query string: dc=openam,dc=forgerock,dc=org
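As an added example (not part of the ForgeRock article), the following Python scans amAuth debug output for the orgDN line shown above, converts both DNs to OpenAM realm paths, and flags entries where the existing auth context realm and the query string realm differ. The log lines it contains are constructed to mirror the article's example; the realm path mapping assumes the standard o=<realm>,ou=services layout beneath the root suffix.

```python
import re

# Constructed amAuth debug lines modelled on the article's example (not captured from a live system).
# Line 1 shows the mismatch described in the article; line 2 is a healthy sub-realm login for contrast.
SAMPLE_LOG = """\
amAuth:06/10/2016 14:08:11:771 PM EDT: Thread[http-bio-8443-exec-5,5,main] orgDN from existing auth context: o=test,ou=services,dc=openam,dc=forgerock,dc=org, orgDN from query string: dc=openam,dc=forgerock,dc=org
amAuth:06/10/2016 14:09:02:010 PM EDT: Thread[http-bio-8443-exec-7,5,main] orgDN from existing auth context: o=test,ou=services,dc=openam,dc=forgerock,dc=org, orgDN from query string: o=test,ou=services,dc=openam,dc=forgerock,dc=org
"""

# Both DNs contain commas, so match the auth-context DN non-greedily up to the literal separator.
ORGDN_RE = re.compile(r"orgDN from existing auth context: (?P<ctx>.+?), orgDN from query string: (?P<qs>\S+)")


def realm_path(org_dn: str) -> str:
    """Convert an OpenAM organization DN to its realm path: sub-realms are stored as
    'o=<name>,ou=services' pairs stacked above the root suffix, so
    'o=test,ou=services,dc=openam,dc=forgerock,dc=org' is '/test' and the bare
    root suffix is the top level realm '/'. (Assumed standard layout.)"""
    rdns = [rdn.strip() for rdn in org_dn.split(",")]
    names = []
    for i, rdn in enumerate(rdns):
        key, _, value = rdn.partition("=")
        nxt = rdns[i + 1].lower() if i + 1 < len(rdns) else ""
        if key.lower() == "o" and nxt == "ou=services":
            names.append(value)
    # The deepest realm comes first in the DN; the realm path reads root-first.
    return "/" + "/".join(reversed(names))


def find_realm_mismatches(log_text: str) -> list:
    """Return one finding per amAuth line whose two orgDN values resolve to different realms.
    A query-string realm of '/' against a sub-realm auth context is the signature of
    OPENAM-5120 when the SP is configured in a sub-realm."""
    findings = []
    for line in log_text.splitlines():
        match = ORGDN_RE.search(line)
        if not match:
            continue
        ctx_realm = realm_path(match.group("ctx"))
        qs_realm = realm_path(match.group("qs"))
        if ctx_realm != qs_realm:
            findings.append({"auth_context_realm": ctx_realm, "query_string_realm": qs_realm, "line": line})
    return findings


if __name__ == "__main__":
    for f in find_realm_mismatches(SAMPLE_LOG):
        print(f"realm mismatch: auth context {f['auth_context_realm']} vs query string {f['query_string_realm']}")
```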

One of the following errors is seen in the Federation debug log when you experience either of these issues:

  • SSO failed:
    ERROR: spAssertionConsumer.jsp: SSO failed.
    com.sun.identity.saml2.common.SAML2Exception: Authentication Error!!|auth_error_template.jsp
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1328)
        at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:281)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Unknown Source)
    Caused by: com.sun.identity.plugin.session.SessionException: Authentication Error!!|auth_error_template.jsp
        at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:225)
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1307)
        ... 34 more
  • error code=-1:
    SPACSUtils.processResponse : error code=-1
    com.sun.identity.plugin.session.SessionException: Authentication Error!!|auth_error_template.jsp
        at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:225)
        at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1312)
        at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:240)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
        ...

Recent Changes

Upgraded to OpenAM 11.0.2 or 12.0.0.

Configured SP in sub-realm rather than top level realm.

Configured dynamic profile creation.

Causes

Fixes made to address OPENAM-474 (Dynamic User Creation not populating all available attributes onto newly created user) prevent the SP from fully working in a sub-realm. With these changes, the federation process attempts to authenticate in the top level realm rather than the applicable sub-realm, so authentication fails because the SP is configured in the sub-realm. As a result, the dynamic user profile creation process cannot take place, because OpenAM cannot determine whether the user exists.

Solution

This issue can be resolved by upgrading to OpenAM 11.0.3, or OpenAM 12.0.1 or later; you can download these releases from BackStage.

See Also

N/A

Related Training

N/A

Related Issue Tracker IDs

OPENAM-5120 (SAML2 SP in a sub-realm not fully functional after OPENAM-474)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.