Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

NullPointerException when trying to view remote SP entities for AWS in AM 6.5.0.x and 6.5.1 console

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if you are redirected to a /base/AMUncaughtException URL when trying to view SAML2 entity providers in the AM console. This affects remote service provider entities that have been created by importing AWS metadata. You will also see a "java.lang.NullPointerException" in the logs when this happens.

Symptoms

When you try to view the AWS entity provider in the console, you are redirected to a URL such as: http://host1.example.com:8080/openam/base/AMUncaughtException and the following message is shown:

An error occurred while processing this request. Contact your administrator.

The following error is shown in the Configuration debug log when this happens:

amConsole:04/17/2019 11:17:03:100 PM BST: Thread[https-openssl-apr-8443-exec-2,5,main]: TransactionId[6f414571-3ee2-4a8e-8920-04bf0975f0ca-1283] ERROR: ConsoleServletBase.onUncaughtException com.iplanet.jato.NavigationException: Exception encountered during forward Root cause = [java.lang.NullPointerException] at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:380) at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261) at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:155) at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:113) at com.sun.identity.console.federation.FederationViewBean.handleEntityNameHrefRequest(FederationViewBean.java:858)

Recent Changes

Imported AWS metadata into AM to create a remote SP entity.

Causes

The AWS metadata does not include the AuthnRequestsSigned attribute and AM returns an NPE for the missing attribute instead of setting it correctly to null.

Solution

This issue can be resolved by upgrading to AM 6.5.2 or later; you can download this from BackStage.

Workaround

You can workaround this issue by modifying the AWS metadata before importing it into AM:

  1. Update the AWS metadata to include the AuthnRequestsSigned attribute in the SPSSODescriptor section. You can set it to true or false as needed. For example, the revised section would look like this with it set to false: <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:webservices" validUntil="2020-03-18T00:00:00Z"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
  2. Re-import the metadata into AM: How do I export and import SAML2 metadata in AM (All versions)? You should now be able to view the entity provider via the console.

See Also

Federation related pages do not display in the console with a java.lang.NoClassDefFoundError: sun/misc/CharacterEncoder error in AM 6.5.x

FAQ: SAML federation in AM

SAML Federation in AM

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

OPENAM-14213 (Cannot view SAML SP entity imported from AWS in console)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.