NullPointerException when trying to view remote SP entities for AWS in AM 6.5.0.x and 6.5.1 admin UI
The purpose of this article is to provide assistance if you are redirected to a /base/AMUncaughtException URL when trying to view SAML2 entity providers in the AM admin UI. This affects remote service provider entities that have been created by importing AWS metadata. You will also see a "java.lang.NullPointerException" in the logs when this happens.
Symptoms
When you try to view the AWS entity provider in the AM admin UI, you are redirected to a URL such as: https://am.example.com:8443/am/base/AMUncaughtException and the following message is shown:
An error occurred while processing this request. Contact your administrator.
The following error is shown in the Configuration debug log when this happens:
amConsole:04/17/2019 11:17:03:100 PM BST: Thread[https-openssl-apr-8443-exec-2,5,main]: TransactionId[6f414571-3ee2-4a8e-8920-04bf0975f0ca-1283]
ERROR: ConsoleServletBase.onUncaughtException
com.iplanet.jato.NavigationException: Exception encountered during forward
Root cause = [java.lang.NullPointerException]
    at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:380)
    at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
    at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:155)
    at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:113)
    at com.sun.identity.console.federation.FederationViewBean.handleEntityNameHrefRequest(FederationViewBean.java:858)
Recent Changes
Imported AWS metadata into AM to create a remote SP entity.
Causes
The AWS metadata does not include the AuthnRequestsSigned attribute and AM returns an NPE for the missing attribute instead of setting it correctly to null.
Solution
This issue can be resolved by upgrading to AM 6.5.2 or later; you can download this from Backstage.
Workaround
You can work around this issue by modifying the AWS metadata before importing it into AM:
- Update the AWS metadata to include the AuthnRequestsSigned attribute in the SPSSODescriptor section. You can set it to true or false as needed. For example, the revised section would look like this with it set to false:
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:webservices" validUntil="2020-03-18T00:00:00Z">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
- Re-import the metadata into AM (see How do I export and import SAML2 metadata in AM (All versions)?). You should now be able to view the entity provider via the AM admin UI.
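The metadata edit in the first workaround step can be scripted. The following is an added example, not part of the original article or of AM: the function name add_authn_requests_signed and the SAMPLE document are constructed for illustration. It adds the attribute only where it is missing and refuses to touch metadata that carries an XML signature, because editing signed metadata invalidates that signature.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the usual prefixes when the document is serialised again.
ET.register_namespace("", MD)
ET.register_namespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")
ET.register_namespace("ds", DS)


def add_authn_requests_signed(metadata_xml: str, value: str = "false") -> tuple[str, int]:
    """Return (patched metadata, number of SPSSODescriptor elements changed)."""
    if value not in ("true", "false"):
        raise ValueError("AuthnRequestsSigned must be 'true' or 'false'")
    root = ET.fromstring(metadata_xml)
    # A signature over the descriptor would no longer verify after the edit.
    if root.find(f".//{{{DS}}}Signature") is not None:
        raise ValueError("metadata is signed; editing it invalidates the signature")
    patched = 0
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        # Only fill the gap; never override a value the SP published itself.
        if "AuthnRequestsSigned" not in sp.attrib:
            sp.set("AuthnRequestsSigned", value)
            patched += 1
    return ET.tostring(root, encoding="unicode"), patched


# Constructed sample shaped like the AWS metadata described above (attribute absent).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:amazon:webservices" validUntil="2020-03-18T00:00:00Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aws.amazon.com/saml"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    fixed, count = add_authn_requests_signed(SAMPLE)
    print(f"patched {count} SPSSODescriptor element(s)")
    print(fixed)
```

Review the output before re-importing it, and choose the value that matches whether the service provider actually signs its authentication requests.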
Related Issue Tracker IDs
OPENAM-14213 (Cannot view SAML SP entity imported from AWS in console)