There was an Exception doing the forward/redirect error and SAML2 authentication fails when redirecting with a SAML2 JSP page in OpenAM 13.0
The purpose of this article is to provide assistance if you see the following "ERROR: LoginViewBean.forwardTo(): There was an Exception doing the forward/redirect org.apache.jasper.JasperException: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String" and SAML2 authentication fails when redirecting with a SAML2 JSP page (such as a SP initiated SSO) in OpenAM 13.0. This issue only affects redirects that include the realm or where you are using a realm DNS alias.
This article has been archived and is no longer maintained by ForgeRock.
The following error is shown in the browser when SAML authentication fails:

An internal authentication error has occurred.

The following error is shown in the Authentication debug log:

amLoginViewBean:10/06/2016 14:57:01:782 PM GMT: Thread[catalina-exec-11,5,main]: TransactionId[b390ea18-c60b-4e13-acc0-a81aeb7e809d-51]
ERROR: LoginViewBean.forwardTo(): There was an Exception doing the forward/redirect
org.apache.jasper.JasperException: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String
    at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:555)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
...
Caused by: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String
This issue is seen after upgrading to, or installing, OpenAM 13.0.
Recent changes to the SAML2 JSP pages introduced a new call to retrieve the realm, which caused a mismatch between what was sent and what was expected. As a result, authentication fails in this way when redirecting with a SAML2 JSP page if the redirect includes a realm parameter or a realm DNS alias is used.
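The type mismatch behind the ClassCastException, shown as an added illustration (this is not OpenAM source code): it assumes, based on the exception text, that a request parameter map holding String[] values reached code that expected a single String. The class and method names and the sample realm and metaAlias values are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

public class RealmParamMismatch {

    // Hypothetical helper (not OpenAM source): assumes each map value is a single String.
    static String realmExpectingString(Map<?, ?> params) {
        return (String) params.get("realm"); // ClassCastException if the value is String[]
    }

    // Defensive variant: accepts both the String and the String[] shape.
    static String realmTolerant(Map<?, ?> params) {
        Object value = params.get("realm");
        if (value instanceof String) {
            return (String) value;
        }
        if (value instanceof String[] && ((String[]) value).length > 0) {
            return ((String[]) value)[0];
        }
        return null; // parameter absent or of an unexpected type
    }

    public static void main(String[] args) {
        // Constructed sample shaped like ServletRequest.getParameterMap(): values are String[].
        Map<String, String[]> servletStyle = new HashMap<>();
        servletStyle.put("realm", new String[] {"/customers"});
        servletStyle.put("metaAlias", new String[] {"/customers/sp"});

        try {
            realmExpectingString(servletStyle);
        } catch (ClassCastException e) {
            // Same exception type as in the Authentication debug log entry.
            System.out.println("ClassCastException: " + e.getMessage());
        }
        System.out.println("Tolerant lookup: " + realmTolerant(servletStyle));

        // A request without a realm parameter never reaches the failing cast,
        // which matches the issue only affecting redirects that include the realm.
        Map<String, String[]> noRealm = new HashMap<>();
        noRealm.put("metaAlias", new String[] {"/sp"});
        System.out.println("No realm parameter: " + realmExpectingString(noRealm));
    }
}
```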
This issue can be resolved by upgrading to OpenAM 13.5 or later; you can download this version from BackStage.
Related Issue Tracker IDs
OPENAM-8351 (SAML2 JSP pages making use of the SAML2Auditor are calling the SAML2Utils.getRealm with an incorrect Map structure)
OPENAM-8192 (spSSOInit with IDP proxy gives null pointer exception)
OPENAM-8971 (currentGoto : null is received in XUI when a realm dns is being used for Federation and authentication is done via wdsso/kerberos auth module)