Skip to Content.
Sympa Menu

shibboleth-dev - Re: [Shib-Dev] Idp-ext-delegation & 2.2 idp

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] Idp-ext-delegation & 2.2 idp


Chronological Thread 
  • From: Halm Reusser <>
  • To:
  • Subject: Re: [Shib-Dev] Idp-ext-delegation & 2.2 idp
  • Date: Wed, 05 Jan 2011 10:47:49 +0100

On 19.11.10 09:12, Halm Reusser wrote:
On 18.11.10 22:15, Brent Putman wrote:

Thanks for reminding me that I hadn't done this yet. :-) I just
checked in fixes for the 2 IdP 2.2 issues that have been reported
so far: 1) the slf4j MessageFormatter API change and 2) the
Liberty profile handler null authN engine error in the constructor.
If you or anyone else is in a position to test it end-to-end with
IdP 2.2, it would be most appreciated.

Thanks, that was quick! I will deploy it next week in our test
infrastructure. If any issue bubble up, I'll send it here to the
list.

Ok. I deployed IdP 2.2 with idp-ext-delegation r286 on the test system
and did various tests with Valery and his ID-WSF ECP library. Everything
went well and successful.

Yesterday I deployed same software on the production system. If we did
the same test as before (which is still running on test), we get:

10:06:11.295 - INFO [Shibboleth-Access:73] -
20110105T090611Z|130.59.4.134|aai-logon.vho-switchaai.ch:443|/profile/SAML2/Redirect/SSO|
10:06:11.304 - ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88]
- Error occurred while processing request
java.lang.NullPointerException: null
at
edu.internet2.middleware.shibboleth.idp.ext.delegation.profile.DelegationAwareSAML2SSOProfileHandler.buildLibertSSOSEPRAttributeValue(DelegationAwareSAML2SSOProfileHandler.java:322)
~[shibboleth-idp-ext-delegation-1.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.ext.delegation.profile.DelegationAwareSAML2SSOProfileHandler.addLibertySSOSEPRAttribute(DelegationAwareSAML2SSOProfileHandler.java:294)
~[shibboleth-idp-ext-delegation-1.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.ext.delegation.profile.DelegationAwareSAML2SSOProfileHandler.decorateDelegatedAssertion(DelegationAwareSAML2SSOProfileHandler.java:278)
~[shibboleth-idp-ext-delegation-1.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.ext.delegation.profile.DelegationAwareSAML2SSOProfileHandler.postProcessAssertion(DelegationAwareSAML2SSOProfileHandler.java:242)
~[shibboleth-idp-ext-delegation-1.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:264)
~[shibboleth-identityprovider-2.2.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:280)
~[shibboleth-identityprovider-2.2.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:164)
~[shibboleth-identityprovider-2.2.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:84)
~[shibboleth-identityprovider-2.2.0.jar:na]
at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83)
~[shibboleth-common-1.2.0.jar:na]
[...]

I looked at the code (DelegationAwareSAML2SSOProfileHandler) and it
seems that XMLObjectBuilder<MetadataAbstract> abstractBuilder created by
getBuilderFactory().getBuilder(LibertyConstants.DISCO_ABSTRACT_ELEMENT_NAME)
is null (unchecked).


The only obvious difference between production and test are the loaded
metadata. Test uses some features like AttributeConsumingService etc.

Therefore I tried to load the test metadata for some specific SP before
the production metadata, same error.

Brent, the NPE looks like a bug. Do you have any hint to debug further?
If I should test something, let me know. But unfortunately I'm not able
to reproduce same error on test and I don't like to redeploy the
software on production if I'm unsure that it has some positive affect :-)

I'm able to change log levels or reload metadata file(s) as well
delegation RP configuration dynamically. Non-Delegation SSO works well.

Thanks,
-Halm





Archive powered by MHonArc 2.6.16.

Top of Page