Shibboleth Developers

[Halm Reusser <>]

On 19.11.10 09:12, Halm Reusser wrote:
> On 18.11.10 22:15, Brent Putman wrote:
>
> > Thanks for reminding me that I hadn't done this yet. :-) I just
> > checked in fixes for the 2 IdP 2.2 issues that have been reported
> > so far: 1) the slf4j MessageFormatter API change and 2) the
> > Liberty profile handler null authN engine error in the constructor.
> > If you or anyone else is in a position to test it end-to-end with
> > IdP 2.2, it would be most appreciated.
>
> Thanks, that was quick! I will deploy it next week in our test
> infrastructure. If any issue bubble up, I'll send it here to the
> list.

Ok. I deployed IdP 2.2 with idp-ext-delegation r286 on the test system
and did various tests with Valery and his ID-WSF ECP library. Everything
went well and successful.

Yesterday I deployed same software on the production system. If we did
the same test as before (which is still running on test), we get:

10:06:11.295 - INFO [Shibboleth-Access:73] -
20110105T090611Z|130.59.4.134|aai-logon.vho-switchaai.ch:443|/profile/SAML2/Redirect/SSO|
10:06:11.304 - ERROR
[edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:88]
- Error occurred while processing request
java.lang.NullPointerException: null
        at
edu.internet2.middleware.shibboleth.idp.ext.delegation.profile.DelegationAwareSAML2SSOProfileHandler.buildLibertSSOSEPRAttributeValue(DelegationAwareSAML2SSOProfileHandler.java:322)
~[shibboleth-idp-ext-delegation-1.0.jar:na]
        at
edu.internet2.middleware.shibboleth.idp.ext.delegation.profile.DelegationAwareSAML2SSOProfileHandler.addLibertySSOSEPRAttribute(DelegationAwareSAML2SSOProfileHandler.java:294)
~[shibboleth-idp-ext-delegation-1.0.jar:na]
        at
edu.internet2.middleware.shibboleth.idp.ext.delegation.profile.DelegationAwareSAML2SSOProfileHandler.decorateDelegatedAssertion(DelegationAwareSAML2SSOProfileHandler.java:278)
~[shibboleth-idp-ext-delegation-1.0.jar:na]
        at
edu.internet2.middleware.shibboleth.idp.ext.delegation.profile.DelegationAwareSAML2SSOProfileHandler.postProcessAssertion(DelegationAwareSAML2SSOProfileHandler.java:242)
~[shibboleth-idp-ext-delegation-1.0.jar:na]
        at
edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:264)
~[shibboleth-identityprovider-2.2.0.jar:na]
        at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:280)
~[shibboleth-identityprovider-2.2.0.jar:na]
        at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:164)
~[shibboleth-identityprovider-2.2.0.jar:na]
        at
edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:84)
~[shibboleth-identityprovider-2.2.0.jar:na]
        at
edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83)
~[shibboleth-common-1.2.0.jar:na]
[...]

I looked at the code (DelegationAwareSAML2SSOProfileHandler) and it
seems that XMLObjectBuilder<MetadataAbstract> abstractBuilder created by
getBuilderFactory().getBuilder(LibertyConstants.DISCO_ABSTRACT_ELEMENT_NAME)
is null (unchecked).


The only obvious difference between production and test are the loaded
metadata. Test uses some features like AttributeConsumingService etc.

Therefore I tried to load the test metadata for some specific SP before
the production metadata, same error.

Brent, the NPE looks like a bug. Do you have any hint to debug further?
If I should test something, let me know. But unfortunately I'm not able
to reproduce same error on test and I don't like to redeploy the
software on production if I'm unsure that it has some positive affect :-)

I'm able to change log levels or reload metadata file(s) as well
delegation RP configuration dynamically. Non-Delegation SSO works well.

Thanks,
-Halm