Open
Description
When the SAML2 Node is configured with NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, the attribute mapped to this NameID must be included in the SP attribute mapping (i.e. in the AttributeStatement of the Assertion).
How to reproduce:
- Configure an AM 6.5 as IDP. In the NameID value map, configure urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=uid
- Configure an AM 6.5 as SP (adjust the Assertion Consumer Service URLs with the Auth prefix)
- Configure a SAML Authentication tree and specify the NameID format as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- Run the flow. After authenticating in IDP, you'll get a 'Login Failure' in the SP with NPE:
```
Caused by: java.lang.NullPointerException
at org.forgerock.openam.auth.nodes.SAML2Node.SAML2Node.setupAttributes(SAML2Node.java:525)
at org.forgerock.openam.auth.nodes.SAML2Node.SAML2Node.handleReturnFromRedirect(SAML2Node.java:470)
at org.forgerock.openam.auth.nodes.SAML2Node.SAML2Node.process(SAML2Node.java:258)
at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
```
(the stacktrace may be a little different depending on the version of the node you've built, but it should be coming from the #setupAttributes).
As a workaround, you can request that the federated attribute also be included as an attribute in the assertion: in both the hosted and the remote SP, update the SP attribute mapping accordingly, e.g. uid=uid.
Note that this does not happen when using the SAML module or the AM 7 SAML node.
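The following is an added example, not code from this project or from the issue author: a small Python model of the SP-side attribute handling the report describes. It parses a constructed SAML Response whose NameID uses the unspecified format, applies an SP attribute mapping (local=remote), and then resolves the attribute that the IDP's NameID value map ties to that format. When that attribute is absent from the mapped set the lookup yields None, which is the condition the stack trace above points at; adding uid=uid on both sides makes it resolve. The function names (`run`, `resolve_nameid_attribute`, `map_attributes`) and the sample assertion are this example's own assumptions, not the node's API or real traffic.

```python
"""Added example (not SAML2 Node project code): model of the SP attribute setup
described in the issue, showing the missing-attribute condition and the
uid=uid workaround. All names and the sample XML are constructed here."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# IDP NameID value map from the reproduction steps: unspecified format -> uid.
IDP_NAMEID_VALUE_MAP = {UNSPECIFIED: "uid"}


def build_response(include_uid_attribute: bool) -> str:
    """Constructed sample Response. With include_uid_attribute=True the IDP has
    been told (via the remote SP's attribute mapping) to also emit uid in the
    AttributeStatement, as the workaround does."""
    attrs = ('<saml:Attribute Name="mail">'
             '<saml:AttributeValue>alice@example.com</saml:AttributeValue>'
             '</saml:Attribute>')
    if include_uid_attribute:
        attrs += ('<saml:Attribute Name="uid">'
                  '<saml:AttributeValue>alice</saml:AttributeValue>'
                  '</saml:Attribute>')
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{UNSPECIFIED}">alice</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text: str):
    """Return (NameID format, NameID value, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return name_id.get("Format"), name_id.text, attributes


def map_attributes(assertion_attrs: dict, sp_attribute_map: dict) -> dict:
    """Apply the hosted SP attribute mapping (local=remote). Only remote
    attributes that are mapped survive, which is why the NameID-backed
    attribute must appear in this mapping."""
    return {local: assertion_attrs[remote]
            for local, remote in sp_attribute_map.items()
            if remote in assertion_attrs}


def resolve_nameid_attribute(nameid_format: str, mapped_attrs: dict):
    """Look up the local attribute the IDP map ties to this NameID format.
    Returns (attribute name, values); values is None when the attribute was
    never mapped into the session, the state that leads to the NPE."""
    local = IDP_NAMEID_VALUE_MAP.get(nameid_format)
    return local, mapped_attrs.get(local)


def run(sp_attribute_map: dict, include_uid_attribute: bool) -> dict:
    """Drive the whole SP-side flow on a constructed Response."""
    fmt, nameid_value, attrs = parse_response(build_response(include_uid_attribute))
    mapped = map_attributes(attrs, sp_attribute_map)
    local, values = resolve_nameid_attribute(fmt, mapped)
    return {
        "nameid_format": fmt,
        "nameid_value": nameid_value,
        "mapped_attributes": mapped,
        "nameid_attribute": local,
        "nameid_attribute_values": values,
    }


if __name__ == "__main__":
    # Broken configuration from the issue: uid is not in the SP attribute mapping.
    print(run({"mail": "mail"}, False)["nameid_attribute_values"])
    # Workaround: uid=uid on both the remote SP (IDP side) and the hosted SP.
    print(run({"mail": "mail", "uid": "uid"}, True)["nameid_attribute_values"])
```

The third case worth checking is a half-applied workaround: if the IDP emits uid but the hosted SP mapping still lacks it, `map_attributes` drops it and the lookup is again None, which is why the report says to update the mapping in both the hosted and the remote SP.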