SAML Idp Initiated Failure
-
I am trying to get an Identity Provider set up to use to log in to FusionAuth Admin. Specifically, I am using JumpCloud. I want to be able to use the JumpCloud User Portal, click on the SSO app and be automatically logged in to FA Admin. I believe I have everything configured correctly, but when I click the link I get the error "We were unable to complete your login attempt. Please attempt the request again". Tailing the logs yields the stack trace below. The funny thing is, the login works! If I visit the /admin path by editing the URL, I get the app fully logged in. The event log (debug enabled) shows a fully successful authentication. The problem seems to be that the redirected URL throws the error. This is the URL "/admin/login?code=bp2p4eSm1FMWfKR_U3Jw0DJqrLgcxyLWo_SZnjCaAvs&locale=en_US&state=nnHKri9jzXMr1yrEBM7gRxNFKCh3Bsb9pTCbrOc2iDs&userState=Authenticated"; if it just redirected to "/admin" I think it might work fine.
I am using the SAML v2 IdP initiated provider. I am running FA via Docker.
Thanks
2022-04-01 5:39:00.406 PM ERROR io.fusionauth.app.action.BaseOAuthCallbackAction - Unable to call FusionAuth Token endpoint using code [3M_9UyKtWpEsus7HWJOeApqswYTzWO7M164cMHSKNBw].
[1/Apr/2022:17:39:00] 2022-04-01 5:39:00.406 PM ERROR io.fusionauth.app.action.BaseOAuthCallbackAction - Returned Exception
[1/Apr/2022:17:39:00] java.lang.NullPointerException: Cannot invoke "String.length()" because "s" is null
[1/Apr/2022:17:39:00] at java.base/java.net.URLEncoder.encode(URLEncoder.java:224)
[1/Apr/2022:17:39:00] at java.base/java.net.URLEncoder.encode(URLEncoder.java:196)
[1/Apr/2022:17:39:00] at com.inversoft.rest.FormDataBodyHandler.lambda$serializeRequest$0(FormDataBodyHandler.java:63)
[1/Apr/2022:17:39:00] at java.base/java.util.HashMap.forEach(HashMap.java:1421)
[1/Apr/2022:17:39:00] at com.inversoft.rest.FormDataBodyHandler.serializeRequest(FormDataBodyHandler.java:57)
[1/Apr/2022:17:39:00] at com.inversoft.rest.FormDataBodyHandler.setHeaders(FormDataBodyHandler.java:49)
[1/Apr/2022:17:39:00] at com.inversoft.rest.RESTClient.go(RESTClient.java:232)
[1/Apr/2022:17:39:00] at io.fusionauth.client.FusionAuthClient.exchangeOAuthCodeForAccessTokenUsingPKCE(FusionAuthClient.java:1600)
[1/Apr/2022:17:39:00] at io.fusionauth.app.action.BaseOAuthCallbackAction.exchangeCodeForToken(BaseOAuthCallbackAction.java:64)
[1/Apr/2022:17:39:00] at io.fusionauth.app.action.admin.LoginAction.get(LoginAction.java:84)
[1/Apr/2022:17:39:00] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[1/Apr/2022:17:39:00] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
[1/Apr/2022:17:39:00] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[1/Apr/2022:17:39:00] at java.base/java.lang.reflect.Method.invoke(Method.java:568)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:44)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:91)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:64)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at io.fusionauth.app.primeframework.CORSFilter.doFilter(CORSFilter.java:262)
[1/Apr/2022:17:39:00] at io.fusionauth.app.primeframework.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:49)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
[1/Apr/2022:17:39:00] at io.fusionauth.app.primeframework.FusionAuthMVCWorkflow.perform(FusionAuthMVCWorkflow.java:86)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
[1/Apr/2022:17:39:00] at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:78)
[1/Apr/2022:17:39:00] at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:63)
[1/Apr/2022:17:39:00] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[1/Apr/2022:17:39:00] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[1/Apr/2022:17:39:00] at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
[1/Apr/2022:17:39:00] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[1/Apr/2022:17:39:00] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[1/Apr/2022:17:39:00] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:196)
[1/Apr/2022:17:39:00] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
[1/Apr/2022:17:39:00] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
[1/Apr/2022:17:39:00] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
[1/Apr/2022:17:39:00] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
[1/Apr/2022:17:39:00] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
[1/Apr/2022:17:39:00] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
[1/Apr/2022:17:39:00] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
[1/Apr/2022:17:39:00] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
[1/Apr/2022:17:39:00] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
[1/Apr/2022:17:39:00] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650)
[1/Apr/2022:17:39:00] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[1/Apr/2022:17:39:00] at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
[1/Apr/2022:17:39:00] at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
[1/Apr/2022:17:39:00] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[1/Apr/2022:17:39:00] at java.base/java.lang.Thread.run(Thread.java:833)
-
Hmmm, this indicates that the authorization code grant (which happens internally during SAML logins) did not complete.
What version of FusionAuth are you using? There was a similar bug fixed in version 1.34.1: https://github.com/FusionAuth/fusionauth-issues/issues/1606
-
This may also be related to our usage of PKCE. I think there is a fix for this exception in the latest version of FusionAuth
[1/Apr/2022:17:39:00] 2022-04-01 5:39:00.406 PM ERROR io.fusionauth.app.action.BaseOAuthCallbackAction - Returned Exception
[1/Apr/2022:17:39:00] java.lang.NullPointerException: Cannot invoke "String.length()" because "s" is null
-
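The exception above comes from form-encoding a null parameter while the internal authorization code grant with PKCE is being completed. The following is an added example, not FusionAuth's own code, that shows the client side of that exchange in Python: generating a PKCE verifier/challenge pair per RFC 7636 (S256), validating the `code` and `state` on the callback URL, and refusing to build the token request body when a required parameter such as `code_verifier` is missing instead of sending a garbage value. The parameter names follow RFC 6749/7636; the callback URL and client values in the block are constructed for the demonstration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class MissingTokenParameter(ValueError):
    """Raised when a required token-request parameter is absent or empty."""


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge). 32 random bytes -> 43 chars,
    inside the 43..128 character range RFC 7636 allows."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, compute_challenge(verifier)


def verify_challenge(verifier: str, challenge: str) -> bool:
    """What the authorization server does at the token endpoint."""
    return secrets.compare_digest(compute_challenge(verifier).encode(), challenge.encode())


def parse_callback(url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, binding it to the
    state value stored when the login was started (CSRF protection)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    code = qs.get("code", [""])[0]
    state = qs.get("state", [""])[0]
    if not code:
        raise MissingTokenParameter("callback carries no authorization code")
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    return code


REQUIRED = ("grant_type", "client_id", "code", "redirect_uri", "code_verifier")


def build_token_request_body(params: dict) -> str:
    """Form-encode the token request, failing early with a readable message if
    a required field is None or empty. urlencode() would otherwise silently
    emit the literal text 'None' for a missing verifier."""
    missing = sorted(k for k in REQUIRED if params.get(k) in (None, ""))
    if missing:
        raise MissingTokenParameter("token request is missing: " + ", ".join(missing))
    return urlencode(params)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    stored_state = _b64url(secrets.token_bytes(32))
    # Constructed callback, shaped like the /admin/login redirect in the post.
    callback = f"https://fa.example.test/admin/login?code=abc123&locale=en_US&state={stored_state}&userState=Authenticated"
    code = parse_callback(callback, stored_state)
    body = build_token_request_body({
        "grant_type": "authorization_code",
        "client_id": "example-client-id",          # constructed value
        "code": code,
        "redirect_uri": "https://fa.example.test/admin/login",
        "code_verifier": verifier,
    })
    print(body)
    assert verify_challenge(verifier, challenge)
```

Losing the verifier between the authorization request and the callback (for example because it was never stored against the session) is exactly the kind of state the `MissingTokenParameter` check surfaces; the server-side `verify_challenge` shows why the exchange must fail closed when it is absent.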
@robotdan I'm using 1.35.0
-
@utahtwo I believe this is resolved in 1.36.0, if you can upgrade see if that solves it for you.
-
@robotdan Yep! That did the trick. 1.36 resolved my issue. I do have another quick question. Can I use the same SAML configuration to do both IdP-initiated and non-IdP-initiated login? Right now I have 2 SAML configs, one for IdP-initiated login and the other that redirects to JumpCloud when you try to log in to FA. It would be nice to have one that works for both, but maybe my configuration is the preferred way?
Basically, I want to make it really easy to log in: log in from the JC user console, or go to fusion.myorg.com, which sends you to JC to authenticate.
Thanks
-
@utahtwo Currently this requires two different configurations. We initially tried to do it all within one IdP, but each mode requires different configuration and has unique security constraints. It seemed simpler for all involved to make them separate IdP configurations.
If there is a use case that breaks due to this design decision, please open a GitHub issue and outline the use case so we can better understand your needs. Thanks!