FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    SAML logout request causing 500 error in FusionAuth

    Scheduled Pinned Locked Moved
    General Discussion
    2
    2
    300
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      chk543
      last edited by

      I am extremely new to SAML so please forgive me if I use the wrong terminology. I am using FusionAuth 1.30.2 as a SAML IDP and running into issues where FusionAuth generates a 500 Internal Server Error when it receives the logout request. Does FusionAuth expect the logout request to be a specific format?

      My SP is using the following logout request template, but I have no idea if this is correct.

      <samlp:LogoutRequest
      xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
      ID="id%%RANDOM_ID_HEX_32%%" Version="2.0" IssueInstant="%%NOW_WITH_MS%%" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">{{IDP_APP_ID}}</Issuer>
      <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">%%NAME_ID%%</NameID>
      samlp:SessionIndex%%SESSION_INDEX%%</samlp:SessionIndex>
      </samlp:LogoutRequest>

      {{IDP_APP_ID}} corresponds to the Issuer field I have configured in FusionAuth

      Error from FusionAuth docker container logs

      2021-10-31 6:21:54.535 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
      java.lang.NullPointerException: null
      at java.base/java.util.Objects.requireNonNull(Objects.java:222)
      at java.base/java.util.ImmutableCollections$AbstractImmutableList.indexOf(ImmutableCollections.java:166)
      at java.base/java.util.ImmutableCollections$AbstractImmutableList.contains(ImmutableCollections.java:197)
      at io.fusionauth.api.service.samlv2.DefaultSAMLv2ProviderService.validateRequest(DefaultSAMLv2ProviderService.java:468)
      at io.fusionauth.api.service.samlv2.DefaultSAMLv2ProviderService.validateLogoutRequest(DefaultSAMLv2ProviderService.java:415)
      at io.fusionauth.app.action.samlv2.logout.CompleteAction.lambda$post$0(CompleteAction.java:46)
      at io.fusionauth.app.action.samlv2.BaseSAMLAction.handleSAMLException(BaseSAMLAction.java:114)
      at io.fusionauth.app.action.samlv2.logout.CompleteAction.post(CompleteAction.java:40)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.base/java.lang.reflect.Method.invoke(Method.java:564)
      at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
      at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
      at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:44)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:91)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:64)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at io.fusionauth.app.primeframework.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:51)
      at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      at io.fusionauth.app.primeframework.FusionAuthMVCWorkflow.perform(FusionAuthMVCWorkflow.java:86)
      at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
      at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
      at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:78)
      at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:63)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:196)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
      at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
      at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
      at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650)
      at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
      at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.base/java.lang.Thread.run(Thread.java:832)

      FusionAuth Event Log

      Incoming SAML v2 LogoutRequest.

      Binding:
      urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

      Deflated and encoded request:
      lZFBS8QwEIXv/RUl9+4maZOtoS0KeymsHlzx4G02mdVCm9ROCvvzrV08CCJ6fbz38eZNRTD0ozmE1zDHR3yfkWJyGXpPNZsnbwJQR8bDgGSiNce7+4ORG24GjOAgAkvafc06V5alBqF351KLorBaK6VzK9XJFlI5cCx9xom64Gu2xFnaEs3Yeorg4yJxKTLBs1w8cW2kMGoxcf7C0rWKWUv+XmicQgw29KxJ0rRa8VP6h0OACKe4FGPNG4yI1faaXTEPi73d/xPjg8dbvMAw9rixYai2V8xKvM59RPrcovUOL42zSvOzPGXS2ZusyNFmIIXMtMJCCLkDC7ba/hBMvtRv32uSDw==

      Decoded XML request:
      <?xml version="1.0" encoding="UTF-8"?><samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="id8886a167f86144c665563c25bc425dad" Version="2.0" IssueInstant="2021-10-31T06:21:52.000Z">

      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">hapee</Issuer>

      <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">none@example.com</NameID>

      samlp:SessionIndexdc560f2b-2dc9-43ec-a212-65e41127acac</samlp:SessionIndex>

      </samlp:LogoutRequest>

      SP debug logs

      1635661312.256012 [00] generated random id: 8886a167f86144c665563c25bc425dad
      1635661312.256031 [00] We will send this LogoutRequest to the IDP:
      <samlp:LogoutRequest
      xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
      ID="id8886a167f86144c665563c25bc425dad" Version="2.0" IssueInstant="2021-10-31T06:21:52.000Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">hapee</Issuer>
      <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">none@example.com</NameID>
      samlp:SessionIndexdc560f2b-2dc9-43ec-a212-65e41127acac</samlp:SessionIndex>
      </samlp:LogoutRequest>

      1635661312.256088 [00] Checking ID: flags=0x11 expecting (null) (xpath=/samlp:LogoutRequest/@ID)
      1635661312.256111 [00] Checking node 0x7f79947809e0 ID (0/1): name=ID value=id8886a167f86144c665563c25bc425dad attr_type=1 expect=(null). ret=0
      1635661312.256119 [00] Checking ID: nb_nodes_total=1
      1635661312.256123 [00] LogoutRequest ID: id8886a167f86144c665563c25bc425dad
      1635661312.256207 [00] request: deflated+base64+urlencoded: lZFBS8QwEIXv%2fRUl9%2b4maZOtoS0KeymsHlzx4G02mdVCm9ROCvvzrV08CCJ6fbz38eZNRTD0ozmE1zDHR3yfkWJyGXpPNZsnbwJQR8bDgGSiNce7%2b4ORG24GjOAgAkvafc06V5alBqF351KLorBaK6VzK9XJFlI5cCx9xom64Gu2xFnaEs3Yeorg4yJxKTLBs1w8cW2kMGoxcf7C0rWKWUv%2bXmicQgw29KxJ0rRa8VP6h0OACKe4FGPNG4yI1faaXTEPi73d%2fxPjg8dbvMAw9rixYai2V8xKvM59RPrcovUOL42zSvOzPGXS2ZusyNFmIIXMtMJCCLkDC7ba%2fhBMvtRv32uSDw%3d%3d
      1635661312.256223 [00] Redirecting to idp_logout_url page http://192.168.0.250:9011/samlv2/logout/37a61d5c-67d5-3395-8cb7-f1d779f2ceef?SAMLRequest=lZFBS8QwEIXv%2FRUl9%2B4maZOtoS0KeymsHlzx4G02mdVCm9ROCvvzrV08CCJ6fbz38eZNRTD0ozmE1zDHR3yfkWJyGXpPNZsnbwJQR8bDgGSiNce7%2B4ORG24GjOAgAkvafc06V5alBqF351KLorBaK6VzK9XJFlI5cCx9xom64Gu2xFnaEs3Yeorg4yJxKTLBs1w8cW2kMGoxcf7C0rWKWUv%2BXmicQgw29KxJ0rRa8VP6h0OACKe4FGPNG4yI1faaXTEPi73d%2FxPjg8dbvMAw9rixYai2V8xKvM59RPrcovUOL42zSvOzPGXS2ZusyNFmIIXMtMJCCLkDC7ba%2FhBMvtRv32uSDw%3D%3D

      danD 1 Reply Last reply Reply Quote 0
      • danD
        dan @chk543
        last edited by

        @chk543

        Did you end up solving this?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • First post
          Last post