FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    SAML error 500 (version 1.7.4)

    Scheduled Pinned Locked Moved
    Q&A
    3
    9
    3.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jmarin
      last edited by

      Hello. I started using docker FusionAuth v 1.6.1 with OAuth. Then tried to use FusionAuth as IdP with SAML it not worked. Metadata was wrong.
      After reading a lot about it I upgraded step by step to v 1.7.4 which is supposed to has some bug fixed about it. The service provider uptaded our new metadata and it worked, but, during SAML authentication process FusionAuth shows an error 500 (internal server error).

      The logs I can see in FA is:

      PM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
	at io.fusionauth.samlv2.service.DefaultSAMLv2Service.parseRequest(DefaultSAMLv2Service.java:471)
	at io.fusionauth.app.action.samlv2.LoginAction.get(LoginAction.java:92)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:436)
	at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:84)
	at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:64)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:45)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:89)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:57)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
	at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:91)
	at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
	at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
	at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:84)
	at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

      The parameters I can see in the last call the browser does before obtaining the error are:
      SAMLRequest, RelayState, SigAlg, and Signature.

      Y have tried allmost everything; but I can not make it work.

      1 Reply Last reply Reply Quote 0
      • danD
        dan
        last edited by dan

        Hi,

        The latest version of FusionAuth is 1.17.0. 1.7.4 is quite a few versions behind. Can you go through the upgrade steps in the release notes? Or perhaps test with a separate server to see if 1.17.0 works with the SAML SP you need?

        Which SP are you trying to use FusionAuth as the IdP for?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        J 1 Reply Last reply Reply Quote 0
        • J
          jmarin @dan
          last edited by

          Hello @dan,
          I plan to upgrade to the latest version in a near future. I already tried upgrading in testing environment but it was unsuccessful to continue ahead version 1.7.4 because upgrade errors (I have to review this later), and I have to be sure before doing it in production environment. Anyway it is supposed version 1.7.4 has the SAML bugs fixed, as I didn't find anything more related to SAML on release notes after that version.

          I don't fully understand the SAML integration process with FusionAuth, because I couldn't find a place to upload the SP metadata into FusionAuth (and I'm not sure if I have to do that).

          The SP is Rosetta Stone (https://www.rosettastone.com/)

          0bf689ec-c8fc-4422-898b-aa343186d191-imagen.png

          1 Reply Last reply Reply Quote 0
          • danD
            dan
            last edited by

            Hmmm.

            The SAML metadata goes into the "SAML" tab of your application. Here's an example with Zendesk: https://fusionauth.io/docs/v1/tech/samlv2/zendesk

            I see you have excerpted that tab. Is there metadata that doesn't fit there?

            If you are looking to modify metadada on a user by user basis, you probably want the reconciliation lambda, documented here: https://fusionauth.io/docs/v1/tech/lambdas/samlv2-response-reconcile

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            1 Reply Last reply Reply Quote 0
            • robotdanR
              robotdan
              last edited by

              @jmarin the fix you're looking for is was in FusionAuth version 1.11.0, if you upgrade to version 1.11.0 or later this issues should be resolved. https://fusionauth.io/docs/v1/tech/release-notes#version-1-11-0

              J 1 Reply Last reply Reply Quote 1
              • J
                jmarin @robotdan
                last edited by jmarin

                @dan, the SP provider sent me their metadata as an xml file, and I didn't find how to import it to FusionAuth. I already did read documentation and it is not clear to me what lambda are and how it work.

                @robotdan, I will try upgrading to version 1.11.0 or the latest one if it is possible. Just, in my tests, upgrade from 1.7.4 to 1.8.0 RC1 failed. I'm using docker and was upgrading one next version at time to allow db migration the right way, as I understand. I need to find how to do it.

                Thanks you both

                1 Reply Last reply Reply Quote 2
                • danD
                  dan
                  last edited by

                  @jmarin Ah, we don't handle direct import from XML of SAML metadata. You'll need to consult their docs and map what is in the file into the settings in the SAML tab. Please feel free to post a question here if there are difficulties.

                  --
                  FusionAuth - Auth for devs, built by devs.
                  https://fusionauth.io

                  J 1 Reply Last reply Reply Quote 1
                  • J
                    jmarin @dan
                    last edited by

                    @dan I already did that at first instance, but there is a lot more metadata to include.

                    danD 1 Reply Last reply Reply Quote 0
                    • danD
                      dan @jmarin
                      last edited by

                      @jmarin Interesting. What instructions are you working off of from Rosetta Stone?

                      --
                      FusionAuth - Auth for devs, built by devs.
                      https://fusionauth.io

                      1 Reply Last reply Reply Quote 0
                      • F fred.fred referenced this topic on
                      • First post
                        Last post