
    SAML IdP Initiated Failure

    General Discussion
    utahtwo

      I am trying to get an Identity Provider set up to use to log in to FusionAuth Admin. Specifically, I am using JumpCloud. I want to be able to use the JumpCloud User Portal, click on the SSO app, and be logged in to FA Admin automatically. I have everything, I believe, configured correctly, but when I click the link I get the error "We were unable to complete your login attempt. Please attempt the request again". Tailing the logs yields the stack trace error below. The funny thing is, the login works! If I visit the /admin path by editing the URL, I get the app fully logged in. The event log (debug enabled) shows a fully successful authentication. The problem seems to be that the redirected URL throws the error. This is the URL: "/admin/login?code=bp2p4eSm1FMWfKR_U3Jw0DJqrLgcxyLWo_SZnjCaAvs&locale=en_US&state=nnHKri9jzXMr1yrEBM7gRxNFKCh3Bsb9pTCbrOc2iDs&userState=Authenticated". If it just redirected to "/admin", I think it might work fine.

      I am using the SAML v2 IdP initiated provider. I am running FA via Docker.

      Thanks

      2022-04-01 5:39:00.406 PM ERROR io.fusionauth.app.action.BaseOAuthCallbackAction - Unable to call FusionAuth Token endpoint using code [3M_9UyKtWpEsus7HWJOeApqswYTzWO7M164cMHSKNBw].
      [1/Apr/2022:17:39:00] 2022-04-01 5:39:00.406 PM ERROR io.fusionauth.app.action.BaseOAuthCallbackAction - Returned Exception
      [1/Apr/2022:17:39:00] java.lang.NullPointerException: Cannot invoke "String.length()" because "s" is null
      [1/Apr/2022:17:39:00] at java.base/java.net.URLEncoder.encode(URLEncoder.java:224)
      [1/Apr/2022:17:39:00] at java.base/java.net.URLEncoder.encode(URLEncoder.java:196)
      [1/Apr/2022:17:39:00] at com.inversoft.rest.FormDataBodyHandler.lambda$serializeRequest$0(FormDataBodyHandler.java:63)
      [1/Apr/2022:17:39:00] at java.base/java.util.HashMap.forEach(HashMap.java:1421)
      [1/Apr/2022:17:39:00] at com.inversoft.rest.FormDataBodyHandler.serializeRequest(FormDataBodyHandler.java:57)
      [1/Apr/2022:17:39:00] at com.inversoft.rest.FormDataBodyHandler.setHeaders(FormDataBodyHandler.java:49)
      [1/Apr/2022:17:39:00] at com.inversoft.rest.RESTClient.go(RESTClient.java:232)
      [1/Apr/2022:17:39:00] at io.fusionauth.client.FusionAuthClient.exchangeOAuthCodeForAccessTokenUsingPKCE(FusionAuthClient.java:1600)
      [1/Apr/2022:17:39:00] at io.fusionauth.app.action.BaseOAuthCallbackAction.exchangeCodeForToken(BaseOAuthCallbackAction.java:64)
      [1/Apr/2022:17:39:00] at io.fusionauth.app.action.admin.LoginAction.get(LoginAction.java:84)
      [1/Apr/2022:17:39:00] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      [1/Apr/2022:17:39:00] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
      [1/Apr/2022:17:39:00] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      [1/Apr/2022:17:39:00] at java.base/java.lang.reflect.Method.invoke(Method.java:568)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:44)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:91)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:64)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at io.fusionauth.app.primeframework.CORSFilter.doFilter(CORSFilter.java:262)
      [1/Apr/2022:17:39:00] at io.fusionauth.app.primeframework.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:49)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
      [1/Apr/2022:17:39:00] at io.fusionauth.app.primeframework.FusionAuthMVCWorkflow.perform(FusionAuthMVCWorkflow.java:86)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
      [1/Apr/2022:17:39:00] at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:78)
      [1/Apr/2022:17:39:00] at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:63)
      [1/Apr/2022:17:39:00] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      [1/Apr/2022:17:39:00] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      [1/Apr/2022:17:39:00] at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
      [1/Apr/2022:17:39:00] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      [1/Apr/2022:17:39:00] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      [1/Apr/2022:17:39:00] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:196)
      [1/Apr/2022:17:39:00] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
      [1/Apr/2022:17:39:00] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
      [1/Apr/2022:17:39:00] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
      [1/Apr/2022:17:39:00] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
      [1/Apr/2022:17:39:00] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
      [1/Apr/2022:17:39:00] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
      [1/Apr/2022:17:39:00] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
      [1/Apr/2022:17:39:00] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
      [1/Apr/2022:17:39:00] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
      [1/Apr/2022:17:39:00] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650)
      [1/Apr/2022:17:39:00] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      [1/Apr/2022:17:39:00] at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
      [1/Apr/2022:17:39:00] at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
      [1/Apr/2022:17:39:00] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      [1/Apr/2022:17:39:00] at java.base/java.lang.Thread.run(Thread.java:833)

        dan

        @utahtwo

        Hmmm, this indicates that the authorization code grant (which happens internally during SAML logins) did not complete.

        What version of FusionAuth are you using? There was a similar bug fixed in version 1.34.1: https://github.com/FusionAuth/fusionauth-issues/issues/1606

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

          robotdan @dan

          @dan

          This may also be related to our usage of PKCE. I think there is a fix for this exception in the latest version of FusionAuth.

          [1/Apr/2022:17:39:00] 2022-04-01 5:39:00.406 PM ERROR io.fusionauth.app.action.BaseOAuthCallbackAction - Returned Exception
          [1/Apr/2022:17:39:00] java.lang.NullPointerException: Cannot invoke "String.length()" because "s" is null

            utahtwo @robotdan
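The two replies above point at the same spot: the internal authorization code grant that runs after a SAML login, and its PKCE token exchange, blew up while a form body was being serialized because one value was null. The following is an added illustration, not FusionAuth's or the forum's code: it generates a PKCE verifier/challenge pair, shows the token endpoint's S256 check, then contrasts a naive form serializer (which fails inside the encoder when `code_verifier` is missing, the Python analogue of the `NullPointerException` in `URLEncoder.encode`) with a variant that validates the required fields before encoding and reports which one was absent. The client id, redirect URI and authorization code are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote

# Constructed sample values, not taken from the thread above.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"            # placeholder application id
REDIRECT_URI = "https://fusionauth.example.test/admin/login"  # placeholder callback host
SAMPLE_CODE = "constructed-authorization-code"


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) with padding stripped (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge). The client keeps the verifier until the
    callback; only the challenge travels in the authorize request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def challenge_matches(verifier, challenge):
    """The token endpoint's check: S256(code_verifier) must equal the challenge it
    stored when the authorization code was issued. Constant-time comparison."""
    return secrets.compare_digest(s256_challenge(verifier), challenge)


def serialize_form(fields):
    """Minimal x-www-form-urlencoded serializer in the style of a generic REST client:
    every key and value is encoded unconditionally. quote() rejects None, so a
    missing value fails here, inside the encoder, with no hint of which field it was."""
    return "&".join(quote(k, safe="") + "=" + quote(v, safe="") for k, v in fields.items())


def serialize_or_error(fields):
    """Run the naive serializer and return the failure as text instead of a traceback."""
    try:
        return serialize_form(fields)
    except TypeError as exc:
        return "TypeError: " + str(exc)


def token_request_fields(code, code_verifier, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Fields of an authorization_code grant with PKCE."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def missing_fields(fields):
    """Names of fields that are None or empty, checked before any encoding happens."""
    return [k for k, v in fields.items() if not v]


def build_token_request(code, code_verifier, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Hardened variant: validate first, then serialize. A PKCE verifier that did not
    survive to the callback now yields a descriptive ValueError naming the field."""
    fields = token_request_fields(code, code_verifier, client_id, redirect_uri)
    missing = missing_fields(fields)
    if missing:
        raise ValueError("token request is missing required field(s): " + ", ".join(missing))
    return serialize_form(fields)


def demo():
    """Happy path, the naive serializer's crash on a lost verifier, and the S256 check."""
    verifier, challenge = make_pkce_pair()
    ok_body = build_token_request(SAMPLE_CODE, verifier)
    crash = serialize_or_error(token_request_fields(SAMPLE_CODE, None))
    return ok_body, crash, challenge_matches(verifier, challenge)


if __name__ == "__main__":
    body, crash, matched = demo()
    print("happy path body:", body)
    print("naive serializer with no verifier:", crash)
    print("verifier matches challenge:", matched)
```

When reading a trace like the one in the first post, the useful diagnostic is which form field was null, which the naive serializer never tells you; validating the fields up front turns a generic encoder failure into an error that says the PKCE state for that login was not present at the callback.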

            @robotdan I'm using 1.35.0

              robotdan @utahtwo

              @utahtwo I believe this is resolved in 1.36.0; if you can upgrade, see if that solves it for you.

              https://fusionauth.io/docs/v1/tech/release-notes

                utahtwo @robotdan

                @robotdan Yep! That did the trick. 1.36 resolved my issue. I do have another quick question. Can I use the same SAML configuration to do both IdP-initiated and non-IdP-initiated login? Right now I have 2 SAML configs, one for IdP-initiated, and the other that redirects to JumpCloud when you try to log in to FA. It would be nice to have one that works for both, but maybe my configuration is the preferred way?

                Basically, I want to make it really easy to log in: log in from the JC user console, or go to fusion.myorg.com, which sends you to JC to authenticate.

                Thanks

                  robotdan @utahtwo

                  @utahtwo Currently this requires two different configurations. We initially tried to do it all within one IdP, but each mode requires different configuration and has unique security constraints. It seemed simpler for all involved to make them separate IdP configurations.

                  If there is a use case that breaks due to this design decision, please open a GitHub issue and outline the use case so we can better understand your needs. Thanks!
