SungHoon_Kim

SAML 2.0 Assertion received and throwing exception.

Blog Post created by SungHoon_Kim Employee on May 22, 2016

Use case:

 

SiteMinder is the Service Provider.

After receiving the assertion, there is an exception in the FWSTrace.log as below.

Obviously, the user cannot federate.

 

FWSTrace.log

[05/23/2016][09:38:30.310][8808][3708316560][Saml2Validator.java][saveSAMLData][3a195307-4c90cb16-22c35e7e-355ef50c-70d3cbe3-01c][][][][][][][][][][][][][][][][][][][][Exception:

java.lang.ArrayIndexOutOfBoundsException: 0

at com.netegrity.util.SAMLData.toString(SAMLData.java:654)

at com.netegrity.ps.auth.saml.Saml2Validator.saveSAMLData(Saml2Validator.java:346)

at com.netegrity.ps.auth.saml.Saml2Validator.smAuthenticate(Saml2Validator.java:1193)

at com.netegrity.ps.auth.saml.SamlValidator.smAuthenticate(SamlValidator.java:379)

 

The above exception occurs while processing the attributes in the assertion.

SAMLData.java:654 is where it was trying to parse the elements under <AttributeStatement>, and because it could not find some information, it threw this exception.

 

The <AttributeStatement> contains several attributes and their values.

At times an attribute may have an empty value, and that can be normal.

But it needs to be conveyed correctly; otherwise it can cause this type of exception.

 

Sample as below.

Sample SAML Response

<Response>

    <Assertion>

    ...

        <AttributeStatement>

           <Attribute Name="abc">

               <AttributeValue>xyz</AttributeValue>

           </Attribute>

           <Attribute Name="def"></Attribute>

        </AttributeStatement>

    </Assertion>

</Response>

  

 

When the IdP side was generating the SAML Response, it returned a null value for the "def" attribute, so the element was generated accordingly.

But it should have been <Attribute Name="def"><AttributeValue></AttributeValue></Attribute>, not <Attribute Name="def"></Attribute>.

 

So, in this case, this exception is expected behavior.
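To confirm this condition in a captured response, the following added example (not part of the original post and not SiteMinder code) lists every <Attribute> that has no <AttributeValue> child. It assumes the SAML Response has already been base64-decoded to XML text; the function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's response (namespaces omitted as in the post).
SAMPLE = """<Response>
  <Assertion>
    <AttributeStatement>
      <Attribute Name="abc">
        <AttributeValue>xyz</AttributeValue>
      </Attribute>
      <Attribute Name="def"></Attribute>
      <Attribute Name="ghi"><AttributeValue></AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</Response>"""


def local(tag):
    """Strip any '{namespace}' prefix so namespaced and bare documents both match."""
    return tag.rsplit("}", 1)[-1]


def attributes_without_value(xml_text):
    """Return the Names of <Attribute> elements that carry no <AttributeValue> child."""
    if "<!DOCTYPE" in xml_text:
        # A SAML message has no need for a DTD; refuse it rather than parse entities.
        raise ValueError("DOCTYPE not allowed in SAML message")
    root = ET.fromstring(xml_text)
    missing = []
    for el in root.iter():
        if local(el.tag) != "Attribute":
            continue
        values = [c for c in el if local(c.tag) == "AttributeValue"]
        if not values:
            # This is the shape that led to the exception described in the post.
            missing.append(el.get("Name"))
    return missing


if __name__ == "__main__":
    for name in attributes_without_value(SAMPLE):
        print(f'Attribute "{name}" has no <AttributeValue> element')
```

An attribute with an empty but present <AttributeValue>, such as "ghi" in the sample, is not reported, which matches the form the post says the IdP should send.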
