Layer7 API Management


SAML Web SSO between Salesforce and Layer 7 - getting Null pointer exception

  • 1.  SAML Web SSO between Salesforce and Layer 7 - getting Null pointer exception

    Posted Jun 05, 2015 03:23 PM

    We tried to set up SAML Web SSO between Salesforce and Layer 7 Gateway based on the product documentation steps and we are encountering a null pointer exception.


    Exceptions from server log files:

    2015-06-05T18:26:03.730+0530 SEVERE  450 com.l7tech.server.SoapMessageProcessingServlet: java.lang.NullPointerException
    1. java.lang.NullPointerException
            at com.l7tech.external.assertions.samlissuer.server.ServerSamlIssuerAssertion.checkRequest(Unknown Source)
            at com.l7tech.server.policy.assertion.composite.ServerCompositeAssertion.iterateChildren(Unknown Source)
            at com.l7tech.server.policy.assertion.composite.ServerAllAssertion.checkRequest(Unknown Source)
            at com.l7tech.server.policy.ServerPolicy.checkRequest(Unknown Source)
            at com.l7tech.server.policy.x.call(Unknown Source)
            at com.l7tech.server.policy.x.call(Unknown Source)
            at com.l7tech.common.log.HybridDiagnosticContext.doInContext(Unknown Source)

    2015-06-05T18:26:03.734+0530 INFO    450 com.l7tech.server.message: Processing request for service: /connect/enterprise/federation/idpinit [/connect/enterprise/federation/idpinit]
    2015-06-05T18:26:03.734+0530 INFO    450 com.l7tech.server.policy.assertion.credential.http.ServerHttpBasic: 4104: Found user: XXXX@XX.XX
    2015-06-05T18:26:03.735+0530 INFO    450 com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: User is part of Salesforce group
    2015-06-05T18:26:03.735+0530 INFO    450 com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: User is valid
    2015-06-05T18:26:03.736+0530 INFO    450 com.l7tech.server.MessageProcessor: 3017: Policy evaluation for service /connect/enterprise/federation/idpinit [193e74c48159d668dcfece96e24c3220] resulted in status -1 (Undefined)

    The user is authenticated, but the server throws a null pointer exception and we are not able to proceed further.

    The response we received from the browser is:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Body>
            <soapenv:Fault>
                <faultcode>soapenv:Server</faultcode>
                <faultstring>Error in assertion processing</faultstring>
                <faultactor>
                    https://kumji01-i130947.ca.com:8443/connect/enterprise/federation/idpinit
                </faultactor>
                <detail>
                    <l7:policyResult xmlns:l7="http://www.layer7tech.com/ws/policy/fault" status="java.lang.NullPointerException"/>
                </detail>
            </soapenv:Fault>
        </soapenv:Body>
    </soapenv:Envelope>

    Any pointers would be helpful.

    -Bala



  • 2.  Re: SAML Web SSO between Salesforce and Layer 7 - getting Null pointer exception

    Broadcom Employee
    Posted Jun 09, 2015 04:38 AM

    Difficult to tell without your policy.

     

    Here is my sample policy.

    It's pointing to my dev account on SFDC but will give you the idea.

    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
        <wsp:All wsp:Usage="Required">
            <L7p:AuditAssertion/>
            <L7p:HttpBasic/>
            <L7p:Authentication>
                <L7p:IdentityProviderOid longValue="-2"/>
            </L7p:Authentication>
            <L7p:CommentAssertion>
                <L7p:Comment stringValue="Feel free to plug in your own provider here"/>
            </L7p:CommentAssertion>
            <wsp:All wsp:Usage="Required">
                <L7p:SetVariable>
                    <L7p:Base64Expression stringValue="aHR0cHM6Ly9sb2dpbi5zYWxlc2ZvcmNlLmNvbQ=="/>
                    <L7p:VariableToSet stringValue="authnRequest.acsUrl"/>
                </L7p:SetVariable>
                <L7p:SetVariable>
                    <L7p:Base64Expression stringValue="aHR0cHM6Ly9zYW1sLnNhbGVzZm9yY2UuY29t"/>
                    <L7p:VariableToSet stringValue="authnRequest.issuer"/>
                </L7p:SetVariable>
                <L7p:AuditDetailAssertion>
                    <L7p:Detail stringValue="Identity Provider initiated Web SSO"/>
                    <L7p:Level stringValue="WARNING"/>
                </L7p:AuditDetailAssertion>
                <L7p:CommentAssertion>
                    <L7p:Comment stringValue="TO DO: Set the right private key for issuing SAML below"/>
                </L7p:CommentAssertion>
                <L7p:SamlIssuer>
                    <L7p:AssertionComment assertionComment="included">
                        <L7p:Properties mapValue="included">
                            <L7p:entry>
                                <L7p:key stringValue="LEFT.COMMENT"/>
                                <L7p:value stringValue="SAML Token"/>
                            </L7p:entry>
                        </L7p:Properties>
                    </L7p:AssertionComment>
                    <L7p:AttributeStatement samlAttributeInfo="included">
                        <L7p:Attributes samlAttributeElementInfoArray="included">
                            <L7p:item samlAttributeElementInfo="included">
                                <L7p:Name stringValue="ssostartpage"/>
                                <L7p:Namespace stringValue=""/>
                                <L7p:Value stringValue="http://irishman:8080/salesforce_saml2"/>
                            </L7p:item>
                        </L7p:Attributes>
                    </L7p:AttributeStatement>
                    <L7p:AudienceRestriction stringValue="${authnRequest.issuer}"/>
                    <L7p:AuthenticationStatement samlAuthenticationInfo="included">
                        <L7p:AuthenticationMethods stringArrayValue="included"/>
                        <L7p:IncludeAuthenticationContextDeclaration booleanValue="false"/>
                    </L7p:AuthenticationStatement>
                    <L7p:ConditionsNotBeforeSecondsInPast intValue="300"/>
                    <L7p:ConditionsNotOnOrAfterExpirySeconds intValue="300"/>
                    <L7p:Enabled booleanValue="false"/>
                    <L7p:KeyAlias stringValue="ssl"/>
                    <L7p:NameIdentifierType nameIdentifierType="SPECIFIED"/>
                    <L7p:NameIdentifierValue stringValue="aranw@me.com"/>
                    <L7p:NameQualifier stringValue=""/>
                    <L7p:NonDefaultKeystoreId longValue="2"/>
                    <L7p:SignAssertion booleanValue="false"/>
                    <L7p:SubjectConfirmationDataNotOnOrAfterExpirySeconds intValue="300"/>
                    <L7p:SubjectConfirmationDataRecipient stringValue="https://login.salesforce.com"/>
                    <L7p:SubjectConfirmationMethodUri stringValue="urn:oasis:names:tc:SAML:1.0:cm:bearer"/>
                    <L7p:UsesDefaultKeyStore booleanValue="false"/>
                    <L7p:Version boxedIntegerValue="2"/>
                </L7p:SamlIssuer>
                <L7p:SamlIssuer>
                    <L7p:AttributeStatement samlAttributeInfo="included">
                        <L7p:Attributes samlAttributeElementInfoArray="included">
                            <L7p:item samlAttributeElementInfo="included">
                                <L7p:Name stringValue="email"/>
                                <L7p:NameFormat stringValue="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
                                <L7p:Namespace stringValue=""/>
                                <L7p:Value stringValue="${request.autheticateduser}"/>
                            </L7p:item>
                        </L7p:Attributes>
                    </L7p:AttributeStatement>
                    <L7p:AudienceRestriction stringValue="https://saml.salesforce.com"/>
                    <L7p:AuthenticationStatement samlAuthenticationInfo="included">
                        <L7p:AuthenticationMethods stringArrayValue="included"/>
                        <L7p:IncludeAuthenticationContextDeclaration booleanValue="false"/>
                    </L7p:AuthenticationStatement>
                    <L7p:ConditionsNotBeforeSecondsInPast intValue="120"/>
                    <L7p:ConditionsNotOnOrAfterExpirySeconds intValue="300"/>
                    <L7p:CustomIssuerFormat stringValue="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
                    <L7p:CustomIssuerNameQualifier stringValue="ssg62.aran.com"/>
                    <L7p:NameIdentifierFormat stringValue="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
                    <L7p:NameQualifier stringValue=""/>
                    <L7p:SubjectConfirmationDataAddress stringValue="test"/>
                    <L7p:SubjectConfirmationDataNotOnOrAfterExpirySeconds intValue="300"/>
                    <L7p:SubjectConfirmationDataRecipient stringValue="https://login.salesforce.com"/>
                    <L7p:SubjectConfirmationMethodUri stringValue="urn:oasis:names:tc:SAML:1.0:cm:bearer"/>
                    <L7p:Version boxedIntegerValue="2"/>
                </L7p:SamlIssuer>
            </wsp:All>
            <L7p:SamlpResponseBuilder>
                <L7p:AddIssuer booleanValue="true"/>
                <L7p:InResponseTo stringValue="${authnRequest.Id}"/>
                <L7p:KeyAlias stringValue="ssl"/>
                <L7p:NonDefaultKeystoreId longValue="2"/>
                <L7p:OtherTargetMessageVariable stringValue="signedResponse"/>
                <L7p:ResponseAssertions stringValue="${issuedSamlAssertion}"/>
                <L7p:SignResponse booleanValue="true"/>
                <L7p:StatusDetail stringValue=""/>
                <L7p:StatusMessage stringValue=""/>
                <L7p:Target target="OTHER"/>
                <L7p:UsesDefaultKeyStore booleanValue="false"/>
            </L7p:SamlpResponseBuilder>
            <L7p:EncodeDecode>
                <L7p:SourceVariableName stringValue="signedResponse"/>
                <L7p:TargetDataType variableDataType="string"/>
                <L7p:TargetVariableName stringValue="samlResponseB64"/>
                <L7p:TransformType transformType="BASE64_ENCODE"/>
            </L7p:EncodeDecode>
            <L7p:AuditDetailAssertion>
                <L7p:Detail stringValue="${signedResponse.mainpart}"/>
            </L7p:AuditDetailAssertion>
            <wsp:OneOrMore wsp:Usage="Required">
                <wsp:All wsp:Usage="Required">
                    <L7p:ComparisonAssertion>
                        <L7p:CaseSensitive booleanValue="false"/>
                        <L7p:Expression1 stringValue="${request.http.parameter.debug}"/>
                        <L7p:Expression2 stringValue="true"/>
                        <L7p:Predicates predicates="included">
                            <L7p:item binary="included">
                                <L7p:CaseSensitive booleanValue="false"/>
                                <L7p:RightValue stringValue="true"/>
                            </L7p:item>
                        </L7p:Predicates>
                    </L7p:ComparisonAssertion>
                    <L7p:HardcodedResponse>
                        <L7p:Base64ResponseBody stringValue="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"/>
                        <L7p:ResponseContentType stringValue="text/html; charset=UTF-8"/>
                    </L7p:HardcodedResponse>
                </wsp:All>
                <L7p:HardcodedResponse>
                    <L7p:Base64ResponseBody stringValue="PEhUTUw+CiAgPEJPRFkgT25sb2FkPSJkb2N1bWVudC5mb3Jtc1swXS5zdWJtaXQoKSI+CiAgICA8Rk9STSBNRVRIT0Q9IlBPU1QiIEFDVElPTj0iaHR0cHM6Ly9hcmFudy1kZXYtZWQubXkuc2FsZXNmb3JjZS5jb20gIj4KICAgICAgPElOUFVUIFRZUEU9IkhJRERFTiIgTkFNRT0iU0FNTFJlc3BvbnNlIiBWQUxVRT0iJHtzYW1sUmVzcG9uc2VCNjR9Ii8+CiAgICAgIDxJTlBVVCBUWVBFPSJISURERU4iIE5BTUU9IlJlbGF5U3RhdGUiIFZBTFVFPSJodHRwczovL25hNy5zYWxlc2ZvcmNlLmNvbS9ob21lL2hvbWUuanNwIi8+CiAgPC9CT0RZPgo8L0hUTUw+Cg=="/>

                    <L7p:ResponseContentType stringValue="text/html; charset=UTF-8"/>
                </L7p:HardcodedResponse>
            </wsp:OneOrMore>
        </wsp:All>
    </wsp:Policy>
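
When reviewing an exported policy like the one posted above, it helps to decode the `Base64*` fields, list each SAML issuer assertion's enabled and signing flags, and find `${...}` context variables that are referenced but never assigned in the policy. The following is an added example, not code from the thread or from the Layer 7 product; `review_policy`, `flag` and `SETTERS` are hypothetical names, the fragment is constructed from the posted policy, and the treatment of `request.*` and `issuedSamlAssertion` as gateway-provided is an assumption.

```python
import base64, binascii, re
import xml.etree.ElementTree as ET

L7P = "{http://www.layer7tech.com/ws/policy}"
# Constructed fragment, cut down from the sample policy in the reply above.
SAMPLE = """<wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"><wsp:All>
  <L7p:SetVariable>
    <L7p:Base64Expression stringValue="aHR0cHM6Ly9zYW1sLnNhbGVzZm9yY2UuY29t"/>
    <L7p:VariableToSet stringValue="authnRequest.issuer"/>
  </L7p:SetVariable>
  <L7p:SamlIssuer>
    <L7p:AudienceRestriction stringValue="${authnRequest.issuer}"/>
    <L7p:Enabled booleanValue="false"/>
    <L7p:SignAssertion booleanValue="false"/>
  </L7p:SamlIssuer>
  <L7p:SamlpResponseBuilder>
    <L7p:InResponseTo stringValue="${authnRequest.Id}"/>
    <L7p:OtherTargetMessageVariable stringValue="signedResponse"/>
    <L7p:ResponseAssertions stringValue="${issuedSamlAssertion}"/>
  </L7p:SamlpResponseBuilder>
</wsp:All></wsp:Policy>"""
# Elements whose stringValue names a variable the policy itself assigns.
SETTERS = ("VariableToSet", "TargetVariableName", "OtherTargetMessageVariable")

def flag(parent, tag):
    """booleanValue of a direct child element, or None when it is absent."""
    child = parent.find(L7P + tag)
    return None if child is None else child.get("booleanValue")

def review_policy(xml_text):
    decoded, assigned, used, issuers = [], set(), set(), []
    for el in ET.fromstring(xml_text).iter():
        name, val = el.tag.replace(L7P, ""), el.get("stringValue", "")
        if name.startswith("Base64"):
            try:  # opaque Base64* fields hold URLs or HTML; show them in clear
                decoded.append((name, base64.b64decode(val, validate=True).decode()))
            except (binascii.Error, UnicodeDecodeError):
                decoded.append((name, None))  # not valid Base64 text
        elif name in SETTERS:
            assigned.add(val)
        elif name == "SamlIssuer":  # assumption: no <Enabled> child means active
            issuers.append({"enabled": flag(el, "Enabled") != "false",
                            "signed": flag(el, "SignAssertion")})
        used.update(re.findall(r"\$\{([^}]+)\}", val))
    # Assumption: request.* comes from the gateway, issuedSamlAssertion from the
    # SAML issuer assertion; any other variable must be assigned in the policy.
    known = lambda v: (v.startswith("request.") or v == "issuedSamlAssertion"
                       or any(v == a or v.startswith(a + ".") for a in assigned))
    return decoded, issuers, sorted(v for v in used if not known(v))
```

Calling `review_policy` on a full policy export returns the decoded fields, one entry per SAML issuer assertion, and the unassigned variable names, which are the places to check first when an assertion fails at runtime.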