Wednesday, September 24, 2014

oracle.security.fed.event.EventException: Could not find the AuthnRequest associated to the Assertion

In this scenario, we have two OIF 11.1.1.7.0 servers set up on serverA acting as an IdP and serverB acting as an SP.

Start federation by going to the SP as follows:
http://10.10.107.100:7777/fed/user/testspsso

On the Initiate Federation SSO page, click Start SSO.

This directs the page to the IdP at:
http://serverA:7777/fed/idp/samlv20

On the login screen, enter a username and password that exist in the IdP.

Click Sign In.  The following error is shown on the web page:

Error 500--Internal Server Error


From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:


10.5.1 500 Internal Server Error

The server encountered an unexpected condition which prevented it from fulfilling the request.

And on the server hosting the OIF SP services, the wls_oif1-diagnostic.log shows the following:

[2014-09-24T15:48:57.688-04:00] [wls_oif1] [ERROR] [FED-15011] [oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0050xJtWyGm5Yb^pxSt1iW0000jy0000E2,0:1] [APP: OIF#11.1.1.2.0] [URI: /fed/sp/authnResponse20] Cannot find the authentication request associated with the assertion.
[2014-09-24T15:48:57.692-04:00] [wls_oif1] [ERROR] [FED-12064] [oracle.security.fed.controller.ActionStateMachine] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0050xJtWyGm5Yb^pxSt1iW0000jy0000E2,0:1] [APP: OIF#11.1.1.2.0] [URI: /fed/sp/authnResponse20] Exception: {0}[[
oracle.security.fed.event.EventException: Could not find the AuthnRequest associated to the Assertion
        at oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor.checkSubjectConfirmation(Saml20AssertionProcessor.java:1178)
        at oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor.processAssertion(Saml20AssertionProcessor.java:333)
        at oracle.security.fed.eventhandler.profiles.sp.sso.v20.ProcessResponseEventHandler.perform(ProcessResponseEventHandler.java:233)
        at oracle.security.fed.controller.ActionStateMachine.processEvent(ActionStateMachine.java:141)
        at oracle.security.fed.controller.EventControllerImpl.processEvent(EventControllerImpl.java:118)
        at oracle.security.fed.controller.ApplicationController.publishEvent(ApplicationController.java:425)
        at oracle.security.fed.controller.web.action.RequestHandlerContext.publishEvent(RequestHandlerContext.java:48)
        at oracle.security.fed.controller.web.action.RequestHandlerSupport.perform(RequestHandlerSupport.java:15)
        at oracle.security.fed.controller.ApplicationController.processServletRequest(ApplicationController.java:321)
        at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(FederationServlet.java:151)
        at oracle.security.fed.controller.web.servlet.FederationServlet.doPost(FederationServlet.java:98)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
        at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
        at java.security.AccessController.doPrivileged(Native Method)
        at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
        at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
        at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
        at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
        at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

]]

The main error is "oracle.security.fed.event.EventException: Could not find the AuthnRequest associated to the Assertion". This has to do with how the JSESSIONID is set by the IdP and transferred to the SP. Here the SSO was started against the SP at the IP address 10.10.107.100, while the SP's federation endpoints are reached as serverB; a browser scopes cookies to the host name it received them from, so the JSESSIONID is not presented on the return leg and the SP cannot match the assertion to the AuthnRequest it issued. According to Oracle Support Doc ID 1067769.1, among other things, make sure that all access to OIF uses the FQDN.
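To make the failure concrete, here is an added example (not code from the post and not Oracle's OIF implementation) that models the SP-side check in a few dozen lines of Python: a toy SP that records each outstanding AuthnRequest ID in a session keyed by a JSESSIONID cookie, and a browser cookie jar that scopes cookies by host as real browsers do. The class and function names, the ACS URL host and the simulated IdP (which simply echoes the request ID back as InResponseTo) are assumptions for illustration; the URIs are constructed from the ones in the post. Starting SSO at the IP address and returning to the FQDN reproduces the "Could not find the AuthnRequest" condition, while using the FQDN for both legs succeeds.

```python
"""Added example, not from the post or from Oracle: a simplified model of an
SP correlating an incoming SAML assertion with the AuthnRequest it issued.
All names here are hypothetical and the URLs are constructed."""

import secrets
from urllib.parse import urlsplit


class Browser:
    """Cookie jar scoped by host name, as real browsers behave: a cookie set
    for 10.10.107.100 is never sent to serverB, even if both resolve to the
    same machine."""

    def __init__(self):
        self.jar = {}  # (host, cookie name) -> value

    def set_cookie(self, url, name, value):
        self.jar[(urlsplit(url).hostname, name)] = value

    def get_cookie(self, url, name):
        return self.jar.get((urlsplit(url).hostname, name))


class ServiceProvider:
    """Minimal SP: issues AuthnRequests and remembers them per session."""

    def __init__(self, cookie_name="JSESSIONID"):
        self.cookie_name = cookie_name
        self.sessions = {}  # session id -> set of outstanding AuthnRequest IDs

    def start_sso(self, browser, start_url):
        """SP-initiated SSO: create a session cookie on the host the user
        typed, and an AuthnRequest ID the IdP must echo in InResponseTo."""
        session_id = secrets.token_hex(16)
        request_id = "_" + secrets.token_hex(16)
        self.sessions[session_id] = {request_id}
        browser.set_cookie(start_url, self.cookie_name, session_id)
        return request_id

    def consume_assertion(self, browser, acs_url, in_response_to):
        """Assertion consumer: find the AuthnRequest through the session cookie
        presented on the ACS host.  Raises LookupError when there is no match,
        the condition behind FED-15011 in the post's log."""
        session_id = browser.get_cookie(acs_url, self.cookie_name)
        outstanding = self.sessions.get(session_id, set())
        if in_response_to not in outstanding:
            raise LookupError(
                "Could not find the AuthnRequest associated to the Assertion")
        # One-shot: each request ID is honoured once, so a replayed
        # assertion with the same InResponseTo is also rejected.
        outstanding.discard(in_response_to)
        return True


def run_flow(start_url, acs_url, replay=False):
    """Drive SP-initiated SSO through the toy SP.  Returns 'ok' on success or
    the SP's error message.  With replay=True the same assertion is presented
    a second time and the result of that second attempt is returned."""
    sp = ServiceProvider()
    browser = Browser()
    request_id = sp.start_sso(browser, start_url)  # IdP echoes this ID back
    try:
        sp.consume_assertion(browser, acs_url, in_response_to=request_id)
        if replay:
            sp.consume_assertion(browser, acs_url, in_response_to=request_id)
        return "ok"
    except LookupError as exc:
        return str(exc)


# Constructed URLs mirroring the post: the ACS URI from the log on the SP's
# FQDN, and the two start URLs (IP-based, then FQDN-based).
ACS_URL = "http://serverB:7777/fed/sp/authnResponse20"
IP_START_URL = "http://10.10.107.100:7777/fed/user/testspsso"
FQDN_START_URL = "http://serverB:7777/fed/user/testspsso"

if __name__ == "__main__":
    print("IP start:   ", run_flow(IP_START_URL, ACS_URL))
    print("FQDN start: ", run_flow(FQDN_START_URL, ACS_URL))
    print("FQDN replay:", run_flow(FQDN_START_URL, ACS_URL, replay=True))
```

The same lookup failure is what an SP should produce for an unsolicited or replayed assertion, which is why the correlation check is worth keeping strict rather than relaxing it to "fix" the error; the right repair is the one the post describes, making every leg of the flow use the same host name.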

Once the request http://10.10.107.100:7777/fed/user/testspsso was changed to http://serverB:7777/fed/user/testspsso, everything worked as shown below:

