integrating saml2-sample with an OpenAM IdP

  • integrating saml2-sample with an OpenAM IdP

    Hi there,

    Has anyone out there experienced success extending the saml2-sample so that it communicates with an OpenAM Identity Provider?

    I've followed steps that were similar to the SSO Circle IdP quick start section of the "Spring Security SAML Extension - Reference Documentation" [saml2-doc/SpringSecurity SAML - documentation 3.0.pdf]

    My current blocker is that login (from the sample app) leads to a 500 error on the OpenAM server. The underlying exception is:

    libSAML2:01/26/2013 08:41:07:939 AM UTC: Thread[http-8080-5,5,main]
    ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.
    at com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.getNameID(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(
    at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(
    at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(
    at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(
    at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(

    Of course, it's quite possible that the problem lies in my OpenAM configuration. I will be grateful for any ideas.

    Thank you,
    Last edited by cailie; Jan 26th, 2013, 08:38 PM.

  • #2

    OpenAM is probably trying to generate a Name ID (identifier of the user returned in the SAML Assertion) from the user's e-mail address, but the e-mail is missing in the user's profile. Just add an e-mail to the account you're authenticating with and the error should disappear. The other option is to change the NameID which your SP requests from OpenAM. To do this, modify the bean WebSSOProfileOptions inside samlEntryPoint by adding the property nameID with e.g. the value "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". Some details about this can be found in chapter 4.7 of the manual.

    Vladimír Schäfer
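    The second option from #2, written out as a Spring XML fragment. This is an added example, not code from the post or from the saml2-sample itself; the bean id samlEntryPoint is the one named in the post, the class names are those of the Spring Security SAML extension, and the chosen format (persistent) and allowCreate value are illustrative choices rather than anything the thread prescribes.

```xml
<!-- Added example: SP entry point that asks the IdP for a persistent NameID.
     Bean id "samlEntryPoint" is the one named in the post; class names are those
     of the Spring Security SAML extension; the nameID format and allowCreate
     values are illustrative choices, not the sample's shipped configuration. -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="defaultProfileOptions">
        <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <!-- Setting carried over from the sample's own configuration -->
            <property name="includeScoping" value="false"/>

            <!-- NameIDPolicy Format placed in the outgoing AuthnRequest.
                 When this property is left unset, the SP expresses no preference
                 and the IdP chooses the format (and the profile attribute it
                 derives the value from) on its own. -->
            <property name="nameID" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>

            <!-- NameIDPolicy AllowCreate: let the IdP mint a new persistent
                 identifier for this user/SP pair if none exists yet. -->
            <property name="allowCreate" value="true"/>
        </bean>
    </property>
</bean>
```

    After this change the AuthnRequest the SP sends carries a NameIDPolicy element with that Format and AllowCreate="true"; capturing the request in a browser SAML tracer is the quickest way to confirm it is actually being sent. The IdP still has to list the requested format among the NameID formats it supports, so check the OpenAM IdP's configured NameID formats before relying on it. A persistent NameID is an opaque identifier that is stable for one SP, which keeps the e-mail address out of the assertion's Subject; a transient format is the choice when no stable identifier should be exposed at all.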


  • #3

    Hi Vladimír,

    You are right! The authenticated user had no email address configured. To fix this, I went to the "Subjects" tab of the OpenAM admin GUI, and entered an email address in that user's profile.

    Now the saml2-sample login action succeeds.

    Thank you very much!