I am having an issue with the Spring Security demo by Vladimir. When I change the binding and assertion consumer service to HTTP-POST by default, I get the following error...
IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Cannot resolve element with ID xxxx
...as a result of an XMLSignatureException.
I have noticed that OpenAM is trying to redirect me to http://localhost:8080/SSOPOST/metaAlias/idp; however, in the IdP metadata it is specified as http://localhost:8080/openam/SSOPOST/metaAlias/idp.
Obviously I am getting a 404 error, but I can't work out why it is redirecting me to an SSOPOST URL without the application context.
Scrolling up the logs, I can see an earlier getRemoteServiceURL NullPointerException, but from what I have read this is part of normal OpenAM logs?
My configuration authenticates fine to OpenAM with the default SOAP settings. Why would HTTP-POST be any different?
Just to let everyone know, I contacted ForgeRock and worked through the issue with them. This problem is related to the following issue: https://bugster.forgerock.org/jira/browse/OPENAM-2644
It is actually a bug in OpenAM which was exposed by the latest Java update (version 1.7.0_25). The temporary solution (until OpenAM 10.2 is released) is to revert to a previous version of Java.
Reverting to Java version 1.7.0_21 fixed the issue for me.
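For anyone hitting the same "Cannot resolve element with ID" message elsewhere, here is an added worked example (it is not code from the original post, from the Spring Security demo, or from OpenAM) showing what that error means at the javax.xml.crypto.dsig level. A ds:Reference with URI="#someId" can only be dereferenced if the DOM knows which attribute is the element's ID attribute. Before JDK 7u25 the JDK's dereferencer fell back to scanning the document for attributes named ID/Id/id; from 7u25 on that fallback is gone, so the ID must be declared via a DTD/schema or registered with Element.setIdAttribute (or DOMValidateContext.setIdAttributeNS) before validation, otherwise the Reference cannot be resolved. That OpenAM's fix for OPENAM-2644 does exactly this is my assumption, not something stated in the ticket summary above. The class and method names (IdResolutionDemo, signSample, verify), the toy Assertion element and the ID value are constructed for the example and are not real SAML.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class IdResolutionDemo {
    // Constructed sample ID; real SAML assertion IDs are random xs:ID values.
    static final String ASSERTION_ID = "_demo-assertion-1";
    // URI string rather than SignatureMethod.RSA_SHA256 so this compiles on Java 7/8 too.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required: ds:Signature is namespaced
        return dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter sw = new StringWriter();
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();
    }

    // Sign a constructed toy element (not a real SAML assertion) with an enveloped
    // signature whose single Reference points at the element by ID: URI="#ID".
    static String signSample(KeyPair kp) throws Exception {
        Document doc = parse("<Assertion ID=\"" + ASSERTION_ID + "\"><Subject>alice</Subject></Assertion>");
        Element root = doc.getDocumentElement();
        root.setIdAttribute("ID", true); // the signer has to resolve "#ID" as well

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + ASSERTION_ID,
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        // KeyInfo omitted: the verifier below is handed the public key directly.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), root));
        return serialize(doc);
    }

    // Re-parse the signed document (as a relying party receiving a POST binding would)
    // and validate the signature. registerId controls whether the ID attribute is
    // declared to the DOM before validation; a freshly parsed document without a
    // DTD/schema knows nothing about "ID" being an ID attribute.
    static boolean verify(String signedXml, Key publicKey, boolean registerId) throws Exception {
        Document doc = parse(signedXml);
        if (registerId) {
            doc.getDocumentElement().setIdAttribute("ID", true);
        }
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalStateException("expected exactly one Signature, found " + sigs.getLength());
        }
        DOMValidateContext ctx = new DOMValidateContext(publicKey, sigs.item(0));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String signed = signSample(kp);

        System.out.println("ID registered:   valid=" + verify(signed, kp.getPublic(), true));
        try {
            verify(signed, kp.getPublic(), false);
            System.out.println("ID unregistered: validated (this runtime still has a by-name ID fallback)");
        } catch (XMLSignatureException e) {
            // On JDK 7u25 and later the Reference cannot be dereferenced and the
            // wrapped URIReferenceException reads "Cannot resolve element with ID <id>".
            System.out.println("ID unregistered: " + e.getMessage());
        }
    }
}
```

The point for a SAML relying party is that the failure is in ID resolution, not in the key or the digest, which is why the same metadata and keys work with one JDK update and not the next; registering the ID attribute on the parsed element (or via DOMValidateContext.setIdAttributeNS) is the fix on the application side, and downgrading the JDK only reinstates the removed fallback.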