WLS SAML2 Throws IndexOutOfBounds When Using Encrypted Assertions (Doc ID 1382252.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle WebLogic Server - Version 10.3.2 and later
Information in this document applies to any platform.

Symptoms

Using WebLogic Server as a SAML2 Service Provider (SP) together with a third-party SAML2 Identity Provider (IDP) does not work when encrypted assertions are used.

The IDP logs may show that the authentication was successful: it redirects the user to the right URL with the specified attributes. However, WLS fails to consume the message, returns a 500 Internal Server Error, and logs an IndexOutOfBoundsException in the managed server log file. The error typically looks like this:

2011-09-29 22:45:22,255 [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG org.opensaml.common.impl.AbstractSAMLObjectUnmarshaller- Ignoring unknown element {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion
Sep 29, 2011 10:45:22 PM EEST Debug SecuritySAML2Service BEA-000000 index: 0
Sep 29, 2011 10:45:22 PM EEST Debug SecuritySAML2Service BEA-000000 exception info
java.lang.IndexOutOfBoundsException: index: 0

####Jan 28, 2011 10:06:16 AM UTC Debug SecuritySAML2Service aaa.bbb.ccc.ddd AdminServer [ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)' WLS Kernel 1296209176501 BEA-000000 exception info
java.lang.IndexOutOfBoundsException: index: 0
at javolution.util.FastList.get(Unknown Source)
at org.opensaml.xml.util.XMLObjectChildrenList.get(XMLObjectChildrenList.java:97)
at org.opensaml.xml.util.XMLObjectChildrenList.get(XMLObjectChildrenList.java:32)
at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.assertIdentity(AssertionConsumerServiceImpl.java:229)
at com.bea.security.saml2.service.acs.AssertionConsumerServiceImpl.process(AssertionConsumerServiceImpl.java:123)
at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
at $Proxy31.process(Unknown Source)
at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3594)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

Everything works fine and the SAML2 authentication process completes when encrypted assertions are not used, i.e., when they are explicitly disabled from within the third-party SP.
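The log line "Ignoring unknown element {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion" shows that the SP's unmarshaller skips the encrypted element, so the Response ends up with no Assertion children and the Assertion Consumer Service fails at index 0. The following added diagnostic (not Oracle's code) decodes a SAMLResponse POST parameter and reports whether the IDP sent only EncryptedAssertion elements, which is the shape that triggers this symptom; the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ASSERTION = f"{{{SAML2_ASSERTION_NS}}}Assertion"
ENCRYPTED_ASSERTION = f"{{{SAML2_ASSERTION_NS}}}EncryptedAssertion"
RESPONSE = f"{{{SAML2_PROTOCOL_NS}}}Response"


def classify_saml_response(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and count the assertion children of the
    Response element. 'triggers_wls_ioobe' is True when every assertion is
    encrypted: the SP then sees an empty assertion list and get(0) fails."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != RESPONSE:
        raise ValueError(f"not a SAML2 Response element: {root.tag}")
    plain = sum(1 for child in root if child.tag == ASSERTION)
    encrypted = sum(1 for child in root if child.tag == ENCRYPTED_ASSERTION)
    return {
        "plain": plain,
        "encrypted": encrypted,
        "triggers_wls_ioobe": plain == 0 and encrypted > 0,
    }


# Constructed sample: a Response carrying only an EncryptedAssertion
# (the element the SP unmarshaller ignores, per the log above).
ENCRYPTED_SAMPLE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>""").decode()

# Constructed sample: the same Response with a plain Assertion, which the
# SP consumes normally.
PLAIN_SAMPLE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"/>
</samlp:Response>""").decode()

if __name__ == "__main__":
    print("encrypted-only:", classify_saml_response(ENCRYPTED_SAMPLE))
    print("plain:", classify_saml_response(PLAIN_SAMPLE))
```

Run it against the SAMLResponse value captured from the browser POST to the ACS URL to confirm the IDP is sending encrypted assertions before changing its configuration.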


Cause
