FIM 'Unable to process the AuthnRequest message' in RSA Federated Identity Manager
Originally Published: 2013-07-09
Article Number
000040215
Applies To
RSA Product Set: Federated Identity Manager
RSA Product/Service Type: Federated Identity Management Module
RSA Version/Condition: All versions

Issue
FIM "Unable to process the AuthnRequest message"
FIM debug log shows the following exception:
2013-07-05 13:08:21,865, (SSOHelper.java:631), fim1, , , , Unable to process the AuthnRequest message, java.lang.NullPointerException
at com.rsa.fim.config.factory.ConfigHelper.findPartnerByTargetURL(ConfigHelper.java:620)
...
java.lang.NullPointerException
at com.rsa.fim.config.factory.ConfigHelper.findPartnerByTargetURL(ConfigHelper.java:620)

FIM system.out log shows the following:
2013-07-05 13:08:21,868, (SSOHelper.java:632), tcpaldm045, , , , SSO top-level profile exception: , java.lang.NullPointerException
at com.rsa.fim.config.factory.ConfigHelper.findPartnerByTargetURL(ConfigHelper.java:620)
...
java.lang.NullPointerException
...
2013-07-05 13:08:21,871, (OperationInfo.java:165), tcpaldm045, , , , *** Operation in progress at the time of the failure: 
2013-07-05 13:08:21,873, (OperationInfo.java:166), tcpaldm045, , , ,   Operation: SSO Profile - processAuthnRequest
2013-07-05 13:08:21,875, (OperationInfo.java:167), tcpaldm045, , , ,   IDP EntityID: null
2013-07-05 13:08:21,876, (OperationInfo.java:168), tcpaldm045, , , ,   SP EntityID: null
2013-07-05 13:08:21,878, (OperationInfo.java:169), tcpaldm045, , , ,   User: null
2013-07-05 13:08:21,880, (OperationInfo.java:170), tcpaldm045, , , ,   Host: fim1
2013-07-05 13:08:21,881, (OperationInfo.java:171), tcpaldm045, , , ,   Client IP address: 10.10.10.10
2013-07-05 13:08:21,883, (OperationInfo.java:172), tcpaldm045, , , ,   Request URI: /sso/SSO
2013-07-05 13:08:21,884, (OperationInfo.java:173), tcpaldm045, , , ,   Target URL: null
2013-07-05 13:08:21,886, (OperationInfo.java:174), tcpaldm045, , , ,   Binding URI: null
2013-07-05 13:08:21,888, (OperationInfo.java:175), tcpaldm045, , , ,   Service Location: null
2013-07-05 13:08:21,889, (OperationInfo.java:176), tcpaldm045, , , ,   Redirect URL: null
2013-07-05 13:08:21,891, (OperationInfo.java:177), tcpaldm045, , , , *** Operation information end

Before the exception occurs, the FIM debug log shows an HTTP GET request to the SSO endpoint with no query string:
2013-07-05 13:08:21,838, (SSOService.java:52), fim1, , , , Entering : SSOService.doGet(weblogic.servlet.internal.ServletRequestImpl@2523256[
GET /sso/SSO HTTP/1.1
Cause
FIM throws this exception if a POST is made to the SSO endpoint /sso/SSO and no POST data is sent. FIM interprets this as a GET request because there is no data. This occurs if the IDP is protecting the /sso/SSO endpoint with RSA Access Manager. If the HTTP POST binding is being used, the SP will attempt to POST the authnRequest to the FIM endpoint, but the request is redirected to the RSA Access Manager Agent. The Agent authenticates the user and then redirects the user back to the original URL /sso/SSO without the POST data.
Resolution
The RSA Access Manager Agent does not retain POST data. If you configure RSA Access Manager to authenticate the user by protecting the FIM endpoint, then you must use a protocol binding such as HTTP Redirect Binding that passes the authnRequest in a query string. Query strings are preserved by the agent during the redirect.
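The following is an added simulation, not RSA FIM or Access Manager code, of the cause and resolution described above. It encodes a constructed AuthnRequest with both SAML bindings, models the agent's post-authentication redirect as "same URL, method becomes GET, body dropped", and shows that only the HTTP-Redirect form (SAMLRequest in the query string) survives the round trip. The entity IDs, hostnames and request ID are placeholders; the endpoint-side check that returns None instead of failing on a missing SAMLRequest is an illustration of the guard a receiver would want, not FIM's own behaviour.

```python
"""Simulation (assumed, not RSA FIM code) of why an authentication agent's
redirect drops a SAML HTTP-POST AuthnRequest but keeps an HTTP-Redirect one."""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AuthnRequest; IDs and URLs are placeholders, not from the article.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0" IssueInstant="2013-07-05T13:08:21Z" '
    'Destination="https://idp.example.test/sso/SSO">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.test/metadata</saml:Issuer></samlp:AuthnRequest>'
)

SSO_ENDPOINT = "https://idp.example.test/sso/SSO"  # placeholder IdP endpoint


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def post_binding(endpoint: str, authn_request: str) -> dict:
    """SAML HTTP-POST binding: base64 request travels in the form body; the URL has no query."""
    body = {"SAMLRequest": base64.b64encode(authn_request.encode()).decode()}
    return {"method": "POST", "url": endpoint, "body": body}


def redirect_binding(endpoint: str, authn_request: str) -> dict:
    """SAML HTTP-Redirect binding: DEFLATE + base64 + URL-encode, carried in the query string."""
    encoded = base64.b64encode(_raw_deflate(authn_request.encode())).decode()
    return {"method": "GET", "url": endpoint + "?" + urlencode({"SAMLRequest": encoded}), "body": {}}


def agent_redirect_back(request: dict) -> dict:
    """Model of the agent behaviour the article describes: after authenticating the user
    it redirects back to the original URL. Path and query string are preserved; the browser
    follows the redirect with a GET, so any POST body is lost."""
    return {"method": "GET", "url": request["url"], "body": {}}


def extract_authn_request(request: dict):
    """Receiver-side guard (assumed, not FIM's code): look for SAMLRequest in the query
    string first, then in a POST body. Returns the decoded XML, or None if absent, instead
    of continuing into partner lookup with a null target."""
    query = parse_qs(urlsplit(request["url"]).query)
    if "SAMLRequest" in query:
        raw = base64.b64decode(query["SAMLRequest"][0])
        return zlib.decompress(raw, -15).decode()
    if request["method"] == "POST" and "SAMLRequest" in request["body"]:
        return base64.b64decode(request["body"]["SAMLRequest"]).decode()
    return None  # a bare "GET /sso/SSO" with no data, as seen in the debug log


def arrives_intact(binding_fn) -> bool:
    """True if the AuthnRequest still reaches the endpoint after the agent's redirect."""
    sent = binding_fn(SSO_ENDPOINT, AUTHN_REQUEST)
    received = agent_redirect_back(sent)
    return extract_authn_request(received) == AUTHN_REQUEST


if __name__ == "__main__":
    for name, fn in (("HTTP-POST", post_binding), ("HTTP-Redirect", redirect_binding)):
        print(f"{name:14s} AuthnRequest survives agent redirect: {arrives_intact(fn)}")
```

Running the script prints False for HTTP-POST and True for HTTP-Redirect, which is exactly the split the resolution relies on: when an agent that does not replay POST bodies sits in front of /sso/SSO, the SP must be configured for the Redirect binding so the request rides in the query string.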