Channel: Mendix Forum Questions

SAML: Screen stuck at Initializing SSO - Unable to validate Response. Error: null (Mendix 7.6.0)


We're currently encountering errors with a SAML2.0 integration at a client's site. We've successfully set up the configuration for the SAML module as per the instructions mentioned in the module's documentation.

What we see is that if we navigate to /SSO/ on a laptop of one of the internal users, we get a redirect to /SSO/assertion, after which a white page appears with the text "Initializing SSO...", and nothing else happens.

In our system log we can see the following error:

Unable to validate Response, see SAMLRequest overview for detailed response. Error: null

java.lang.NullPointerException
at saml20.implementation.wrapper.MxSAMLAssertion.getNameID(MxSAMLAssertion.java:163)
at saml20.implementation.ArtifactHandler.handleSAMLResponse(ArtifactHandler.java:91)
at saml20.implementation.ArtifactHandler.handleRequest(ArtifactHandler.java:33)
at saml20.implementation.SAMLRequestHandler.processRequest(SAMLRequestHandler.java:172)
at com.mendix.externalinterface.connector.RequestHandler.doProcessRequest(RequestHandler.java:40)
at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:70)
at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:67)
at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:33)
at com.mendix.external.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.java:73)
at com.mendix.basis.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.java:876)
at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.handle(RuntimeHandler.java:41)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:368)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:953)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1014)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:861)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:748)

Unfortunately, this is the most detailed information we can get from our logging, even with the SAML_SSO lognode set to Trace.

The IdP has been set up with "Use NameID" for the assertion, "Disable NameID policy" checked and Authentication context "Minimum (stronger than)".

For Authentication Context Classes, we have "Integrated Windows Authentication" selected. All these settings are as per the answer provided by Jasper as most commonly encountered setups in this topic.

Does anyone have a clue what's going wrong here?

Edit: 

Eric, here's a sample XML response

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://<removed>/SSO/assertion" ID="_d7524249-1857-4abe-bfe6-039792ed5bc4" InResponseTo="_e162ec70-c2b9-40b6-be80-ea811e6dad9e" IssueInstant="2017-10-10T13:54:32.680Z" Version="2.0">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://<removed>.com/adfs/services/trust</Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </e:EncryptionMethod>
          <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>OU=Mendix-SP, CN=https://<removed>.mendixcloud.com</ds:X509IssuerName>
                <ds:X509SerialNumber>1505288813085</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </KeyInfo>
          <e:CipherData>
            <e:CipherValue>…</e:CipherValue>
          </e:CipherData>
        </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>…</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_fff4e95b-c717-4482-a20f-f92c964a20b8" IssueInstant="2017-10-10T13:54:32.680Z" Version="2.0">
    <Issuer>http://<removed>.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_fff4e95b-c717-4482-a20f-f92c964a20b8">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>NzCYuCWFGEZDs7UmcE2cfi2oBTBK4D2Bub4LeYxv2m0=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>…</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>…</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_e162ec70-c2b9-40b6-be80-ea811e6dad9e" NotOnOrAfter="2017-10-10T13:59:32.680Z" Recipient="https://<removed>.mendixcloud.com/SSO/assertion"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-10-10T13:54:32.649Z" NotOnOrAfter="2017-10-10T14:54:32.649Z">
      <AudienceRestriction>
        <Audience>https://<removed>.mendixcloud.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2017-10-10T13:54:32.616Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
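
Added example (not part of the original post, and not the SAML module's code): the stack trace fails in MxSAMLAssertion.getNameID, and the Subject in the posted response holds a SubjectConfirmation but no NameID element. The script below is an offline triage check that flags that condition in a captured response; the function name and the sample XML are constructed for illustration, and it inspects structure only, without decrypting anything or verifying signatures.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample that mirrors the Subject structure of the posted response.
SAMPLE_NO_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
<Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></Subject>
</Assertion></samlp:Response>"""
# Same constructed sample, with a NameID added for contrast.
SAMPLE_WITH_NAMEID = SAMPLE_NO_NAMEID.replace(
    "<Subject>", "<Subject><NameID>user@example.com</NameID>")


def triage_saml_response(xml_text):
    """Return structural findings for a captured SAML Response (hypothetical helper)."""
    # SAML messages never need a DTD; refuse one rather than let the parser expand it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    if plain and encrypted:
        findings.append("both EncryptedAssertion and plaintext Assertion present")
    for assertion in plain:
        aid = assertion.get("ID", "?")
        subject = assertion.find("saml:Subject", NS)
        if subject is None:
            findings.append(f"assertion {aid}: no Subject")
            continue
        name_id = subject.find("saml:NameID", NS)
        if name_id is None and subject.find("saml:EncryptedID", NS) is None:
            findings.append(f"assertion {aid}: Subject has no NameID")
        elif name_id is not None and not (name_id.text or "").strip():
            findings.append(f"assertion {aid}: NameID is empty")
    return findings
```

An empty list means the structure looks complete; any finding about NameID points at the IdP's claim rules rather than at the service provider's certificate or clock settings.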

 

