
I would like to log in to my ArcGIS Portal with OpenAM. I have followed the ArcGIS documentation: http://doc.arcgis.com/en/arcgis-online/reference/configure-openam.htm. When the SSO redirect happens I have the following error:

    libSAML2:11/14/2014 05:14:52:570 PM CET: Thread[http-8080-1,5,main]
    **********************************************
    libSAML2:11/14/2014 05:14:52:569 PM CET: Thread[http-8080-1,5,main]
    ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: Unable to generate a NameID value. [original message in French: "Impossible de générer une valeur NameID."]
        at com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.getNameID(DefaultIDPAccountMapper.java:143)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(IDPSSOUtil.java:1512)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(IDPSSOUtil.java:912)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(IDPSSOUtil.java:730)
        at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:422)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:1071)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:129)
        at org.apache.jsp.saml2.jsp.idpSSOFederate_jsp._jspService(idpSSOFederate_jsp.java:114)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:388)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
        at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:640)
        at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
        at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
        at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:643)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.forgerock.openam.xui.XUIFilter.doFilter(XUIFilter.java:113)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:98)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:879)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:617)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1774)
        at java.lang.Thread.run(Unknown Source)

I think I have missed something with the NameID. Any idea how to configure it? Thanks for any help!

g3r4n
  • The OpenAM debug log does not tell which NameID is used in the authentication request from the ArcGIS Portal SAML SP to OpenAM SAML IdP (this is configured in the SAML metadata). You may however enable 'message' level logging on the OpenAM side to see which information OpenAM received. It could be related to the OpenAM Data Store config, etc. – Bernhard Thalmayr Nov 17 '14 at 09:22

1 Answer

The most likely reason for the "Unable to generate NameID value" error is that you are trying to create an assertion with a non-persistent and non-transient NameID-Format. In those cases OpenAM does not know what value to use for the NameID element, so you need to set up the NameID Value Map on the hosted IdP's configuration pages.

With NameID Value mapping you can assign a given attribute value from the user's entry to the <NameID> element to an actual NameID-Format.

For example with the following mapping:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=uid

Whenever there is an incoming AuthnRequest that requests unspecified NameID-Format, the returned Assertion will contain a NameID value similar to this:

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">demo</saml:NameID>

Where "demo" is the logged in user's uid attribute's value.

Peter Major
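The following is an added example, not OpenAM's code and not part of the question or answer above. It models the rule the answer describes (persistent and transient formats get a generated value; any other format needs a NameID Value Map entry, otherwise the IdP fails with "Unable to generate NameID value") and also reads the NameID-Format the SP asked for out of its AuthnRequest, which is the piece of information the comment points out the debug log does not show. The user entry, the mapping entries, the AuthnRequest and the function names are all constructed for illustration; real OpenAM stores the generated persistent identifier against the user/SP pair, which this simulation does not do.

```python
# Added example (not OpenAM code): how the hosted IdP's NameID Value Map
# turns a requested NameID-Format into the <saml:NameID> of the assertion,
# and why a format that is neither persistent nor transient fails without
# a mapping entry. Names and sample data are constructed for illustration.
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ATTR_ENTITIES = {'"': "&quot;"}  # extra escaping for XML attribute values


class SAML2Exception(Exception):
    """Stand-in for com.sun.identity.saml2.common.SAML2Exception."""


def parse_name_id_map(entries):
    """Parse 'format=attribute' lines as entered in the NameID Value Map."""
    mapping = {}
    for entry in entries:
        fmt, sep, attr = entry.partition("=")
        if not sep or not fmt.strip() or not attr.strip():
            raise ValueError(f"malformed NameID value map entry: {entry!r}")
        mapping[fmt.strip()] = attr.strip()
    return mapping


def requested_format(authn_request_xml):
    """Read NameIDPolicy/@Format from an SP AuthnRequest.

    SAML 2.0 core treats an absent NameIDPolicy or Format as 'unspecified'.
    """
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    if policy is None or policy.get("Format") is None:
        return UNSPECIFIED
    return policy.get("Format")


def name_id_value(fmt, user_attrs, name_id_map):
    """Pick the NameID value the way the answer describes.

    user_attrs is the user's data-store entry as {attribute: [values]}.
    """
    if fmt in (PERSISTENT, TRANSIENT):
        # OpenAM generates an opaque identifier here (and, for persistent,
        # stores it against the user/SP pair); a random token models that.
        return secrets.token_urlsafe(24)
    attr = name_id_map.get(fmt)
    if attr is None or not user_attrs.get(attr):
        # No mapping for this format, or the mapped attribute is empty:
        # this is the "Unable to generate NameID value" case from the log.
        raise SAML2Exception("Unable to generate NameID value")
    return user_attrs[attr][0]


def name_id_element(fmt, user_attrs, name_id_map):
    """Render the <saml:NameID> element that ends up in the assertion."""
    value = name_id_value(fmt, user_attrs, name_id_map)
    return (f'<saml:NameID Format="{escape(fmt, ATTR_ENTITIES)}">'
            f"{escape(value)}</saml:NameID>")


# Constructed sample data: a user entry and the mapping from the answer
# plus an emailAddress entry to show a second non-generated format.
DEMO_USER = {"uid": ["demo"], "mail": ["demo@example.test"]}
DEMO_MAP = parse_name_id_map([f"{UNSPECIFIED}=uid", f"{EMAIL}=mail"])

# Constructed AuthnRequest that asks for the unspecified format.
DEMO_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_demo1" Version="2.0" IssueInstant="2014-11-14T16:14:52Z">
  <samlp:NameIDPolicy Format="{UNSPECIFIED}" AllowCreate="true"/>
</samlp:AuthnRequest>"""


if __name__ == "__main__":
    fmt = requested_format(DEMO_AUTHN_REQUEST)
    print(name_id_element(fmt, DEMO_USER, DEMO_MAP))
    try:
        # Only the unspecified format is mapped here, so emailAddress fails.
        name_id_element(EMAIL, DEMO_USER, parse_name_id_map([f"{UNSPECIFIED}=uid"]))
    except SAML2Exception as exc:
        print("without a mapping for emailAddress:", exc)
```

Running it prints the same `<saml:NameID ...>demo</saml:NameID>` element the answer shows, and the second call reproduces the failure from the question: the SP asked for a format the map does not cover. When debugging a real deployment, compare the Format your SP's AuthnRequest (or its metadata's NameIDFormat) carries with the entries in the hosted IdP's NameID Value Map; they must match exactly, URN and all.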