NPE at SAML processing
14.6.9. NullPointerException processing SAML assertion in SP

Exception (on SP):

NPE after receiving the SAML assertion from the IdP. Unfortunately, the log file doesn't provide a good hint about possible reasons:

2016-09-05 12:27:23,383 DEBUG [TRC - DEFAULT           - SID: 544795747197145525 - RID: 208963866670626638] | 001 FedLib: SAML2MetaManager: [SAML2] GOT_ENTITY_CONFIG: {iamSp,/}
2016-09-05 12:27:23,383 INFO  [GLS - AuthServer - 0001 - SID: 544795747197145525 - RID: 208963866670626638] | 001 FedLib: SPACSUtils: [SAML2] SUCCESS_FED_SSO: {azhthsa,azhthsa}, Data: {NameID=azhthsa}
2016-09-05 12:27:23,383 DEBUG [TRC - DEFAULT           - SID: 544795747197145525 - RID: 208963866670626638] | 001 FedLib: AccountUtils: AccountUtils.setAccountFederation:
2016-09-05 12:27:23,384 DEBUG [TRC - DEFAULT           - SID: 544795747197145525 - RID: 208963866670626638] | 001 FedLib: AccountUtils: AccountUtils.setAccountFederation: info to be set:iamSp|https://app.onelogin.com/saml/metadata/582647|azhthsa|null|urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress|null|null|SPRole|false,infoKey to be set:iamSp|https://app.onelogin.com/saml/metadata/582647|azhthsa
2016-09-05 12:27:23,384 DEBUG [TRC - DEFAULT           - SID: 544795747197145525 - RID: 208963866670626638] | 001 DataStoreProviderImpl: DataStoreProviderImpl saml2: Searching for attributes '[sun-fm-saml2-nameid-info, sun-fm-saml2-nameid-infokey]' for user 'azhthsa'
2016-09-05 12:27:23,385 DEBUG [TRC - DEFAULT           - SID: 544795747197145525 - RID: 208963866670626638] | 001 DatabaseUserPersister: read user from db: AuthUserBeanImpl{username=azhthsa, roles=[admin, employee, customer], auth-method==PASSWORD, next-auth-method=null, auth-migration-date=null, locked=false, locked-reason=null, locked-date=null, invalid-flag=false, valid-from=null, valid-to=null, failed-logins=0, failed-logins-before-latest-successful-login=0, failed-logins-with-first-factor=0, failed-stepup-attempts=0, total-logins=87, latest-successful-login=Fri Sep 02 08:34:05 CEST 2016, latest-login-attempt=Fri Sep 02 08:34:05 CEST 2016, second-latest-successful-login=Wed Aug 31 15:22:54 CEST 2016, first-login=Sat May 14 18:02:31 CEST 2016, self-registered=true, self-registration-date=Sat May 14 18:02:31 CEST 2016, last-airlock-gsid-update=null, last-known-airlock-gsid=null, secret-questions-enabled=false, context-data={country=CHE, town=, streetNumber=, address2=, language=de, disclaimer_tag=null, zipcode=, auth_method=PASSWORD, givenname=Thomas, surname=Sauter, street=, allowedIPs=null, company=, salutation=, state=null, email=thomas.sauter@aspectra.ch, username=azhthsa}}, password-change-forced=false
2016-09-05 12:27:23,385 DEBUG [TRC - DEFAULT           - SID: 544795747197145525 - RID: 208963866670626638] | 001 DatabaseUserPersister: Getting user azhthsa from DB took 1 ms
2016-09-05 12:27:23,385 ERROR [GLS - AuthServer - 0001 - SID: 544795747197145525 - RID: 208963866670626638] | 001 SPAssertionConsumerService: NPE while processing SAML message
2016-09-05 12:27:23,385 ERROR [GLS - AuthServer - 0001 - SID: 544795747197145525 - RID: 208963866670626638] | 002 java.lang.NullPointerException
2016-09-05 12:27:23,385 ERROR [GLS - AuthServer - 0001 - SID: 544795747197145525 - RID: 208963866670626638] | 003 	at com.airlock.iam.login.app.misc.configuration.targetapps.GenericTargetApplicationBase.getUsernameToPropagate(GenericTargetApplicationBase.java:253)
2016-09-05 12:27:23,385 ERROR [GLS - AuthServer - 0001 - SID: 544795747197145525 - RID: 208963866670626638] | 004 	at com.airlock.iam.login.app.misc.saml2.datastore.DataStoreProviderImpl.getPersistentFederationConfig(DataStoreProviderImpl.java:251)

Because the Authentee is nullgetUsernameToPropagate() throws the NPE. The first question is though why does IAM try to load a local user at all.

Reason:

If the NameID format of the SAML assertion returned from the IdP to IAM is not, <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient">, but e.g. <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">, IAM is forced to look up the user on its local database. If the user is not found, a not found exception is thrown, it the user is found, the NPE occurs (which is wrong in itself, but can be 'worked around' if no persistent users are needed, see solution).

Solution:

Change the sp.xml on the on-IAM IdP, such that <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient"> is used.