Hi All,

NAM 3.2.2 IR2-117 all running on SLES 11

Trying to get SAML ECP to work with Office 365 and the Office 2013 Suite
activation process without much success.

The following SOAP message is sent from the Office Software on the
client machine to the IDP.


POST https://login.colesgroup.com.au/nidp/saml2/sso HTTP/1.0
Connection: Keep-Alive
Content-Type: application/soap+xml
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; WOW64;
SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media
Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; MSOIDCRL 7.250.4552.0;
App WINWORD.EXE, 15.0.4535.0, {9317BCB6-314B-442F-A5DA-9BC2BEBC271D})
Content-Length: 1580
Host: login.colesgroup.com.au

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<s:Header>
<wsa:Action
s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
<wsa:To
s:mustUnderstand="1">https://login.colesgroup.com.au:443/nidp/saml2/sso</wsa:To>
<wsa:MessageID>1391573772</wsa:MessageID>
<wsse:Security>
<wsse:UsernameToken wsu:Id="user">
<wsse:Username>asd@coles.com.au</wsse:Username>
<wsse:Password>asdasd</wsse:Password>
</wsse:UsernameToken>
<wsu:Timestamp Id="Timestamp">
<wsu:Created>2014-02-05T04:16:11Z</wsu:Created>
<wsu:Expires>2014-02-05T04:21:11Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken Id="RST0">
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wsp:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>

The IDP then responds with:




HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FF8DCB0D4FC4A7D7A4F67D90F89700DE; Path=/nidp/;
Secure; HttpOnly
Set-Cookie: UrnNovellNidpClusterMemberId=~03~0Bslo~0A~0B~14kop ~0B~0A~0B;
Path=/nidp
Set-Cookie:
urn:novell:nidp:cluster:member:id=~03~0Bslo~0A~0B~ 14kop~0B~0A~0B;
Path=/nidp
Pragma: No-cache
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 274
Date: Wed, 05 Feb 2014 04:25:15 GMT

<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode><faultstring>Invalid
or unsupported XML content type:
application/soap+xml</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>


If I use Fiddler to rewrite the Content-Type to be text/xml instead
of application/soap+xml I then get the following result:



<div class="messagebox_content">
<img src="/nidp/images/error_icon.gif" align="absmiddle">
<div class="messagetext">
<span
class="infotype">Error:</span>NIDPMAIN.11465CCF2D11B3DEF2A1C60694B883B3356
(An error has occurred which may have invalidated your authentication.
Please try refreshing the browser page. If this error persists, please
close this browser window, open a new browser, and login again.)
</div>
</div>


The catalina.log file reports the following when the Content-Type is
text/xml:


<amLogEntry seq="42210" d="2014-02-05T03:19:20Z"
lg="Application" lv="DEBUG" th="4273" ><msg>Method:
NIDPContextListener.sessionCreated
Thread: http-bio-192.168.56.103-8443-exec-76
Created session
AMAUTHID#7327FCA99D728853F888851168C42F5B</msg></amLogEntry>
<amLogEntry seq="42211" d="2014-02-05T03:19:20Z" lg="Application"
lv="DEBUG" th="4273" ><msg>Method:
NIDPProxyableServlet.myDoGetWithProxy
Thread: http-bio-192.168.56.103-8443-exec-76
****** HttpServletRequest Information:
Method: POST
Scheme: https
Context Path: /nidp
Servlet Path: /saml2
Query String: null
Path Info: /soap
Server Name: loginuat.colesgroup.com.au
Server Port: 443
Content Length: 1598
Content Type: text/xml
Auth Type: null
Request URL: https://loginuat.colesgroup.com.au/nidp/saml2/soap
Host IP Address: 203.5.139.133
Remote Client IP Address: 203.5.137.74
Header: Name: connection, Value: Keep-Alive
Header: Name: accept, Value: */*
Header: Name: user-agent, Value: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 6.1; WOW64; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729;
.NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3;
MSOIDCRL 7.250.4552.0; App WINWORD.EXE, 15.0.4535.0,
{9317BCB6-314B-442F-A5DA-9BC2BEBC271D})
Header: Name: content-length, Value: 1598
Header: Name: host, Value: loginuat.colesgroup.com.au
Header: Name: content-type, Value: text/xml
Session Id: 7327FCA99D728853F888851168C42F5B
Session Last Accessed Time: 1391570360066</msg></amLogEntry>
<amLogEntry seq="42212" d="2014-02-05T03:19:20Z" lg="Application"
lv="DEBUG" th="4273" ><msg>Method:
NIDPProxyableServlet.myDoGetWithProxy
Thread: http-bio-192.168.56.103-8443-exec-76
iUrlCategory: 2, iUrlCommand: 300</msg></amLogEntry>
<amLogEntry seq="42213" d="2014-02-05T03:19:20Z" lg="Application"
lv="DEBUG" th="4273" ><msg>Method: SavedInputStream.&lt;init&gt;
Thread: http-bio-192.168.56.103-8443-exec-76
Created new SavedInputStream using InputStream:
org.apache.catalina.connector.CoyoteInputStream</msg></amLogEntry>
<amLogEntry seq="42214" d="2014-02-05T03:19:20Z" lg="Application"
lv="DEBUG" th="4273" ><msg>Method: CacheMap.A
Thread: http-bio-192.168.56.103-8443-exec-76

Retrieval of object from cache session failed using key
7327FCA99D728853F888851168C42F5B. Cache size is 45</msg></amLogEntry>
<amLogEntry seq="42215" d="2014-02-05T03:19:20Z" lg="Application"
lv="DEBUG" th="4273" ><msg>Method: CacheMap.A
Thread: http-bio-192.168.56.103-8443-exec-76

Retrieval of object from cache ancestralsession failed using key
7327FCA99D728853F888851168C42F5B. Cache size is 0</msg></amLogEntry>
<amLogEntry seq="42216" d="2014-02-05T03:19:20Z" lg="Application"
lv="DEBUG" th="4273" ><msg>Method:
NIDPProxyableServlet.myDoGetWithProxy
Thread: http-bio-192.168.56.103-8443-exec-76

Exception message: &quot;java.lang.NullPointerException&quot;
y, Line: 2710, Method: getRealServer
y, Line: 88, Method: getRealServer
y, Line: 2951, Method: myDoGetWithProxy
y, Line: 1768, Method: myDoGet
y, Line: 3301, Method: myDoGet
y, Line: 2926, Method: doGet
y, Line: 1941, Method: doPost
HttpServlet.java, Line: 641, Method: service
HttpServlet.java, Line: 722, Method: service
ApplicationFilterChain.java, Line: 305, Method: internalDoFilter
ApplicationFilterChain.java, Line: 210, Method: doFilter
StandardWrapperValve.java, Line: 222, Method: invoke
StandardContextValve.java, Line: 123, Method: invoke
AuthenticatorBase.java, Line: 472, Method: invoke
StandardHostValve.java, Line: 168, Method: invoke
ErrorReportValve.java, Line: 99, Method: invoke
StandardEngineValve.java, Line: 118, Method: invoke
CoyoteAdapter.java, Line: 407, Method: service
AbstractHttp11Processor.java, Line: 1002, Method: process
AbstractProtocol.java, Line: 585, Method: process
JIoEndpoint.java, Line: 310, Method: run
ThreadPoolExecutor.java, Line: 1110, Method: runWorker
ThreadPoolExecutor.java, Line: 603, Method: run
Thread.java, Line: 722, Method: run</msg></amLogEntry>
<amLogEntry seq="42217" d="2014-02-05T03:19:20Z" lg="Application"
lv="DEBUG" th="4273" ><msg>Method:
NIDPProxyableServlet.myDoGetWithProxy
Thread: http-bio-192.168.56.103-8443-exec-76



I have also tried to point Office 365 at a test NAM 4.0 IDP with the
same result. See NAM 4 logs below:



<amLogEntry seq="1405" d="2014-02-05T02:36:53Z" lg="Application"
lv="DEBUG" th="1761" ><msg>Method: BaseHandler.handleSOAPMessage
Thread: http-bio-172.28.155.132-8080-exec-6
Attempting to handle SOAP MEssage!
Exception message: &quot;java.lang.NullPointerException&quot;
y, Line: 2602, Method: getFirstChildElement
y, Line: 2107, Method: handleSOAPMessage
y, Line: 2517, Method: handleRequest
y, Line: 21, Method: handleRequest
y, Line: 535, Method: myDoGet
y, Line: 1845, Method: doGet
y, Line: 2799, Method: doPost
HttpServlet.java, Line: 647, Method: service
HttpServlet.java, Line: 728, Method: service
ApplicationFilterChain.java, Line: 305, Method: internalDoFilter
ApplicationFilterChain.java, Line: 210, Method: doFilter
StandardWrapperValve.java, Line: 222, Method: invoke
StandardContextValve.java, Line: 123, Method: invoke
AuthenticatorBase.java, Line: 502, Method: invoke
StandardHostValve.java, Line: 171, Method: invoke
ErrorReportValve.java, Line: 99, Method: invoke
StandardEngineValve.java, Line: 118, Method: invoke
CoyoteAdapter.java, Line: 408, Method: service
AbstractHttp11Processor.java, Line: 1023, Method: process
AbstractProtocol.java, Line: 589, Method: process
JIoEndpoint.java, Line: 312, Method: run
ThreadPoolExecutor.java, Line: 1145, Method: runWorker
ThreadPoolExecutor.java, Line: 615, Method: run
Thread.java, Line: 724, Method: run</msg></amLogEntry>


Anyone got any ideas?


--
rtruscot
------------------------------------------------------------------------
rtruscot's Profile: https://forums.netiq.com/member.php?userid=293
View this thread: https://forums.netiq.com/showthread.php?t=49901
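Added example, not part of the post or of NAM: a small classifier for the two captured messages. It reads the envelope namespace to tell SOAP 1.1 (text/xml) from SOAP 1.2 (application/soap+xml), checks whether the Content-Type matches the envelope, distinguishes a WS-Trust RST/Issue from a SAML ECP request (which would arrive as application/vnd.paos+xml), and reports whether the UsernameToken carries a PasswordText secret and how long the wsu:Timestamp window is. The two sample messages are constructed, trimmed copies of the ones above with placeholder credentials.

```python
# Added example: classify captured SOAP traffic by envelope version vs. Content-Type, WS-Trust vs. SAML ECP, credential type and timestamp window.
import xml.etree.ElementTree as ET
from datetime import datetime

SOAP11, SOAP12 = "http://schemas.xmlsoap.org/soap/envelope/", "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://www.w3.org/2005/08/addressing"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
VERSION = {SOAP11: "1.1", SOAP12: "1.2"}
MEDIA_TYPE = {SOAP11: "text/xml", SOAP12: "application/soap+xml"}  # wire media type per SOAP version
PAOS = "application/vnd.paos+xml"  # what a SAML2 ECP client sends instead of plain SOAP
def soap_namespace(root):
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

def classify_request(content_type, body):
    # Report what the client actually sent, independent of what it was meant to be.
    root = ET.fromstring(body)
    ns = soap_namespace(root)
    ct = content_type.split(";")[0].strip().lower()
    action = (root.findtext(f".//{{{WSA}}}Action") or "").strip()
    pw = root.find(f".//{{{WSSE}}}UsernameToken/{{{WSSE}}}Password")
    created, expires = (root.findtext(f".//{{{WSU}}}{t}") for t in ("Created", "Expires"))
    ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
    window = int((ts(expires) - ts(created)).total_seconds()) if created and expires else None
    return {
        "soap_version": VERSION.get(ns, "unknown"),
        "content_type_matches_envelope": MEDIA_TYPE.get(ns) == ct,
        "is_saml_ecp": ct == PAOS,
        "is_wstrust_issue": action == WST + "/RST/Issue",
        # no Type attribute means #PasswordText: the secret travels in clear inside TLS
        "plaintext_password": pw is not None and not pw.get("Type", "").endswith("#PasswordDigest"),
        "timestamp_window_seconds": window,
    }

def classify_fault(body):
    # Extract SOAP version and fault text from an IDP error response (SOAP 1.1 or 1.2 fault shape).
    root = ET.fromstring(body)
    ns = soap_namespace(root)
    code = root.findtext(".//faultcode") or root.findtext(f".//{{{ns}}}Code/{{{ns}}}Value")
    text = root.findtext(".//faultstring") or root.findtext(f".//{{{ns}}}Reason/{{{ns}}}Text")
    return {"soap_version": VERSION.get(ns, "unknown"), "fault": (code, " ".join((text or "").split()))}
# Constructed, trimmed copies of the two messages in the post (credentials are placeholders).
REQUEST = f"""<s:Envelope xmlns:s="{SOAP12}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:wsa="{WSA}" xmlns:wst="{WST}">
<s:Header><wsa:Action>{WST}/RST/Issue</wsa:Action><wsse:Security><wsse:UsernameToken>
<wsse:Username>user@example.com</wsse:Username><wsse:Password>placeholder</wsse:Password></wsse:UsernameToken>
<wsu:Timestamp><wsu:Created>2014-02-05T04:16:11Z</wsu:Created><wsu:Expires>2014-02-05T04:21:11Z</wsu:Expires>
</wsu:Timestamp></wsse:Security></s:Header><s:Body><wst:RequestSecurityToken/></s:Body></s:Envelope>"""
FAULT = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP11}"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode>
<faultstring>Invalid or unsupported XML content type: application/soap+xml</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```

Run against the captured pair, the request classifies as a SOAP 1.2 WS-Trust RST/Issue whose Content-Type is correct for its envelope, while the fault comes back in a SOAP 1.1 envelope, which is the mismatch to look at first.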