Uploaded image for project: 'SAML for Atlassian Data Center'
  1. SAML for Atlassian Data Center
  2. SAMLDC-109

NullPointerException when username mapping is not found in the list of attributes returned by the IdP

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Low Low
    • None
    • 4.3.0
    • SSO

      Issue Summary

      Attempting to authenticate using the SAML SSO feature when the value of the username mapping cannot be found in the list of attributes returned by the IdP results in a java.lang.NullPointerException.

      Steps to Reproduce

      1. Create a new SAML single sign-on authentication configuration.
      2. Fill in all the details in the form (e.g. Single sign-on issuer, Identity provider single sign-on URL and etc).
      3. Use an IdP attribute in the username mapping field that doesn't exist e.g. ${Name123}
      4. Attempt to log in with a test user account.

      Expected Results

      The app should catch the exception and provide a meaningful error message explaining why the authentication didn't work.

      Actual Results

      We get an Internal Server Error (500) when attempting to log in using the SAML SSO feature with the following stack trace:

      atlassian-bamboo.log
      Version: 8.1.3
Build: 80110
Build Date: 17 Feb 2022

Request information:

Request URL: http://bamboo.com/500.action
Scheme: https
Server: bamboo.com
Port: 443
URI: /500.action
Context path:
Servlet path: /500.action
Path info:
Query string:
Stack Trace:

java.lang.NullPointerException
	at com.google.common.collect.Iterables.getOnlyElement(Iterables.java:263)
	at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getAttributeOrNameId(SamlConsumerServlet.java:176)
	at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.lambda$getUsername$7(SamlConsumerServlet.java:172)
	at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Collectors.java:178)
	at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
	at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression.evaluateWithValues(MappingExpression.java:97)
	at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getUsername(SamlConsumerServlet.java:172)
	at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
        ...

      Workaround

      Capture the IdP response while logging in with a test user account (How to view SAML responses in your browser for troubleshooting) and check the name of the tag in the SAML assertion response that contains the user's username and use that in the username mapping field.

          Form Name

            [SAMLDC-109] NullPointerException when username mapping is not found in the list of attributes returned by the IdP

            Patryk made changes -
            Status Original: Needs Triage [ 10030 ] New: Long Term Backlog [ 12073 ]
            Owen made changes -
            Workflow Original: SAMLDC Workflow v2 [ 4268353 ] New: JAC Bug Workflow v3 [ 4271273 ]
            Status Original: Open [ 1 ] New: Needs Triage [ 10030 ]
            Patryk made changes -
            Remote Link New: This issue links to "AAUTH-616 (Current JIRA)" [ 629716 ]
            Patryk made changes -
            Labels New: long-term-backlog
            Bruno Rosa made changes -
            Component/s New: SSO [ 64591 ]
            Bruno Rosa made changes -
            Affects Version/s New: 4.3.0 [ 99005 ]
            Bruno Rosa made changes -
            Link New: This issue causes BAM-21659 [ BAM-21659 ]
            Bruno Rosa made changes -
            Description Original: h3. Issue Summary

            Attempting to authenticate using the SAML SSO feature when the value of the *username mapping* cannot be found in the list of attributes returned by the IdP results in a *java.lang.NullPointerException*.

            h3. Steps to Reproduce
            # Create a new *SAML single sign-on* authentication configuration.
            # Fill in all the details in the form (e.g. Single sign-on issuer, Identity provider single sign-on URL and etc).
            # Use an IdP attribute in the *username mapping* field that doesn't exist e.g. ${Name123}
            # Attempt to log in with a test user account.

            h3. Expected Results

            The app should catch the exception and provide a meaningful error message explaining why the authentication didn't work.

            h3. Actual Results

            We get an Internal Server Error (500) when attempting to log in using the SAML SSO feature with the following stack trace:

            {noformat:title=atlassian-bamboo.log}
            Version: 8.1.3
            Build: 80110
            Build Date: 17 Feb 2022

            Request information:

            Request URL: http://bamboo.com/500.action
            Scheme: https
            Server: bamboo.com
            Port: 443
            URI: /500.action
            Context path:
            Servlet path: /500.action
            Path info:
            Query string:
            Stack Trace:

            java.lang.NullPointerException
            at com.google.common.collect.Iterables.getOnlyElement(Iterables.java:263)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getAttributeOrNameId(SamlConsumerServlet.java:176)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.lambda$getUsername$7(SamlConsumerServlet.java:172)
            at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Collectors.java:178)
            at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
            at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
            at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
            at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
            at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
            at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
            at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
            at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression.evaluateWithValues(MappingExpression.java:97)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getUsername(SamlConsumerServlet.java:172)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
                ...
            {noformat}

            h3. Workaround

            Capture the IdP response while logging in with a test user account ([How to view SAML responses in your browser for troubleshooting|https://confluence.atlassian.com/jirakb/how-to-view-saml-responses-in-your-browser-for-troubleshooting-872129244.html]) and check the name of the tag in the SAML assertion response that contains the user's username and use that in the *username mapping* field.             		New: h3. Issue Summary

            Attempting to authenticate using the SAML SSO feature when the value of the *username mapping* cannot be found in the list of attributes returned by the IdP results in a *java.lang.NullPointerException*.

            h3. Steps to Reproduce
            # Create a new *SAML single sign-on* authentication configuration.
            # Fill in all the details in the form (e.g. Single sign-on issuer, Identity provider single sign-on URL and etc).
            # Use an IdP attribute in the *username mapping* field that doesn't exist e.g. ${Name123}
            # Attempt to log in with a test user account.

            h3. Expected Results

            The app should catch the exception and provide a meaningful error message explaining why the authentication didn't work.

            h3. Actual Results

            We get an Internal Server Error (500) when attempting to log in using the SAML SSO feature with the following stack trace:

            {noformat:title=atlassian-bamboo.log}
            Version: 8.1.3
            Build: 80110
            Build Date: 17 Feb 2022

            Request information:

            Request URL: http://bamboo.com/500.action
            Scheme: https
            Server: bamboo.com
            Port: 443
            URI: /500.action
            Context path:
            Servlet path: /500.action
            Path info:
            Query string:
            Stack Trace:

            java.lang.NullPointerException
            at com.google.common.collect.Iterables.getOnlyElement(Iterables.java:263)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getAttributeOrNameId(SamlConsumerServlet.java:176)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.lambda$getUsername$7(SamlConsumerServlet.java:172)
            at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Collectors.java:178)
            at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
            at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
            at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
            at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
            at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
            at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
            at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
            at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression.evaluateWithValues(MappingExpression.java:97)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getUsername(SamlConsumerServlet.java:172)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
                    ...
            {noformat}

            h3. Workaround

            Capture the IdP response while logging in with a test user account ([How to view SAML responses in your browser for troubleshooting|https://confluence.atlassian.com/jirakb/how-to-view-saml-responses-in-your-browser-for-troubleshooting-872129244.html]) and check the name of the tag in the SAML assertion response that contains the user's username and use that in the *username mapping* field.
            Bruno Rosa made changes -
            Description Original: h3. Issue Summary

            Attempting to authenticate using the SAML SSO feature when the value of the *username mapping* cannot be found in the list of attributes returned by the IdP results in a *java.lang.NullPointerException*.

            h3. Steps to Reproduce
            # Create a new *SAML single sign-on* authentication configuration.
            # Fill in all the details in the form (e.g. Single sign-on issuer, Identity provider single sign-on URL and etc).
            # Use an IdP attribute in the *username mapping* field that doesn't exist e.g. ${Name123}
            # Attempt to log in with a test user account.

            h3. Expected Results

            The app should catch the exception and provide a meaningful error message explaining why the authentication didn't work.

            h3. Actual Results

            We get an Internal Server Error (500) when attempting to log in using the SAML SSO feature with the following stack trace:

            {noformat:title=atlassian-bamboo.log}
            Version: 8.1.3
            Build: 80110
            Build Date: 17 Feb 2022

            Request information:

            Request URL: http://bamboo.com/500.action
            Scheme: https
            Server: bamboo.com
            Port: 443
            URI: /500.action
            Context path:
            Servlet path: /500.action
            Path info:
            Query string:
            Stack Trace:

            java.lang.NullPointerException
            at com.google.common.collect.Iterables.getOnlyElement(Iterables.java:263)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getAttributeOrNameId(SamlConsumerServlet.java:176)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.lambda$getUsername$7(SamlConsumerServlet.java:172)
            at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Collectors.java:178)
            at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
            at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
            at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
            at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
            at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
            at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
            at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
            at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression.evaluateWithValues(MappingExpression.java:97)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getUsername(SamlConsumerServlet.java:172)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
                ...
            {noformat}

            h3. Workaround

            Capture the IdP response while logging in with a test user account ([How to view SAML responses in your browser for troubleshooting|https://confluence.atlassian.com/jirakb/how-to-view-saml-responses-in-your-browser-for-troubleshooting-872129244.html]) and check the name of the tag in the SAML assertion response that contains the username and use that in the *username mapping* field.             		New: h3. Issue Summary

            Attempting to authenticate using the SAML SSO feature when the value of the *username mapping* cannot be found in the list of attributes returned by the IdP results in a *java.lang.NullPointerException*.

            h3. Steps to Reproduce
            # Create a new *SAML single sign-on* authentication configuration.
            # Fill in all the details in the form (e.g. Single sign-on issuer, Identity provider single sign-on URL and etc).
            # Use an IdP attribute in the *username mapping* field that doesn't exist e.g. ${Name123}
            # Attempt to log in with a test user account.

            h3. Expected Results

            The app should catch the exception and provide a meaningful error message explaining why the authentication didn't work.

            h3. Actual Results

            We get an Internal Server Error (500) when attempting to log in using the SAML SSO feature with the following stack trace:

            {noformat:title=atlassian-bamboo.log}
            Version: 8.1.3
            Build: 80110
            Build Date: 17 Feb 2022

            Request information:

            Request URL: http://bamboo.com/500.action
            Scheme: https
            Server: bamboo.com
            Port: 443
            URI: /500.action
            Context path:
            Servlet path: /500.action
            Path info:
            Query string:
            Stack Trace:

            java.lang.NullPointerException
            at com.google.common.collect.Iterables.getOnlyElement(Iterables.java:263)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getAttributeOrNameId(SamlConsumerServlet.java:176)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.lambda$getUsername$7(SamlConsumerServlet.java:172)
            at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Collectors.java:178)
            at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
            at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
            at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
            at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
            at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
            at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
            at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
            at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression.evaluateWithValues(MappingExpression.java:97)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getUsername(SamlConsumerServlet.java:172)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
                ...
            {noformat}

            h3. Workaround

            Capture the IdP response while logging in with a test user account ([How to view SAML responses in your browser for troubleshooting|https://confluence.atlassian.com/jirakb/how-to-view-saml-responses-in-your-browser-for-troubleshooting-872129244.html]) and check the name of the tag in the SAML assertion response that contains the user's username and use that in the *username mapping* field.
            Bruno Rosa made changes -
            Description Original: h3. Issue Summary

            Attempting to authenticate using the SAML SSO feature when the value of the *username mapping* cannot be found in the list of attributes returned by the IdP results in a *java.lang.NullPointerException*.

            h3. Steps to Reproduce
            # Create a new *SAML single sign-on* authentication configuration.
            # Fill in all the details in the form (e.g. Single sign-on issuer, Identity provider single sign-on URL and etc).
            # Use an IdP attribute in the *username mapping* field that doesn't exist e.g. ${Name123}
            # Attempt to log in with a test user account.

            h3. Expected Results

            The app should catch the exception and provide a meaningful error message explaining why the authentication didn't work.

            h3. Actual Results

            We get an Internal Server Error 500 when attempting to log in using the SAML SSO feature with the following stack trace:

            {noformat:title=atlassian-bamboo.log}
            Version: 8.1.3
            Build: 80110
            Build Date: 17 Feb 2022

            Request information:

            Request URL: http://bamboo.com/500.action
            Scheme: https
            Server: bamboo.com
            Port: 443
            URI: /500.action
            Context path:
            Servlet path: /500.action
            Path info:
            Query string:
            Stack Trace:

            java.lang.NullPointerException
            at com.google.common.collect.Iterables.getOnlyElement(Iterables.java:263)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getAttributeOrNameId(SamlConsumerServlet.java:176)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.lambda$getUsername$7(SamlConsumerServlet.java:172)
            at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Collectors.java:178)
            at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
            at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
            at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
            at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
            at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
            at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
            at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
            at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression.evaluateWithValues(MappingExpression.java:97)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getUsername(SamlConsumerServlet.java:172)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
                ...
            {noformat}

            h3. Workaround

            Capture the IdP response while logging in with a test user account ([How to view SAML responses in your browser for troubleshooting|https://confluence.atlassian.com/jirakb/how-to-view-saml-responses-in-your-browser-for-troubleshooting-872129244.html]) and check the name of the tag in the SAML assertion response that contains the username and use that in the *username mapping* field.             		New: h3. Issue Summary

            Attempting to authenticate using the SAML SSO feature when the value of the *username mapping* cannot be found in the list of attributes returned by the IdP results in a *java.lang.NullPointerException*.

            h3. Steps to Reproduce
            # Create a new *SAML single sign-on* authentication configuration.
            # Fill in all the details in the form (e.g. Single sign-on issuer, Identity provider single sign-on URL and etc).
            # Use an IdP attribute in the *username mapping* field that doesn't exist e.g. ${Name123}
            # Attempt to log in with a test user account.

            h3. Expected Results

            The app should catch the exception and provide a meaningful error message explaining why the authentication didn't work.

            h3. Actual Results

            We get an Internal Server Error (500) when attempting to log in using the SAML SSO feature with the following stack trace:

            {noformat:title=atlassian-bamboo.log}
            Version: 8.1.3
            Build: 80110
            Build Date: 17 Feb 2022

            Request information:

            Request URL: http://bamboo.com/500.action
            Scheme: https
            Server: bamboo.com
            Port: 443
            URI: /500.action
            Context path:
            Servlet path: /500.action
            Path info:
            Query string:
            Stack Trace:

            java.lang.NullPointerException
            at com.google.common.collect.Iterables.getOnlyElement(Iterables.java:263)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getAttributeOrNameId(SamlConsumerServlet.java:176)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.lambda$getUsername$7(SamlConsumerServlet.java:172)
            at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Collectors.java:178)
            at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(ReduceOps.java:169)
            at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
            at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
            at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
            at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
            at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
            at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
            at com.atlassian.plugins.authentication.sso.web.usercontext.impl.jit.mapping.MappingExpression.evaluateWithValues(MappingExpression.java:97)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.getUsername(SamlConsumerServlet.java:172)
            at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
                ...
            {noformat}

            h3. Workaround

            Capture the IdP response while logging in with a test user account ([How to view SAML responses in your browser for troubleshooting|https://confluence.atlassian.com/jirakb/how-to-view-saml-responses-in-your-browser-for-troubleshooting-872129244.html]) and check the name of the tag in the SAML assertion response that contains the username and use that in the *username mapping* field.

              Unassigned Unassigned
              brosa Bruno Rosa
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated: