000021903 - com.rsa.fim.profile.sso.SSOProfileException: SP resource configuration is null error message.

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021903

Applies To: Federated Identity Management Module 3.1
Microsoft Windows 2003 Server

Issue

com.rsa.fim.profile.sso.SSOProfileException: SP resource configuration is null error message.
Error message: SP resource configuration is null
Error stack trace: com.rsa.fim.profile.sso.SSOProfileException: SP resource configuration is null
 at com.rsa.fim.profile.sso.SSOHelper.nullCheck(SSOHelper.java:382)
 at com.rsa.fim.profile.sso.SSOProtocolMessageHelper.createAuthnRequest(SSOProtocolMessageHelper.java:441)
 at com.rsa.fim.profile.sso.SSOProfileBean.createAuthnRequest(SSOProfileBean.java:213)
 at com.rsa.fim.profile.sso.SSOProfile_5wyj3w_EOImpl.createAuthnRequest(SSOProfile_5wyj3w_EOImpl.java:46)
 at com.rsa.fim.servlet.sso.IntersiteTransferService.doGet(IntersiteTransferService.java:73)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1006)
 at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
 at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
 at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:322)
 at com.rsa.fim.servlet.discovery.WebAgentService.doGet(WebAgentService.java:181)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1006)
 at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
 at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6718)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
 at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3764)
 at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
 at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
 at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)

2007-11-19 09:05:01,076, (SSOHelper.java:585), myfimserver, , , , Unable to create the AuthnRequest message, com.rsa.fim.profile.sso.SSOProfileException: SP resource configuration is null
 at com.rsa.fim.profile.sso.SSOHelper.nullCheck(SSOHelper.java:382)
 at com.rsa.fim.profile.sso.SSOProtocolMessageHelper.createAuthnRequest(SSOProtocolMessageHelper.java:441)
 at com.rsa.fim.profile.sso.SSOProfileBean.createAuthnRequest(SSOProfileBean.java:213)
 at com.rsa.fim.profile.sso.SSOProfile_5wyj3w_EOImpl.createAuthnRequest(SSOProfile_5wyj3w_EOImpl.java:46)
 at com.rsa.fim.servlet.sso.IntersiteTransferService.doGet(IntersiteTransferService.java:73)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1006)
 at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
 at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
 at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:322)
 at com.rsa.fim.servlet.discovery.WebAgentService.doGet(WebAgentService.java:181)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1006)
 at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
 at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6718)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
 at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3764)
 at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
 at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
 at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
Cause

This error can occur when doing SP-Initiated Web SSO (Use Case 2, Use Case 3, Use Case 5 and Use Case 7). The problem occurs when the final end target web page that the user is attempting to access is simply the URL address of a server, for example:

                          https://www.rsa.com

If the target is changed slightly to look like this:

                          https://www.rsa.com/

then the problem does not occur.

The issue is that the TGT value (end target) needs to match a listed "Service Provider Application". This allows a variety of different SP entities to be configured so that the FIM server can react in different ways, for example:
 
            Target:                                  IdP to be used:
            http://myserver.rsa.com/personeldata     http://personelgate.emc.com/managers
            http://myserver.rsa.com/sales            http://www.rsa.com/online
 
The problem for you is that where the end target (TGT) is https://www.rsa.com it does not match any available pattern value of the service provider applications that have been listed.
 
This feature uses the values configured under Components | Service Provider Applications and then selected within the configuration of the local entity (on the second page). The wizard will generate a default "catch-all" value of "/*", but this will fail to identify the site correctly.

Resolution

The value https://www.rsa.com is an illegal URL value. RFC 2616, which defines HTTP 1.1, mandates that the absolute path of a URL cannot be empty and that, if none is specified, a "/" must be used to denote the server root. This is rarely noticed, because the mandatory requirement is usually corrected by a local client browser before it requests the URL.

RSA is looking at a possible change in this area in the next major release (currently expected to be RSA FIM 4.0).   For existing versions please ensure that the TGT value is configured to include a trailing "/" character.
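
The mismatch described above can be checked before a TGT value is configured. The following is an added example, not RSA code and not part of the original article; it assumes the Service Provider Application patterns behave like path globs (such as the wizard's "/*"), and the pattern list and function names are hypothetical.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, urlunsplit

# Assumption: path globs standing in for the "Service Provider Applications"
# entries. FIM's actual matching rules are not shown in the article.
SP_APPLICATION_PATTERNS = ["/personeldata*", "/sales*", "/*"]


def normalize_target(tgt):
    """Return tgt with an empty absolute path replaced by "/" (server root)."""
    parts = urlsplit(tgt)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {tgt!r}")
    if parts.path:
        return tgt  # path already present, leave the value untouched
    return urlunsplit(parts._replace(path="/"))


def match_pattern(tgt, patterns=SP_APPLICATION_PATTERNS):
    """Return the first pattern matching the target's path, or None."""
    path = urlsplit(tgt).path
    for pattern in patterns:
        if fnmatchcase(path, pattern):
            return pattern
    return None  # the condition behind "SP resource configuration is null"


def audit_target(tgt, patterns=SP_APPLICATION_PATTERNS):
    """Classify one configured TGT value and propose a corrected form."""
    fixed = normalize_target(tgt)
    return {
        "target": tgt,
        "matched": match_pattern(tgt, patterns),
        "suggested": fixed if fixed != tgt else None,
        "matched_after_fix": match_pattern(fixed, patterns),
    }


if __name__ == "__main__":
    # Constructed sample values based on the URLs used in the article.
    for tgt in ("https://www.rsa.com", "https://www.rsa.com/",
                "http://myserver.rsa.com/sales", "https://www.rsa.com?lang=en"):
        print(audit_target(tgt))
```

A target with an empty path is not matched even by the catch-all "/*", while the same target with a trailing "/" is.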

For details about configuring the RSA FIM server see the supplied documentation which is also available at SecurCare Online:

RSA Federated Identity Manager 3.1 Planning Guide
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/plan.pdf

RSA Federated Identity Manager 3.1 Installation & Configuration Guide
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/install.pdf

RSA Federated Identity Manager 3.1 Developer's Documentation
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/devguide.zip


Legacy Article ID: a37746
