Rob Moore (Migrated from SES-47) said:
ADFS does not return a subject name identifier by default but can be configured to do so:
http://blogs.msdn.com/card/archive/2010/02/17/name-identifiers-in-saml-assertions.aspx
The issue occurs when ADFS has not been configured this way as no subject name identifier will be provided and the following error will occur:
java.lang.IllegalArgumentException: SAMLBase object can't be created with null object argument
    at org.springframework.security.saml.parser.SAMLBase.<init>(SAMLBase.java:64)
    at org.springframework.security.saml.parser.SAMLObject.<init>(SAMLObject.java:43)
    at org.springframework.security.saml.SAMLCredential.<init>(SAMLCredential.java:66)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processResponse(WebSSOProfileConsumerImpl.java:206)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    ...
I think it would be useful to have the code in WebSSOProfileConsumerImpl.processResponse() check for the existence of the subject name identifier returned from context.getSubjectNameIdentifier() before attempting to create the SAMLCredential and log an error if it is null.
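One way to implement the guard the report asks for, as an added example that is not the project's own code and not part of the original report. It is written against the OpenSAML 2 and Spring Security SAML 1.x types that appear in the stack trace (SAMLMessageContext, NameID, SAMLException); the class name SubjectNameIdGuard, the method requireSubjectNameId and the wording of the log and exception messages are assumptions chosen here for illustration.

```java
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObject;
import org.opensaml.saml2.core.NameID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.context.SAMLMessageContext;

/**
 * Illustrative guard (assumed name, not part of Spring Security SAML) that
 * checks the subject name identifier before a SAMLCredential is built.
 *
 * Without this check the null NameID reaches SAMLCredential's constructor,
 * which rejects it with the IllegalArgumentException shown above; that
 * message says nothing about the real cause (the IdP, e.g. ADFS without a
 * NameID claim rule, never issued a NameID).
 */
public final class SubjectNameIdGuard {

    private static final Logger log = LoggerFactory.getLogger(SubjectNameIdGuard.class);

    private SubjectNameIdGuard() {
    }

    /**
     * Returns the NameID from the processed assertion's Subject.
     *
     * @param context the message context populated while the Response was processed
     * @return the SAML 2 NameID of the authenticated subject, never null
     * @throws SAMLException if the IdP sent no subject identifier, or one that is
     *                       not a SAML 2 NameID; the message tells the operator
     *                       what to fix on the IdP side
     */
    public static NameID requireSubjectNameId(SAMLMessageContext context) throws SAMLException {
        // OpenSAML fills this in from the assertion's Subject during processing;
        // it stays null when the assertion carried no NameID at all.
        SAMLObject subjectId = context.getSubjectNameIdentifier();

        if (subjectId == null) {
            // Log with the IdP entity ID so the failing federation partner can be identified.
            log.error("No subject NameID in the assertion issued by IDP {}; "
                    + "configure the IDP to issue a NameID for this relying party",
                    context.getPeerEntityId());
            throw new SAMLException("NameID element must be present in the Subject of the "
                    + "assertion; enable NameID issuance on the IDP (for ADFS, add a Name ID claim rule)");
        }

        if (!(subjectId instanceof NameID)) {
            // Defensive: anything other than a SAML 2 NameID cannot be used to build the credential.
            log.error("Subject identifier from IDP {} is a {}, expected a SAML 2 NameID",
                    context.getPeerEntityId(), subjectId.getElementQName());
            throw new SAMLException("Subject identifier is not a SAML 2 NameID");
        }

        return (NameID) subjectId;
    }
}
```

Calling requireSubjectNameId(context) immediately before the SAMLCredential is constructed in processResponse turns the opaque IllegalArgumentException into a SAMLException whose message names the missing element and the IdP that omitted it, which is what an operator debugging an ADFS federation actually needs to see in the log.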