OIDC OP v/s SAML2NameID

John C. Pfeifer pfeifer at umd.edu
Thu Sep 8 19:55:23 UTC 2022


For reference: IdP 4.2.1, OIDC common 2.1.0, OIDC OP 3.1.2, (not that I think it matters…but Duo OIDC Nimbus 1.2.0)

I am trying to follow the instructions for OIDC client secret resolution using the attribute resolver. This all seems straightforward...until I add the shibboleth.oidc.ClientSecretValueResolvers bean into conf/global.xml

    <util:list id="shibboleth.oidc.ClientSecretValueResolvers">
        <bean parent="shibboleth.oidc.ResolverServiceClientSecretValueResolver"
              p:attributeIds="oidcClientSecretAttribute" />
    </util:list>

This causes the attribute resolver to fail to load, barfing on the eduPersonTargetedID attribute definition:

2022-09-08 16:53:18,934 -  - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:182] - Service 'shibboleth.AttributeResolverService': Initial load failed
net.shibboleth.utilities.java.support.service.ServiceException: Failed to load [file [/opt/shibboleth-idp/conf/attribute-resolver.xml], class path resource [net/shibboleth/idp/conf/attribute-resolver-system.xml]]
        at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:387)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'eduPersonTargetedID': Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [net.shibboleth.idp.saml.attribute.resolver.impl.SAML2NameIDAttributeDefinition]: Constructor threw exception; nested exception is java.lang.NullPointerException
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1334)
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [net.shibboleth.idp.saml.attribute.resolver.impl.SAML2NameIDAttributeDefinition]: Constructor threw exception; nested exception is java.lang.NullPointerException
        at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:224)
Caused by: java.lang.NullPointerException: null
        at org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getBuilderFactory(XMLObjectProviderRegistrySupport.java:107)
2022-09-08 16:53:18,935 -  - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:185] - Service 'shibboleth.AttributeResolverService': No further attempts will be made to reload

The definition in question is:

    <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
                                  nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector ref="computedID" attributeNames="computedID" />
        <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
        <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
    </AttributeDefinition>

I realize that xsi:type="SAML2NameID" is deprecated and would be happy to replace the definition with something else that produces the same result.

However, I don't see why adding in the shibboleth.oidc.ClientSecretValueResolvers bean breaks an otherwise working configuration (e.g. commenting out the bean allows the attribute resolver to load).

Any insights are appreciated.

//
John Pfeifer
Division of Information Technology
University of Maryland, College Park
