Coldfusion 2023 and SAML

Report · Dec 14, 2023

I am developing SAML SSO with Azure AD and our Coldfusion application at the moment and in Coldfusion 2021 everything seems to work. The configuration is there and the authentication works as well.

When I try to configure SAML in Coldfusion 2023, errors are thrown in spconfig.cfm

When I generate a new service provider, the configuration is created but this error is thrown:

Variable GENERATESUCCESSMSG is undefined.

The error occurred in spconfig.cfm: line 122
Called from spconfig.cfm: line 100
Called from spconfig.cfm: line 40
Called from spconfig.cfm: line 1

Identical errors (only with other variables) come when deleting / updating a configuration.
Also identity provider creation throws errors.

Did anybody experience this?

We use Coldfusion 2023.0.06.330617

and SAML package 2023.0.05.330608

If I ignore the errors thrown and try to init SAML authentication also an error is thrown (that may be because the configuration is not correct):

java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because the return value of "coldfusion.runtime.ApplicationScope.getApplicationPath()" is null
body: at coldfusion.saml.SamlHelper.getStructFromAppScope(SamlHelper.java:472)
body: at coldfusion.saml.SamlRequestBuilder.getIdp(SamlRequestBuilder.java:374)
body: at coldfusion.saml.SamlRequestBuilder.initAuthRequest(SamlRequestBuilder.java:149)
body: at coldfusion.saml.SAMLServiceImpl.InitSAMLAuthRequest(SAMLServiceImpl.java:577)
body: at coldfusion.runtime.CFPage.InitSAMLAuthRequest(CFPage.java:17693)

Can anybody help?

Report · Dec 14, 2023

Elisabeth, yes someone else has reported this. See:

https://tracker.adobe.com/#/view/CF-4219674

which indicates Adobe has a fix, though it's not clear what update will include it. See my comments at that tracker ticket, and add a vote to be notified when Adobe may respond with clarification about how you can get that fix now.

/Charlie (troubleshooter, carehart. org)

Report · Dec 14, 2023

Thanks a lot, Charlie! I did not find this!

Report · Dec 14, 2023

Now the SAML authentication works even while the configuration still throws these errors.
So I will wait until the issue is fixed in one of the next updates (hopefully).

Report · Dec 14, 2023

That's very interesting that it was not working before but is now. It could be interesting to understand when it "fails" and when it does not. But sure, if they fix it at least the error msg will go away.

/Charlie (troubleshooter, carehart. org)

Report · Jul 24, 2024

how did you fix the getApplicationPath() is null error?

Cannot invoke "String.toLowerCase()" because the return value of "coldfusion.runtime.ApplicationScope.getApplicationPath()" is null

Report · Aug 05, 2024

Sorry, I cannot help you here. You might notice that this call of getApplicationPath is part of a stack trace and is called by another Coldfusion function. We do not use this function at all.

Report · Feb 05, 2025

Wanted to chime in here, even though this is an old post. I was setting up SAML using Azure Entra SSO and running into the error Cannot invoke "String.toLowerCase()" because the return value of "coldfusion.runtime.ApplicationScope.getApplicationPath()" is null and this is the only Google result that came up.

In my case, I had set up a separate directory inside my site root to facilitate a specific company's SSO request. For example, the SSO link I created was similar to:
https://www.mysite.com/saml/company1/

In the 'company1' directory I had just a single index.cfm file containing:

<cfset SAMLconfig = {
	idp = {name = "myIDPNameInCF"},
	sp = {name = "MySPNameinCF"},
	relayState = "A_value_my_app_uses"
}>

<cfset InitSAMLAuthRequest(SAMLconfig)>

A bizarre thing happened where this code was working for me on my tests. I would get directed to Microsoft (MS) to login and my process worked fine.

However, when I sent the link to others, it produced the error message, above. WTF?

So, I tried the link on other devices where I'd never logged into MS before and, lo and behold, there was the error! The line number indicated by the error is the InitSAMLAuthRequest() line.

Not sure why it was working on my test setup...even different browsers? Only guess is because I had previously logged into my MS account in those browsers before? No clue.

Anyway, seeing as this posting was the only 'help' I found I tried grasping at a straw and it seems to have worked:

The error indicates the 'return value of "coldfusion.runtime.ApplicationScope.getApplicationPath()" is null. So, it would seem the inner workings of InitSAMLAuthRequest() can't find the application path? So, I created a new application.cfc file in the same directory as this index file. So now my SAML directory at /mywebsite/saml/company1/ has 2 files: application.cfc and index.cfm.

The appliaiton file is very simply:

component {
    this.name = "myCompanySAML";
    this.appBasePath = getDirectoryFromPath(getCurrentTemplatePath());
    this.sessionManagement = true;
}

(I also found sessionmanagement needs to be turned on or you get another error with InitSAMLAuthRequest().)

Adding this application file seems to have fixed the issue. All the devices I tried, that had previously errored, are now working as expected and sending me to a MS login page. I've also tested on devices that have never accessed MS before and it also works. Hopefully, no more issues?

Coldfusion 2023 and SAML

1 Correct answer