Shibboleth IdP and Novell Access Manager
Bart Ophelders
Bart.Ophelders at icts.kuleuven.be
Mon Nov 28 10:03:56 GMT 2011
Hello,
We are trying to set up a test environment where we want to connect our
Shibboleth IdP to the Novell Access Manager Identity Server (configured as a
Service Provider).
According to the documentation on
http://www.novell.com/communities/node/6943/integrating-novells-access-manager-shibboleths-idp-server
it should be possible?
The problem occurs when the Novell Identity Server sends the authentication
request to our IdP. It responds with "Error decoding authentication request
message".
The SAML authentication request is as follows:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
    Destination="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"
    ForceAuthn="false" ID="idX32Qk7WH2TJ4moRICxU50pRwMwY" IsPassive="false"
    IssueInstant="2011-11-25T09:16:06Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Version="2.0">
<saml:Issuer>https://sp.example.com:8443/nidp/saml2/metadata</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#idX32Qk7WH2TJ4moRICxU50pRwMwY">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">ibYa0NxkDvOTTsH27aqjYIkT4cE=</DigestValue>
</ds:Reference>
</ds:SignedInfo>
<SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">
fMnmxWdwldCfTAZRxVVZ5O9jYYymFvMlizOhTc3COQy6MFSPrOzYHR+LH4MpHmRCIxkXbMYR
fMnmxWdwldCfTAZRxVVZ5O9jYYymFvMlizOhTc3COQy6MFSPrOzYHR+k8wb
JkLw7qwTk5Alcoiatlyi/9f2IihxWdKcV1lMTeACK+crJ66HSCv9Q4bnCfpA3PkPWx3SRtT9QNrN
M74X96nH9rnZD3eVSJpr3nxEv7JH4oEwG1GlK59AjP5gyUsrcoMQNTjLyUo3zp7iIpN4c/78HF68
4MYMZRv4JhcbMU0O8vtNG9zKrSiCD2h3WdiTqa5B71mehehppURB0ireARaPMXRO7wzImUpQOhsw
dcDpFl3S3+uMiVq0Y9D1kg1T89yoDM3mOJLZaw==
</SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>
MIIFFzCCA/+gAwIBAgIkAhwR/6UpNm9pDtA+9feHGMmx/XRasrfbFjieU0wTAgIEQxODMA0GCSqG
SIb3DQEBBQUAMDYxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENBMRgwFgYDVQQKFA9pc21fYW1f
.
iMAesTP7hObcH6K/wFcEVWFOaXhQ3tfroln3FwtNkb76HgPXiW+z+ZsNwXLWTCPxxTT1onBS9D6S
NpDtYrC2fZHSccSbjIiCT+0xxSCeujI+njbCt5Yg5ohDdL3pWNGR4RCcoZwZIj4l25xsAjc=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
And the idp-process log file contains:
10:16:03.729 - INFO [Shibboleth-Access:74] - - 20111125T091603Z||idp.example.com:443|/profile/SAML2/Redirect/SSO|
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:323] - - LoginContext key cookie was not present in request
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:160] - - Incoming request does not contain a login context, processing as first leg of request
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:312] - - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
10:16:03.731 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:76] - - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
10:16:03.734 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:90] - - Decoded RelayState: MA==
10:16:03.734 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:127] - - Base64 decoding and inflating SAML message
10:16:03.735 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:183] - - Parsing message stream into DOM document
10:16:03.736 - ERROR [org.opensaml.ws.message.decoder.BaseMessageDecoder:208] - - Encountered error parsing message into its DOM representation
org.opensaml.xml.parse.XMLParserException: Unable to read XML from input stream
    at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:221) ~[xmltooling-1.3.3.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDecoder.java:186) [openws-1.4.3.jar:na]
    at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:102) [opensaml-2.5.2.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) [openws-1.4.3.jar:na]
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) [opensaml-2.5.2.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:332) [shibboleth-identityprovider-2.3.4.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:190) [shibboleth-identityprovider-2.3.4.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:161) [shibboleth-identityprovider-2.3.4.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:88) [shibboleth-identityprovider-2.3.4.jar:na]
    at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:84) [shibboleth-common-1.3.4.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [tomcat6-servlet-2.5-api-6.0.29.jar:na]
    .
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) [tomcat-coyote-6.0.29.jar:6.0.29]
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-coyote-6.0.29.jar:6.0.29]
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) [tomcat-coyote-6.0.29.jar:6.0.29]
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote-6.0.29.jar:6.0.29]
    at java.lang.Thread.run(Thread.java:636) [na:1.6.0_17]
Caused by: java.util.zip.ZipException: invalid code lengths set
    at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:164) ~[na:1.6.0_17]
    at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:122) ~[na:1.6.0_17]
    at org.apache.xerces.impl.XMLEntityManager$RewindableInputStream.read(Unknown Source) ~[na:na]
    at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source) ~[na:na]
    at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source) ~[na:na]
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[na:na]
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[na:na]
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[na:na]
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) ~[na:na]
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) ~[na:na]
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source) ~[na:1.3.04]
    at org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:672) ~[xmltooling-1.3.3.jar:na]
    at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:216) ~[xmltooling-1.3.3.jar:na]
    ... 38 common frames omitted
10:16:03.739 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:344] - - Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: Encountered error parsing message into its DOM representation
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDecoder.java:209) ~[openws-1.4.3.jar:na]
    at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:102) ~[opensaml-2.5.2.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) ~[openws-1.4.3.jar:na]
    at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.5.2.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:332) [shibboleth-identityprovider-2.3.4.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:190) [shibboleth-identityprovider-2.3.4.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:161) [shibboleth-identityprovider-2.3.4.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:88) [shibboleth-identityprovider-2.3.4.jar:na]
    at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:84) [shibboleth-common-1.3.4.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [tomcat6-servlet-2.5-api-6.0.29.jar:na]
    .
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) [tomcat-coyote-6.0.29.jar:6.0.29]
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-coyote-6.0.29.jar:6.0.29]
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) [tomcat-coyote-6.0.29.jar:6.0.29]
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote-6.0.29.jar:6.0.29]
    at java.lang.Thread.run(Thread.java:636) [na:1.6.0_17]
Caused by: org.opensaml.xml.parse.XMLParserException: Unable to read XML from input stream
    at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:221) ~[xmltooling-1.3.3.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDecoder.java:186) ~[openws-1.4.3.jar:na]
    ... 37 common frames omitted
Caused by: java.util.zip.ZipException: invalid code lengths set
    at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:164) ~[na:1.6.0_17]
    at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:122) ~[na:1.6.0_17]
    at org.apache.xerces.impl.XMLEntityManager$RewindableInputStream.read(Unknown Source) ~[na:na]
    at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source) ~[na:na]
    at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source) ~[na:na]
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[na:na]
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[na:na]
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[na:na]
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) ~[na:na]
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) ~[na:na]
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source) ~[na:1.3.04]
    at org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:672) ~[xmltooling-1.3.3.jar:na]
    at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:216) ~[xmltooling-1.3.3.jar:na]
    ... 38 common frames omitted
Maybe this does ring a bell for someone?
Does the authentication request look wrong in any way?
Any thoughts or pointers are very much welcome!
Kind regards,
Bart
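Editor's note on the trace above: the failure is raised by java.util.zip.InflaterInputStream inside HTTPRedirectDeflateDecoder, before any XML is parsed. The IdP's HTTP-Redirect endpoint only ever tries one decoding, the one the SAML 2.0 Bindings spec prescribes for that binding: URL-decode the SAMLRequest parameter, Base64-decode it, inflate it as raw DEFLATE (no zlib or gzip header), then parse. "invalid code lengths set" is zlib's complaint when the bytes handed to it were never raw-deflated, so the first thing to check is what encoding the SP actually applied. The spec also requires a message on this binding to carry its signature in the separate SigAlg/Signature query parameters rather than as an embedded ds:Signature element, which is the form the posted request has. The script below is an added example written for this page; it is not code from the original post, from Shibboleth/OpenSAML or from Novell. It repeats the IdP's decoding order on a captured SAMLRequest value and, when raw inflate fails, probes the usual wrong encodings (zlib-wrapped, gzip, and plain Base64 as used by the HTTP-POST binding). The embedded AuthnRequest is constructed for the example, not the one from the post, and the function names are the example's own.

```python
"""Diagnose a SAML 2.0 HTTP-Redirect SAMLRequest value in the same order the
IdP's HTTPRedirectDeflateDecoder processes it: URL-decode, Base64-decode,
raw-DEFLATE inflate, parse XML.  Added example; not Shibboleth, OpenSAML or
Novell code."""
import base64
import binascii
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not the request from the post): a minimal, unsigned AuthnRequest.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAML2P}" xmlns:saml="{SAML2}" '
    'ID="_example-1" Version="2.0" IssueInstant="2011-11-25T09:16:06Z" '
    'Destination="https://idp.example.com/idp/profile/SAML2/Redirect/SSO" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>https://sp.example.com:8443/nidp/saml2/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
).encode("utf-8")


def encode_redirect_request(xml_bytes: bytes, variant: str = "raw-deflate") -> str:
    """Build a SAMLRequest query value.  Only "raw-deflate" is what the
    HTTP-Redirect binding specifies; "zlib" and "none" reproduce common SP
    mistakes so the decoder below can be exercised against them."""
    if variant == "raw-deflate":
        c = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header/trailer
        payload = c.compress(xml_bytes) + c.flush()
    elif variant == "zlib":
        payload = zlib.compress(xml_bytes)            # 2-byte zlib header + Adler-32 trailer
    elif variant == "none":
        payload = xml_bytes                           # HTTP-POST style: Base64 only
    else:
        raise ValueError(f"unknown variant {variant!r}")
    return urllib.parse.quote(base64.b64encode(payload).decode("ascii"), safe="")


def decode_redirect_request(query_value: str) -> dict:
    """Diagnose one SAMLRequest value.  'variant' is the encoding that actually
    decodes it; 'raw_deflate_error' is the inflate error the IdP would report
    (None when the value is spec-conformant)."""
    # Step 1: URL-decode.  A '+' turned into ' ' by a container or proxy is a
    # classic Base64 corruption, so restore it before decoding.
    b64 = urllib.parse.unquote(query_value).replace(" ", "+")
    try:
        data = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        return {"variant": "not-base64", "error": str(exc)}

    # Step 2: inflate.  The IdP only tries raw DEFLATE (wbits=-15); the other
    # two probes tell you what the SP sent instead when that fails.
    result = {"variant": None, "raw_deflate_error": None}
    xml_bytes = None
    for name, wbits in (("raw-deflate", -15), ("zlib", 15), ("gzip", 31)):
        try:
            xml_bytes = zlib.decompress(data, wbits)
            result["variant"] = name
            break
        except zlib.error as exc:
            if name == "raw-deflate":
                result["raw_deflate_error"] = str(exc)
    if xml_bytes is None:
        if data.lstrip().startswith(b"<"):
            result["variant"] = "none"     # Base64 of plain XML: the POST-binding encoding
            xml_bytes = data
        else:
            result["error"] = "payload is neither DEFLATE, zlib, gzip nor XML"
            return result

    # Step 3: parse.  For untrusted input in production, use defusedxml instead.
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        result["error"] = f"XML parse error: {exc}"
        return result
    issuer = root.find(f"{{{SAML2}}}Issuer")
    result.update(
        root=root.tag.split("}")[-1],
        issuer=issuer.text.strip() if issuer is not None and issuer.text else None,
        protocol_binding=root.get("ProtocolBinding"),
        # On the Redirect binding the signature must NOT be inside the XML.
        has_embedded_signature=root.find(f"{{{DSIG}}}Signature") is not None,
    )
    return result


if __name__ == "__main__":
    for variant in ("raw-deflate", "zlib", "none"):
        value = encode_redirect_request(SAMPLE_AUTHN_REQUEST, variant)
        print(variant, "->", decode_redirect_request(value))
```

To use it on a live failure, copy the SAMLRequest value out of the IdP's access log or a browser capture and pass it to decode_redirect_request(); a variant other than "raw-deflate", or has_embedded_signature being True, points at the SP side rather than at the IdP.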