The reference to entity "action" must end with the '; ' delimiter.

Glenn Wearen glenn.wearen at heanet.ie
Thu Feb 7 07:02:54 EST 2013


Before I confuse everyone, here is the actual AuthnRequest sent by SugarCRM…

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_89a3b55aa73d637c4978" Version="2.0" IssueInstant="2013-02-07T11:48:48Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://trial.sugarcrm.com/rvufhi7392/index.php?module=Users&action=Authenticate"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">php-saml</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"></samlp:NameIDPolicy>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Apologies
Glenn
Edugate Operations
HEAnet Limited, Ireland's Education and Research Network - 
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301  tel: +353-1-6609040  fax: +353-1-6603666

On 7 Feb 2013, at 11:35, Glenn Wearen wrote:

> The character before the 'action' was indeed an ampersand, and this is rejected by the IdP. When I urlencode it manually (using the Feide SAML debugger) the IdP parses it.
> Thanks
> Glenn
> 
> On 7 Feb 2013, at 10:31, Ian Young wrote:
> 
>> 
>> On 7 Feb 2013, at 09:54, Glenn Wearen <glenn.wearen at heanet.ie> wrote:
>> 
>>> Slight correction, it is the ampersand that I have urlencoded, not the question mark.
>> 
>> The example you posted doesn't contain an ampersand.  If the character before the "action" was an ampersand, that would be invalid XML, which is what the IdP is reporting.
>> 
>> As to whether the "right" answer is for the SP to URL encode such an ampersand as %25 within the XML, in the hope that it won't be decoded prior to being used in a URL, I'm not sure.  I have seen that done, but if you don't have control over what the SP is generating then that may be moot.
>> 
>> There was a change in behaviour in this area in the IdP at some point in the 2.X series.  I want to say something like 2.2.0, but I can't see the specific issue in the release notes; it may have been a side-effect of fixing something else and perhaps someone else can remember the details.  We've also had related issues in the discovery service code.  I do remember that we were fairly confident that the IdP was doing the right thing now, though.
>> 
>> 	-- Ian

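The well-formedness problem discussed in this thread, as an added Python example that is not part of the original messages or of SugarCRM, php-saml or the Shibboleth IdP. It uses the ACS URL from the AuthnRequest above; the helper names and the cut-down request (ID "_constructed") are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# ACS URL taken from the AuthnRequest quoted in this thread.
ACS = "https://trial.sugarcrm.com/rvufhi7392/index.php?module=Users&action=Authenticate"


def raw_request(acs_text):
    """Build the request by string concatenation: acs_text is inserted verbatim."""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0" '
            'AssertionConsumerServiceURL="%s"/>' % (SAMLP, acs_text))


def serialized_request(acs):
    """Build the request through an XML serializer, which escapes '&' as '&amp;'."""
    attrs = {"ID": "_constructed", "Version": "2.0",
             "AssertionConsumerServiceURL": acs}
    return ET.tostring(ET.Element("{%s}AuthnRequest" % SAMLP, attrs),
                       encoding="unicode")


def acs_seen_by_parser(xml_text):
    """ACS URL recovered by an XML parser, or None if the text is not well-formed."""
    try:
        return ET.fromstring(xml_text).get("AssertionConsumerServiceURL")
    except ET.ParseError:
        return None


def query_params(url):
    """Query parameters the web application at that URL would receive."""
    return parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    # 1. Raw '&' in the attribute: rejected as an unterminated entity reference.
    print("raw:       ", acs_seen_by_parser(raw_request(ACS)))
    # 2. XML-escaped: well-formed, and the parser hands back the original URL.
    print("escaped:   ", acs_seen_by_parser(serialized_request(ACS)))
    # 3. Percent-encoded: well-formed, but it is now a different URL.
    pct = ACS.replace("&", quote("&"))
    print("percent:   ", acs_seen_by_parser(raw_request(pct)))
    print("its params:", query_params(pct))
```

Escaping at the XML layer keeps both query parameters intact after parsing, while percent-encoding makes the document parse but folds `action` into the value of `module`.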