Invalid XML Exception

Paul Hethmon paul.hethmon at clareitysecurity.com
Fri Apr 8 11:24:17 EDT 2016


> On Apr 8, 2016, at 11:14 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> 
>> It validates using Oxygen XML Editor and SAML Tracer likes it as well. I don’t
>> see anything wrong with it, but yet it fails.
>> 
>> Any ideas?
> 
> It's a POST; did you grab the base64 in the form and decode it directly to see what's in it?
> 
> There's no real chance of a socket-related issue since the XML here is inside that form element, it's not like there's more data being received or whatever.

Well I have and just did it again and think I see it:

Encoded:


Decoded:

<samlp:AuthnRequest ID="_1500760B-A7F5-40D8-BC21-10B333033E19" Version="2.0" IssueInstant="2016-04-08T09:20:07Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://idp.nnrmls.safemls.net/idp/profile/SAML2/POST/SSO" ForceAuthn="false" IsPassive="false"  AssertionConsumerServiceIndex="0" AssertionConsumerServiceURL="http://www.mlsENsight.com/geojet6/emmain.asp?mapName=32" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.mlsENsight.com/geojet6/</saml:Issuer><samlp:NameIDPolicy AllowCreate="true"></samlp:NameIDPolicy></samlp:AuthnRequest>

The NameIDPolicy node is missing the ending /.

So SAML Tracer showed it there, but a separate decoding does not.

Very odd.

-----
Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com
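
The check discussed in this thread (take the base64 out of the POST form, decode it directly, and test the result for well-formedness) can be scripted as below. This is an added example, not code from the thread or from Shibboleth; the function names, the sample messages and the decision to refuse any DOCTYPE are assumptions of the example.

```python
import base64
from html.parser import HTMLParser
from xml.parsers import expat


class SamlField(HTMLParser):
    """Grabs the hidden SAMLRequest/SAMLResponse input from a POST-binding form."""
    value = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") in ("SAMLRequest", "SAMLResponse"):
            self.value = attrs.get("value") or ""


def decode_post_binding(form_html):
    """Return the XML bytes carried in the form field, before any tool re-serializes them."""
    field = SamlField()
    field.feed(form_html)
    if field.value is None:
        raise ValueError("no SAMLRequest/SAMLResponse field in form")
    # Drop line wrapping, then decode strictly so stray characters are an error
    return base64.b64decode("".join(field.value.split()), validate=True)


def well_formed(xml_bytes):
    """Return (True, None), or (False, reason) including expat's line and column."""
    parser = expat.ParserCreate(namespace_separator=" ")  # also checks prefixes

    def refuse_doctype(*_):
        raise ValueError("DOCTYPE refused (hardening choice of this example)")
    parser.StartDoctypeDeclHandler = refuse_doctype
    try:
        parser.Parse(xml_bytes, True)
    except (expat.ExpatError, ValueError) as exc:
        return False, str(exc)
    return True, None


# Constructed sample input (not the message from this thread)
GOOD = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        b'ID="_constructed" Version="2.0">'
        b'<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>')
BAD = GOOD.replace(b'"true"/>', b'"true">')  # NameIDPolicy left unclosed


def as_form(xml_bytes):
    b64 = base64.b64encode(xml_bytes).decode()
    return f'<form method="post"><input type="hidden" name="SAMLRequest" value="{b64}"/></form>'


if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("bad", BAD)):
        print(label, well_formed(decode_post_binding(as_form(xml))))
```

Working from the raw form field matters because a browser-side viewer may pretty-print or re-serialize the XML, while the receiving party parses the decoded bytes as sent.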
