Troubleshooting the "Unable to decode" (IdP 3.3)

O'Dowd, Josh Josh.O'Dowd at mso.umt.edu
Fri Aug 25 14:18:10 EDT 2017


Thanks Brent,

I will apply all of that, and see what I can find out.

Thanks again.
-Josh

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Brent Putman
Sent: Friday, August 25, 2017 12:11 PM
To: users at shibboleth.net
Subject: Re: Troubleshooting the "Unable to decode" (IdP 3.3)




On 8/25/17 1:20 PM, O'Dowd, Josh wrote:



Actually, there is a SAMLRequest parameter that I missed, coming after the RelayState parameter, and now I see that only some of the failed requests have a leading RelayState parameter.

Sample access entry for failed request:

[25/Aug/2017:09:24:05 -0600] TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /idp/profile/SAML2/Redirect/SLO?RelayState=ss:mem:18e8f777deec8579d5adfb48fbaf6d9ae296df30c777408c7058488b5509bd70&SAMLRequest=rVbJcqNIEL3rKxzqo8JmEwIUtiNYtLFoAyTBZaIExSKxiSoE6OsHddvT7e6ZCffEXLMyX+Z7mUnyjECaFGM9D/MKb+Flggg/NGmSofHXl5d+VWbjHKAYjTOQQjTG3tgUDX1MP5Hjosxx7uVJ/0Hp4uIM4DjPXvoRxgUaE0SSh3H2VKX4CfoVEfsF0Q
...
...
83szyP7Zvz5rr2fWBOi++VbZD5sXv+gu9+EI8OwggcBF7AM4I40oASK5T0B+EHwfjE/RL0bP/wBvf4J&SigAlg=http://www.w3.org/2000/09/xmldsig HTTP/1.1" 400 18603


With the full request URL, specifically the SAMLRequest param (which is the actual SAML protocol message), you can try decoding that with one of the online SAML decoder/debugger services.   I have used in the past:

https://rnd.feide.no/software/saml_2_0_debugger/


Also just found some others via googling, such as:

https://www.samltool.com/decode.php


I'll be a little surprised if those can decode them though, and OpenSAML can't, at least for valid inputs.  The OpenSAML code has essentially been in use for over a decade, and is not known to have any issues with valid requests.

Since this is the Redirect binding, what I would initially suspect is that they aren't encoded properly, wrt the Deflate part, i.e. maybe it's just Base64-encoded and not Deflated.  That's not valid Redirect binding and OpenSAML would not handle it and would treat it as an error.  A decoder tool that attempts to dynamically support Redirect and POST input simultaneously might be less strict. (I think the FEIDE one does that.)  You could also try just handing the SAMLRequest value to a Base64 decoder and see what happens.  If it works, then they aren't deflating.
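The two checks Brent suggests (hand the SAMLRequest value to a plain Base64 decoder, and inflate it the way the HTTP-Redirect binding requires), as an added Python example that is not part of this thread or of OpenSAML. The LogoutRequest, the access-log line and the function names are constructed for illustration; the log line only copies the shape of the entry quoted above.

```python
import base64
import urllib.parse
import zlib

# Constructed sample message (not taken from the list post): a minimal SAML 2.0 LogoutRequest.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2017-08-25T15:24:05Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@example.org</saml:NameID>'
    "</samlp:LogoutRequest>"
)


def encode_redirect(xml: str) -> str:
    """Correct HTTP-Redirect encoding: raw DEFLATE (no zlib header), then Base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_base64_only(xml: str) -> str:
    """The suspected mistake: Base64 without DEFLATE, i.e. what an HTTP-POST SAMLRequest looks like."""
    return urllib.parse.quote(base64.b64encode(xml.encode("utf-8")).decode("ascii"), safe="")


def classify_saml_request(param_value: str) -> tuple:
    """Return (verdict, decoded_xml_or_None) for a raw SAMLRequest query-parameter value.

    verdicts: "deflate+base64" (valid for Redirect), "base64-only" (POST-style, invalid for
    Redirect), "not-base64", or "undecodable".
    """
    raw = urllib.parse.unquote(param_value)  # unquote, not unquote_plus: '+' is Base64 data
    try:
        blob = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("not-base64", None)
    try:
        inflated = zlib.decompress(blob, -15)  # raw inflate, as the Redirect binding specifies
        return ("deflate+base64", inflated.decode("utf-8", "replace"))
    except zlib.error:
        pass
    text = blob.decode("utf-8", "replace").lstrip()
    if text.startswith("<"):
        return ("base64-only", text)  # Brent's case: Base64 decodes straight to XML, nobody deflated
    return ("undecodable", None)


def saml_request_from_access_log(line: str):
    """Pull the still-URL-encoded SAMLRequest value out of an access-log line like the one above.

    The query is split by hand on purpose: urllib.parse.parse_qs would turn '+' into a space and
    silently corrupt the Base64.
    """
    start = line.index('"') + 1
    end = line.index('"', start)
    _method, target, _proto = line[start:end].split(" ", 2)
    query = target.partition("?")[2]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "SAMLRequest":
            return value
    return None


# Constructed access-log line in the same shape as the entry quoted in the thread.
SAMPLE_LOG = (
    '[25/Aug/2017:09:24:05 -0600] TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 '
    '"GET /idp/profile/SAML2/Redirect/SLO?RelayState=ss:mem:constructed&SAMLRequest='
    + encode_base64_only(SAMPLE_XML)
    + '&SigAlg=http://www.w3.org/2000/09/xmldsig HTTP/1.1" 400 18603'
)

if __name__ == "__main__":
    for label, value in (
        ("properly deflated", encode_redirect(SAMPLE_XML)),
        ("base64 only", encode_base64_only(SAMPLE_XML)),
        ("from log line", saml_request_from_access_log(SAMPLE_LOG)),
    ):
        verdict, xml = classify_saml_request(value)
        print(f"{label}: {verdict}", (xml or "")[:60])
```

Running it against a real failing entry is a matter of pasting the whole request line into `saml_request_from_access_log`; a "base64-only" verdict confirms Brent's hypothesis that the SP is skipping the DEFLATE step, while "deflate+base64" with readable XML means the message itself is fine and the problem is elsewhere (signature, RelayState length, or truncation in the log).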






