xmltooling::XMLParserException - Testshib.org & SimpleSAMLphp SAML IdP

Brent Putman putmanb at georgetown.edu
Mon May 22 12:47:08 EDT 2017

On 5/22/17 10:05 AM, James McClune wrote:
> xmltooling::XMLParserException
> xmltooling::XMLParserException at
> (https://sp.testshib.org/Shibboleth.sso/SAML2/POST) XML error(s)
> during parsing, check log for specifics

That's the Shib SP telling you there is a fundamental XML parsing error
on the POST of the Response+Assertion to the SP's assertion consumer
service (ACS) endpoint.  The real info is at the end:

> *2017-05-22 09:42:10 ERROR XMLTooling.ParserPool [1440]: fatal error
> on line 9, column 6612, message: invalid character 0x1*

That's exactly where the invalid XML is, specifically an invalid
character.  If you actually pull that XML into a text editor and find
line 9 col 6612 (with some guesstimation to account for formatting
differences), you will see that there is some control character there
being sent as the value of an attribute:

<saml:Attribute Name="objectSid"
xsi:type="xs:string">CONTROL CHAR

Depending on what text editor etc. you are using, it may be difficult to
see, but in my MacVIM that location shows as a ^E, and 'od' shows the same:

0000000    <   s   a   m   l   :   A   t   t   r   i   b   u   t   e   
0000020    N   a   m   e   =   "   o   b   j   e   c   t   S   i   d   "
0000040        N   a   m   e   F   o   r   m   a   t   =   "   u   r   n
0000060    :   o   a   s   i   s   :   n   a   m   e   s   :   t   c   :
0000100    S   A   M   L   :   2   .   0   :   a   t   t   r   n   a   m
0000120    e   -   f   o   r   m   a   t   :   b   a   s   i   c   "   >
0000140    <   s   a   m   l   :   A   t   t   r   i   b   u   t   e   V
0000160    a   l   u   e       x   s   i   :   t   y   p   e   =   "   x
0000200    s   :   s   t   r   i   n   g   "   > 005   <   /   s   a   m
0000220    l   :   A   t   t   r   i   b   u   t   e   V   a   l   u   e
0000240    >   <   /   s   a   m   l   :   A   t   t   r   i   b   u   t
0000260    e   >  \n                                                   

So whatever you are doing in the IdP to produce the objectSid attribute
is producing an illegal value, probably something binary.  IIRC some of
the attribs in AD are binary in nature and require special handling to
render them as a SAML attribute.  But you'd have to ask the
SimpleSAMLPHP people about specifics for their software.
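As an added illustration (not code from the mail above, Shibboleth, or SimpleSAMLphp), here is a small Python check that locates characters illegal in XML 1.0 with the same line/column reporting as the parser log, and decodes a binary objectSid into its textual S-1-5-... form so it can travel as a plain string attribute. The SAML fragment and SID bytes are constructed samples, not values from the thread.

```python
import base64
import re
import struct

# Characters allowed in XML 1.0 (https://www.w3.org/TR/xml/#charsets).
# Anything outside these ranges, e.g. 0x01 or 0x05, makes a parser such as
# the Xerces parser in the Shibboleth SP reject the whole Response.
_XML_ILLEGAL = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

def find_illegal_xml_chars(text):
    """Return (line, column, codepoint) for every character that is not
    allowed in XML 1.0; line and column are 1-based like the parser log."""
    hits = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for m in _XML_ILLEGAL.finditer(line):
            hits.append((line_no, m.start() + 1, ord(m.group())))
    return hits

def sid_to_string(raw):
    """Decode the binary objectSid layout (revision, sub-authority count,
    48-bit big-endian authority, 32-bit little-endian sub-authorities)
    into the textual S-1-5-21-... form, which is plain ASCII."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority) + subs)

def encode_binary_attribute(raw):
    """Fallback for any other binary directory attribute: base64 output is
    pure ASCII and can never trip the XML parser."""
    return base64.b64encode(raw).decode("ascii")

# Constructed sample shaped like the fragment in the mail: a control
# character (0x05) sent raw as the objectSid value.
SAMPLE_BAD = (
    '<saml:Attribute Name="objectSid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">\n'
    '<saml:AttributeValue xsi:type="xs:string">\x05</saml:AttributeValue>\n'
    "</saml:Attribute>"
)
# Constructed binary SID for S-1-5-21-1-2-3 (not a real directory value).
SAMPLE_SID = bytes([1, 4, 0, 0, 0, 0, 0, 5]) + struct.pack("<4I", 21, 1, 2, 3)
```

Running find_illegal_xml_chars over the raw POSTed Response (after base64-decoding the SAMLResponse form field) points straight at the offending attribute, which is quicker than hunting for ^E in an editor.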