xmltooling::XMLParserException - Testshib.org & SimpleSAMLphp SAML IdP
James McClune
mcclunej at norwalktruckers.net
Mon May 22 13:46:17 EDT 2017
Thanks Brent.
- Jimmy
On Mon, May 22, 2017 at 12:47 PM, Brent Putman <putmanb at georgetown.edu>
wrote:
>
>
> On 5/22/17 10:05 AM, James McClune wrote:
>>
>> xmltooling::XMLParserException
>> xmltooling::XMLParserException at
>> (https://sp.testshib.org/Shibboleth.sso/SAML2/POST) XML error(s)
>> during parsing, check log for specifics
>
> That's the Shib SP telling you there is a fundamental XML parsing
> error on the POST of the Response+Assertion to the SP's assertion
> consumer service (ACS) endpoint. The real info is at the end:
>
>> 2017-05-22 09:42:10 ERROR XMLTooling.ParserPool [1440]: fatal error
>> on line 9, column 6612, message: invalid character 0x1
>
> That's exactly where the invalid XML is, specifically an invalid
> character. If you actually pull that XML into a text editor and find
> line 9 col 6612 (with some guesstimation to account for formatting
> differences), you will see that there is some control character there
> being sent as the value of an attribute:
>
> <saml:Attribute Name="objectSid"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">CONTROL CHAR HERE</saml:AttributeValue></saml:Attribute>
>
>
> Depending on what text editor etc you are using, it may be difficult
> to see, but in my MacVIM that location shows as a ^E, and 'od' shows
> the same:
>
> 0000000    <   s   a   m   l   :   A   t   t   r   i   b   u   t   e    
> 0000020    N   a   m   e   =   "   o   b   j   e   c   t   S   i   d   "
> 0000040        N   a   m   e   F   o   r   m   a   t   =   "   u   r   n
> 0000060    :   o   a   s   i   s   :   n   a   m   e   s   :   t   c   :
> 0000100    S   A   M   L   :   2   .   0   :   a   t   t   r   n   a   m
> 0000120    e   -   f   o   r   m   a   t   :   b   a   s   i   c   "   >
> 0000140    <   s   a   m   l   :   A   t   t   r   i   b   u   t   e   V
> 0000160    a   l   u   e       x   s   i   :   t   y   p   e   =   "   x
> 0000200    s   :   s   t   r   i   n   g   "   > 005   <   /   s   a   m
> 0000220    l   :   A   t   t   r   i   b   u   t   e   V   a   l   u   e
> 0000240    >   <   /   s   a   m   l   :   A   t   t   r   i   b   u   t
> 0000260    e   >  \n
> 0000263
>
>
> So whatever you are doing in the IdP to produce the objectSid
> attribute is producing an illegal value, probably something binary.
> IIRC some of the attribs in AD are binary in nature and require
> special handling to render them as a SAML attribute. But you'd have
> to ask the SimpleSAMLPHP people about specifics for their software.
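
An added example, not part of the original thread and not SimpleSAMLphp or Shibboleth code: a Python script that reports characters XML 1.0 forbids by line and column, in the style of the SP log line quoted above, and renders a binary objectSid in its textual S-1-... form, which is one common way to make the value safe to carry in a SAML AttributeValue. The SID and the attribute element are constructed sample data, and the function names are hypothetical.

```python
import re
import struct

# Anything outside the XML 1.0 "Char" production is rejected by a conforming
# parser, even inside an AttributeValue. Surrogates fall outside it too.
ILLEGAL_XML = re.compile(
    r"[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def find_illegal_xml_chars(xml_bytes):
    """Return (line, column, codepoint) for every character XML 1.0 forbids."""
    # surrogateescape maps undecodable bytes to U+DC80..U+DCFF, which the
    # pattern also flags, so raw binary is reported rather than hidden.
    text = xml_bytes.decode("utf-8", errors="surrogateescape")
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for match in ILLEGAL_XML.finditer(line):
            hits.append((lineno, match.start() + 1, ord(match.group())))
    return hits


def sid_to_string(raw):
    """Render a binary Active Directory SID in its textual S-1-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("not a well-formed binary SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])


# Constructed sample data: a made-up SID and a minimal attribute element.
SAMPLE_SID = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)
PREFIX = b'<saml:Attribute Name="objectSid">\n<saml:AttributeValue>'
SUFFIX = b"</saml:AttributeValue></saml:Attribute>\n"

if __name__ == "__main__":
    broken = PREFIX + SAMPLE_SID + SUFFIX
    for line, col, cp in find_illegal_xml_chars(broken):
        print("line %d, column %d: invalid character 0x%x" % (line, col, cp))
    fixed = PREFIX + sid_to_string(SAMPLE_SID).encode("ascii") + SUFFIX
    print(sid_to_string(SAMPLE_SID), "->", find_illegal_xml_chars(fixed))
```

Running the check against the IdP's output before it is posted to the SP catches the problem at the source instead of at the ACS endpoint.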