xmltooling::XMLParserException - Testshib.org & SimpleSAMLphp SAML IdP

James McClune mcclunej at norwalktruckers.net
Mon May 22 13:46:17 EDT 2017


Thanks Brent.

- Jimmy

On Mon, May 22, 2017 at 12:47 PM, Brent Putman <putmanb at georgetown.edu> 
wrote:
> 
> 
> On 5/22/17 10:05 AM, James McClune wrote:
>> 
>> xmltooling::XMLParserException
>> xmltooling::XMLParserException at 
>> (https://sp.testshib.org/Shibboleth.sso/SAML2/POST) XML error(s) 
>> during parsing, check log for specifics
> 
> That's the Shib SP telling you there is a fundamental XML parsing 
> error on the POST of the Response+Assertion to the SP's assertion 
> consumer service (ACS) endpoint.  The real info is at the end:
> 
>> 2017-05-22 09:42:10 ERROR XMLTooling.ParserPool [1440]: fatal error 
>> on line 9, column 6612, message: invalid character 0x1
> 
> That's exactly where the invalid XML is, specifically an invalid 
> character.  If you actually pull that XML into a text editor and find 
> line 9 col 6612 (with some guesstimation to account for formatting 
> differences), you will see that there is some control character there 
> being sent as the value of an attribute:
> 
> <saml:Attribute Name="objectSid"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> xsi:type="xs:string">CONTROL CHAR HERE</saml:AttributeValue></saml:Attribute>
> 
> 
> Depending on what text editor etc. you are using, it may be difficult 
> to see, but in my MacVIM that location shows as a ^E, and 'od' shows 
> the same:
> 
> 0000000    <   s   a   m   l   :   A   t   t   r   i   b   u   t   e
> 0000020    N   a   m   e   =   "   o   b   j   e   c   t   S   i   d   "
> 0000040        N   a   m   e   F   o   r   m   a   t   =   "   u   r   n
> 0000060    :   o   a   s   i   s   :   n   a   m   e   s   :   t   c   :
> 0000100    S   A   M   L   :   2   .   0   :   a   t   t   r   n   a   m
> 0000120    e   -   f   o   r   m   a   t   :   b   a   s   i   c   "   >
> 0000140    <   s   a   m   l   :   A   t   t   r   i   b   u   t   e   V
> 0000160    a   l   u   e       x   s   i   :   t   y   p   e   =   "   x
> 0000200    s   :   s   t   r   i   n   g   "   > 005   <   /   s   a   m
> 0000220    l   :   A   t   t   r   i   b   u   t   e   V   a   l   u   e
> 0000240    >   <   /   s   a   m   l   :   A   t   t   r   i   b   u   t
> 0000260    e   >  \n
> 0000263
> 
> 
> So whatever you are doing in the IdP to produce the objectSid 
> attribute is producing an illegal value, probably something binary.  
> IIRC some of the attribs in AD are binary in nature and require 
> special handling to render them as a SAML attribute.  But you'd have 
> to ask the SimpleSAMLphp people about specifics for their software. 
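
Added example (not part of the original thread, and not code from Shibboleth or SimpleSAMLphp): a Python check that locates characters outside the XML 1.0 Char range by line and column, as the SP's parser error does, and renders a binary SID in its S-1-... string form as one way to give objectSid a legal value. The function names, the match on the saml: prefix and the sample data are assumptions constructed for illustration.

```python
import re
import struct

# Anything outside the XML 1.0 "Char" production is a fatal error for a conforming parser.
ILLEGAL_XML = re.compile(r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")
# Assumption: attributes use the "saml:" prefix, as in the snippet quoted in the thread.
ATTR_NAME = re.compile(r'<saml:Attribute\s+Name="([^"]*)"')


def find_illegal_chars(xml_text):
    """Return (line, column, codepoint, enclosing attribute name) per illegal character."""
    hits = []
    for m in ILLEGAL_XML.finditer(xml_text):
        before = xml_text[:m.start()]
        line = before.count("\n") + 1
        col = m.start() - before.rfind("\n")  # 1-based; rfind gives -1 on the first line
        names = ATTR_NAME.findall(before)
        hits.append((line, col, ord(m.group()), names[-1] if names else None))
    return hits


def sid_to_string(raw):
    """Render a binary Windows SID (the AD objectSid layout) as S-<rev>-<authority>-<subs...>."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit big-endian identifier authority
    subs = struct.unpack("<%dI" % count, raw[8:])  # 32-bit little-endian sub-authorities
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


# Constructed sample: the well-known SID S-1-5-32-544 in binary form, placed in an
# AttributeValue without any encoding (an assumption about how the bad value arises).
RAW_SID = bytes([1, 2]) + (5).to_bytes(6, "big") + struct.pack("<2I", 32, 544)
HEAD = '<saml:AttributeStatement>\n<saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>\n'
VALUE = '<saml:Attribute Name="objectSid"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>\n'
BROKEN = HEAD + VALUE % RAW_SID.decode("latin-1") + "</saml:AttributeStatement>\n"
FIXED = HEAD + VALUE % sid_to_string(RAW_SID) + "</saml:AttributeStatement>\n"

if __name__ == "__main__":
    for line, col, cp, name in find_illegal_chars(BROKEN)[:3]:
        print("line %d, column %d: invalid character 0x%x in %s" % (line, col, cp, name))
    print("fixed value:", sid_to_string(RAW_SID), "illegal chars:", len(find_illegal_chars(FIXED)))
```

Running the check on the IdP's output before it is posted to the SP catches the problem at the source; base64-encoding the raw bytes is another encoding that keeps the value legal XML.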