
Re: Working with PingFederate (Was: Re: zxid and shared/distributed filesystems?)



Hi Sampo,

   During regression testing in my 0.53 upgrade evaluation, I found that a
canonical XML parsing issue is still lurking (present since at least 0.32).

To summarize, this is where an assertion attribute declaration like:
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">

is being malformed in zxid during canonical parsing, like:
   <saml:AttributeValue xsi:xsi:type="xs:string">

This results in errors like:
    zx d Known attribute(xsi:type) tok(15) in wrong context(980)
    ...
    E ssof: Message digest(mxW6dp7M2HaTWriNEnxo1DuKs9A=) mismatch at
sref(#_hs0J54xv2.PB_szD26Un0kdXvP), canon blob(...)
    E ssof: Bad digest. Canon problem? 3

This requires me to disable signature validation in my environment
(ZXID_SIG_FATAL = 0) for my entire CoT to parse assertions from this one
IdP.

To help independently recreate this issue, I've attached a full test
environment:
   - 0ehxHd-XJK_72zcJtiUjW9dkHEI:  IdP metadata
   - saml_assertion.txt:  example assertion with canon parsing issue
   - testme2.pl:  script used to test assertions
   - testme2_zxid_053_log.txt:  result of ./testme2.pl `cat saml_assertion.txt`
   - perl_canon.txt: correct canonical XML & digest calculated in Perl

I've been unable to trace this down--it seems buried pretty deeply in zxid's
custom XML parser.  Perhaps zxid is trying to hard-code an "xsi:" namespace
when it doesn't expect a type declaration (e.g. "Known attribute in wrong
context")?

   Any thoughts?  I'm happy to debug further, with some help.

Thanks,
Eric



On Mon, Aug 31, 2009 at 5:15 AM, Eric Rybski <rybskej@xxxxxxxxx> wrote:

> Sampo,
>
>    Attached is a sample SAMLResponse that is triggering the canon issue.
>  zxid XML canon parser is altering the "xmlns:xsi" attribute during parsing,
> truncating and concatenating it with the xsi:type attribute.  It looks like
> the digest would calculate correctly otherwise.
>
> Let me know if I can provide further information.
>
> Thanks,
> Eric
>
> On Mon, Aug 24, 2009 at 1:30 PM, <sampo@xxxxxxxxxxx> wrote:
>
>> Eric Rybski wrote:
>> > Hi Sampo,
>> >    I've been digging more deeply into the XML digest issue, and it seems
>> > there is one issue on the zxid side.  The "xsi:xsi:type" issue appears to
>> > be injected by zxid, as the original message has types correctly declared
>> > like:
>> >
>> > <saml:AttributeStatement
>> > xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml:Attribute
>> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>> > Name="Email
>> > Address"><saml:AttributeValue *xsi:type="xs:string" xmlns:xsi="
>> > http://www.w3.org/2001/XMLSchema-instance"*>demo@localhost
>> > </saml:AttributeValue></saml:Attribute>
>> > ...
>> > </saml:AttributeStatement>
>> >
>> > The attribute declaration I noted in my last e-mail was extracted from the
>> > zxid blob log line, not the original XML.  Further study revealed that the
>> > original XML was correctly formed.
>> >
>> >    So, when manually correcting this issue in the XML, I now get the
>> > expected base64 digest as declared in the original PingFederate
>> > SAMLResponse. I compared the result using the following perl scripts to
>> > validate the message:
>> >
>> > # calculate digest of canon blob reported in zxid log
>> > perl -MDigest::SHA1 -MMIME::Base64 -e '$s=q{...};
>> > $d=Digest::SHA1::sha1($s);
>> > warn encode_base64($d);'
>> >
>> > # independently calculate digest (XML::CanonicalizeXML uses libxml2 to
>> > calculate  the canonical representation)
>> > perl -MXML::CanonicalizeXML -MDigest::SHA1 -MMIME::Base64 -e '$xpath =
>> > q{<XPath>(//. | //@* | //namespace::*)</XPath>}; $xml=q{...};
>> > $s=XML::CanonicalizeXML::canonicalize( $xml, $xpath, [], 1, 0 );
>> > $d=Digest::SHA1::sha1($s); warn $s; warn encode_base64($d);'
>> >
>> >    From a cursory study, it appears the issue may be related to namespace
>> > parsing in function TXDEC_ELNAME (dec-templ.c).  Perhaps you could provide
>> > some insight here?  I could send a complete SAMLResponse if you wish to
>> > use it for debugging purposes.
>>
>> Please do. That would be very helpful.
>>
>> Cheers,
>> --Sampo
>>
>> > Regards,
>> > Eric
>> >
>> >
>> > On Sun, Aug 23, 2009 at 9:23 PM, Eric Rybski <rybskej@xxxxxxxxx> wrote:
>> >
>> >> Sampo,
>> >> The digest I independently calculated did match ZXID.  So there must be
>> >> something different in the XML they are using to calculate the digest.
>> >> I did see a few XML parsing errors in the zxid log, like:
>> >> t    zxlib.c:836 zx_dec_unknown_attr zx d Known attribute(xsi:type)
>> >> tok(147) in wrong context(292)
>> >> t    zxlib.c:836 zx_dec_unknown_attr zx d Known attribute(xsi:type)
>> >> tok(147) in wrong context(292)
>> >> t    zxlib.c:836 zx_dec_unknown_attr zx d Known attribute(xsi:type)
>> >> tok(147) in wrong context(292)
>> >> t    zxlib.c:836 zx_dec_unknown_attr zx d Known attribute(xsi:type)
>> >> tok(147) in wrong context(292)
>> >>
>> >> These appeared to have been triggered by elements from the test LDAP
>> >> server (serving the SAML IdP), which looked like the following:
>> >> <saml:Attribute Name="Email Address"
>> >> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
>> >> xsi:xsi:type="xs:string">demo@localhost
>> >> </saml:AttributeValue></saml:Attribute>
>> >>
>> >> Note the odd (malformed?) attribute: xsi:xsi:type="xs:string"
>> >>
>> >> I tried using libxml2 to canonicalize the original XML, and got invalid
>> >> attribute and namespace warnings on those attributes.  I've put in a
>> >> support request to Ping for this.
>> >>
>> >> -Eric
>> >>
>> >> On Sun, Aug 23, 2009 at 9:00 AM, <sampo@xxxxxxxxxxx> wrote:
>> >>
>> >>> Eric Rybski wrote:
>> >>> > Sampo,
>> >>> >     1. Below is my current zxid.conf.  I did not change the default value
>> >>> > for WANT_SSO_A7N_SIGNED.
>> >>> >
>> >>> > URL=https://localhost/zxidhlo.pl
>> >>> > NICE_NAME=Test 1
>> >>> > NOSIG_FATAL=0
>> >>> > NAMEID_ENC=0
>> >>> > MD_FETCH=0
>> >>> > MD_POPULATE_CACHE=0
>> >>> >
>> >>> > I dug deeply into PingFederate configuration for my SP endpoint, and found
>> >>> > a Signature Policy property "Always sign the SAML Assertion" which I have
>> >>> > now enabled.  Not sure why it wasn't already enabled when importing my
>> >>> > metadata, but at least now I'm getting a signature.
>> >>> >
>> >>> > Unfortunately, it looks like I'm still not in the clear.  I'm now getting
>> >>> > a digest check error:
>> >>> > t    zxsig.c:222 zxsig_validate   zx E Message
>> >>> > digest(lYrwi9YBLpLU7ZVVyZ2+mIWLka0=) mismatch at
>> >>> > sref(#sVce0k5jDJfLg4He6AoG9b.LXKz), canon blob(...)
>> >>> > t  zxidsso.c:318 zxid_sigres_map   zx E Bad digest. Canon problem? 3
>> >>> >
>> >>> >    Is there a way I can review the zxid calculated digest, for comparison?
>> >>> >  It's not included in the log message.  I've contacted Ping on this issue,
>> >>>
>> >>> The canon blob() has what went into message digest, e.g. sha1. If
>> >>> you can get ping to print to the log what they put into the digest
>> >>> when creating the signature, you can spot the difference.
>> >>>
>> >>> Once the difference in canonicalization is found, we can start
>> >>> arguing about whose canonicalization is correct. Some of the
>> >>> things that typically wreak havoc are convoluted use of XML
>> >>> namespaces and namespace prefixes, failure to include namespaces
>> >>> that are actually used (this is actually easy to check: paste
>> >>> the canon blob to some xml validator and see if it is missing
>> >>> namespaces), and superfluous whitespace, line endings, etc.
>> >>> I recommend simply omitting all whitespace you can as that increases
>> >>> the probability of interoperation significantly.
>> >>>
>> >>> > as I've tried to independently calculate the digest of the canonical XML
>> >>> > in Perl, using the reported blob(...) value, and I also don't match the
>> >>> > PingFederate SAML response digest.  (So I'm assuming this is a PF issue
>> >>> > at the moment.)
>> >>>
>> >>> Did the digest match what ZXID calculated?
>> >>>
>> >>> XML canonicalization is one of the biggest sources of bugs in
>> >>> various XML-DSIG implementations. Unfortunately this affects
>> >>> SAML interoperability in quite a big way.
>> >>>
>> >>> Cheers,
>> >>> --Sampo
>> >>>
>> >>> > 2.  The SSOCircle IdP metadata is available at:
>> >>> > http://idp.ssocircle.com/idp-meta.xml
>> >>> >
>> >>> > Regards,
>> >>> > Eric
>> >>> >
>> >>> > On Sat, Aug 22, 2009 at 9:07 AM, <sampo@xxxxxxxxxxx> wrote:
>> >>> >
>> >>> >> Eric Rybski wrote:
>> >>> >> >    I'm having an issue getting digital signature validation
>> >>> >> > working with a PingFederate IdP instance.  The PF IdP metadata (cached
>> >>> >> > in my cot/) includes a certificate, the POST SAMLResponse contains a
>> >>> >> > signature, and I have the IdP CA cert in my /var/zxid/pem/ca.pem. But I
>> >>> >> > keep getting errors like:
>> >>> >> >
>> >>> >> > t  zxidsso.c:559 zxid_sp_sso_finalize zx E SSO warn: assertion not signed.
>> >>> >> > Sigval((null)) (nil)
>> >>> >>
>> >>> >> Checked your attachments. The assertion really is not signed.
>> >>> >>
>> >>> >> The SAML spec is unambiguous: if in metadata
>> >>> >> SPSSODescriptor/@WantAssertionsSigned is true, then
>> >>> >> the IdP MUST sign the Assertion.
>> >>> >>
>> >>> >> I ship ZXID with WANT_SSO_A7N_SIGNED=1, so unless you have changed
>> >>> >> this setting, it would appear that PingFederate is not honouring
>> >>> >> this part of the metadata.
>> >>> >>
>> >>> >> Please check this.
>> >>> >>
>> >>> >> > I've currently worked around this by setting "NOSIG_FATAL=0" in the
>> >>> >> > zxid.conf, but this isn't a long-term solution.
>> >>> >>
>> >>> >> > Overall, other than the above mentioned issues, the library is
>> >>> >> > working OK so far with a PingFederate IdP and perfectly with
>> >>> >> > ssocircle.com.
>> >>> >>
>> >>> >> I once had a thread about shipping the ssocircle IdP metadata
>> >>> >> with ZXID, but somehow it never happened. Can you share
>> >>> >> the ssocircle metadata with me (or the list)?
>> >>> >>
>> >>> >> Cheers,
>> >>> >> --Sampo
>> >>> >>
>> >>> >> > Thanks,
>> >>> >> > Eric
$ perl -MXML::CanonicalizeXML -MDigest::SHA1 -MMIME::Base64 -e '$xpath = q{<XPath>(//. | //@* | //namespace::*)</XPath>}; $xml=q{<saml:Assertion Version="2.0" IssueInstant="2009-10-14T15:40:32.656Z" ID="_hs0J54xv2.PB_szD26Un0kdXvP" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>LR-SAML20-PRE</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">saml.user@xxxxxxxxx</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2009-10-14T15:45:32.656Z" Recipient="https://localhost/saml.pl?o=P"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotOnOrAfter="2009-10-14T15:45:32.656Z" NotBefore="2009-10-14T15:35:32.656Z"><saml:AudienceRestriction><saml:Audience>https://localhost/saml.pl?o=B</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2009-10-14T15:40:32.656Z" SessionIndex="_hs0J54xv2.PB_szD26Un0kdXvP"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="account_nickname"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">rsi_test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>}; $s=XML::CanonicalizeXML::canonicalize( $xml, $xpath, [], 1, 0 ); $d=Digest::SHA1::sha1($s); warn $s; warn encode_base64($d);'

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_hs0J54xv2.PB_szD26Un0kdXvP" IssueInstant="2009-10-14T15:40:32.656Z" Version="2.0"><saml:Issuer>LR-SAML20-PRE</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">saml.user@xxxxxxxxx</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2009-10-14T15:45:32.656Z" Recipient="https://localhost/saml.pl?o=P"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2009-10-14T15:35:32.656Z" NotOnOrAfter="2009-10-14T15:45:32.656Z"><saml:AudienceRestriction><saml:Audience>https://localhost/saml.pl?o=B</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2009-10-14T15:40:32.656Z" SessionIndex="_hs0J54xv2.PB_szD26Un0kdXvP"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="account_nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">rsi_test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion> at -e line 1.

mxW6dp7M2HaTWriNEnxo1DuKs9A=

[demime 1.01d removed an attachment of type application/octet-stream which had a name of 0ehxHd-XJK_72zcJtiUjW9dkHEI]
$ perl testme2.pl SAMLResponse=...
t zxidsimp.c:1466 zxid_simple_cf_ses 	zx d QUERY_STRING(SAMLResponse=...) 0.53
t    zxlog.c:423 zxlog            	zx d LOG(20100505-153344.568 19700101-000000.501 -:- - - - - 	zx N W REDIRDEC - sid() len=3498)
t    zxlib.c:858 zx_dec_unknown_attr 	zx d Known attribute(xsi:type) tok(15) in wrong context(980)
t  zxiddec.c:136 zxid_decode_redir_or_post 	zx d Redirect or POST was not signed at binding level 0
t    zxlog.c:595 zxlog_dup_check  	zx E Duplicate Redirect or POST assertion (unsigned) path(/opt/saml/var/zxid/log/rely/0ehxHd-XJK_72zcJtiUjW9dkHEI/wir/y_RrJFirUBRuYZDbkbtJnrY9mX0)
t    zxlog.c:423 zxlog            	zx d LOG(20100505-153344.570 19700101-000000.501 -:- - - - - 	zx N C EDUP /opt/saml/var/zxid/log/rely/0ehxHd-XJK_72zcJtiUjW9dkHEI/wir/y_RrJFirUBRuYZDbkbtJnrY9mX0 Redirect or POST assertion (unsigned))
t    zxlog.c:642 zxlog_blob       	zx d lk(dec_redir_post nosig): LOGBLOB15(<samlp:Response) len=2605 path(/opt/saml/var/zxid/log/rely/0ehxHd-XJK_72zcJtiUjW9dkHEI/wir/y_RrJFirUBRuYZDbkbtJnrY9mX0)
t  zxidlib.c:551 zxid_saml_ok     	zx d SAML ok what(SAMLresp)
t    zxlog.c:423 zxlog            	zx d LOG(20100505-153344.570 19700101-000000.501 -:- - - - - 	zx N K SAMLOK SAMLresp -)
t  zxidlib.c:685 zxid_chk_sig     	zx d No signature in Response
t  zxidsso.c:565 zxid_sp_sso_finalize 	zx d ssof: SSOA7N received. NID(saml.user@xxxxxxxxx) FMT(1) SESIX(_hs0J54xv2.PB_szD26Un0kdXvP)
t zxidmeta.c:315 zxid_get_ent_ss  	zx d ssof: eid(LR-SAML20-PRE) path(/opt/saml/var/zxid/) cf->magic=900dc07f, md_cache_first(1), cot((nil))
t zxidmeta.c:250 zxid_get_ent_from_file 	zx d ssof: GOT META sha1_name(0ehxHd-XJK_72zcJtiUjW9dkHEI) eid(LR-SAML20-PRE)
t zxidmeta.c:157 zxid_parse_meta  	zx E ssof: Bad metadata. EntityDescriptor could not be found or was corrupt. MD(
) 0 chars parsed.
t    zxlog.c:423 zxlog            	zx d ssof: LOG(20100505-153344.571 19700101-000000.501 -:- - - - - 	zx N B BADMD - chars_parsed(0))
t zxidmeta.c:243 zxid_get_ent_from_file 	zx E ssof: ***** Parsing metadata failed for sha1_name(0ehxHd-XJK_72zcJtiUjW9dkHEI)
t zxidmeta.c:293 zxid_get_ent_from_cache 	zx d ssof: GOT FROM MEM eid(LR-SAML20-PRE)
t    zxsig.c:231 zxsig_validate   	zx E ssof: Message digest(mxW6dp7M2HaTWriNEnxo1DuKs9A=) mismatch at sref(#_hs0J54xv2.PB_szD26Un0kdXvP), canon blob(<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_hs0J54xv2.PB_szD26Un0kdXvP" IssueInstant="2009-10-14T15:40:32.656Z" Version="2.0"><saml:Issuer>LR-SAML20-PRE</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">saml.user@xxxxxxxxx</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2009-10-14T15:45:32.656Z" Recipient="https://localhost/saml.pl?o=P"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2009-10-14T15:35:32.656Z" NotOnOrAfter="2009-10-14T15:45:32.656Z"><saml:AudienceRestriction><saml:Audience>https://localhost/saml.pl?o=B</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2009-10-14T15:40:32.656Z" SessionIndex="_hs0J54xv2.PB_szD26Un0kdXvP"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="account_nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:xsi:type="xs:string">rsi_test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>)
t  zxidsso.c:343 zxid_sigres_map  	zx E ssof: Bad digest. Canon problem? 3
t zxidmeta.c:837 zxid_my_entity_id 	zx d ssof: my_entity_id url(https://localhost/saml.pl)
t zxidmeta.c:837 zxid_my_entity_id 	zx d ssof: my_entity_id url(https://localhost/saml.pl)
t  zxidsso.c:419 zxid_validate_cond 	zx d ssof: Found audience. 0
t  zxidsso.c:442 zxid_validate_cond 	zx E ssof: NotOnOrAfter rejected with slop of 3660. Time to expiry -17520492 secs
t  zxidsso.c:482 zxid_validate_cond 	zx d ssof: NotBefore ok. Time from validity 17521092 secs
t    zxlog.c:595 zxlog_dup_check  	zx E ssof: Duplicate SSO assertion path(/opt/saml/var/zxid/log/rely/0ehxHd-XJK_72zcJtiUjW9dkHEI/a7n/kD8xQ3bdbCBYCewT_ItShPqD7dQ)
t    zxlog.c:423 zxlog            	zx d ssof: LOG(20100505-153344.573 19700101-000000.501 -:- - - - - 	zx N C EDUP /opt/saml/var/zxid/log/rely/0ehxHd-XJK_72zcJtiUjW9dkHEI/a7n/kD8xQ3bdbCBYCewT_ItShPqD7dQ SSO assertion)
t    zxlog.c:642 zxlog_blob       	zx d ssof: lk(sp_sso_finalize): LOGBLOB15(<saml:Assertion) len=1334 path(/opt/saml/var/zxid/log/rely/0ehxHd-XJK_72zcJtiUjW9dkHEI/a7n/kD8xQ3bdbCBYCewT_ItShPqD7dQ)
t  zxidses.c:269 zxid_put_ses     	zx d ssof: SESSION CREATED sid(SlI02Efb-914gWZfWnF7lbppC)
t  zxidepr.c:197 zxid_snarf_eprs  	zx d ssof: snarf_eprs: TOTAL wsf20 EPRs snarfed: 0
t    zxlog.c:423 zxlog            	zx d ssof: LOG(20100505-153344.570 20091014-204032.501 -:- 0ehxHd-XJK_72zcJtiUjW9dkHEI - _hs0J54xv2.PB_szD26Un0kdXvP saml.user@xxxxxxxxx 	zx V K NEWSES SlI02Efb-914gWZfWnF7lbppC sesix(_hs0J54xv2.PB_szD26Un0kdXvP))
t    zxlog.c:423 zxlog            	zx d ssof: LOG(20100505-153344.570 20091014-204032.501 -:- 0ehxHd-XJK_72zcJtiUjW9dkHEI - _hs0J54xv2.PB_szD26Un0kdXvP saml.user@xxxxxxxxx 	zx V K FEDSSO _hs0J54xv2.PB_szD26Un0kdXvP -)
t  zxidspx.c:110 zxid_sp_dispatch 	zx d ret=3
t zxidsimp.c:1308 zxid_simple_no_ses_cf 	zx d POST dispatch_loc(O)
t zxidsimp.c:1290 zxid_simple_no_ses_cf 	zx d show_protected_content_setcookie: (ssid)
t zxidpool.c:546 zxid_ses_to_pool 	zx d ab_pep: ses_to_pool: adding a7n 0x818f458 to pool
t zxidpool.c:468 zxid_add_at_values 	zx d ab_pep: ses_to_pool: Adding value: 0x81f34c0
t zxidpool.c:477 zxid_add_at_values 	zx d ab_pep: ses_to_pool: copy val(rsi_test)
t zxidmeta.c:837 zxid_my_entity_id 	zx d ab_pep: ses_to_pool: my_entity_id url(https://localhost/saml.pl)
t zxidpool.c:574 zxid_ses_to_pool 	zx d ab_pep: ses_to_pool: RelayState()
t zxidsimp.c:617 zxid_localpdp    	zx d ab_pep: Permit by local PDP 1
t    zxlog.c:423 zxlog            	zx d ab_pep: LOG(20100505-153344.589 19700101-000000.501 -:- - - - saml.user@xxxxxxxxx 	zx N K SHOWPC SlI02Efb-914gWZfWnF7lbppC -)

[demime 1.01d removed an attachment of type application/octet-stream which had a name of testme2.pl]
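
Added example (not part of the original messages, and not zxid or PingFederate code): the triage described in this thread, namely hashing the logged canon blob, checking it for unbound namespace prefixes, and locating the first character where it departs from an independently canonicalized reference. It is written in Python rather than the thread's Perl; the function names and the short assertion are constructed for illustration, and only the shape of the zxsig_validate log line is taken from the log above.

```python
import base64
import hashlib
import re
import xml.parsers.expat

# Shape of the zxsig_validate error line shown in the log above.
MISMATCH_RE = re.compile(
    r"Message digest\((?P<declared>[^)]+)\) mismatch at "
    r"sref\((?P<sref>[^)]+)\), canon blob\((?P<blob>.*)\)\s*$",
    re.DOTALL,
)


def sha1_b64(text):
    """Base64 of the SHA-1 digest, as the thread's Perl one-liners print it."""
    return base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode("ascii")


def namespace_error(blob):
    """Namespace-aware parse of the blob; returns the parser error or None."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    try:
        parser.Parse(blob, True)
    except xml.parsers.expat.ExpatError as exc:
        return str(exc)
    return None


def first_difference(reference, blob, context=30):
    """(offset, reference_slice, blob_slice) at the first mismatch, or None."""
    if reference == blob:
        return None
    limit = min(len(reference), len(blob))
    off = next((i for i in range(limit) if reference[i] != blob[i]), limit)
    return off, reference[off:off + context], blob[off:off + context]


def triage(log_line, reference_canon):
    """Explain a digest mismatch from one log line and a reference c14n form."""
    m = MISMATCH_RE.search(log_line)
    if m is None:
        raise ValueError("not a digest-mismatch log line")
    blob = m.group("blob")
    return {
        "sref": m.group("sref"),
        "declared": m.group("declared"),            # DigestValue from the IdP
        "blob_digest": sha1_b64(blob),              # what the SP actually hashed
        "reference_digest": sha1_b64(reference_canon),
        "blob_xml_error": namespace_error(blob),    # e.g. an unbound prefix
        "first_difference": first_difference(reference_canon, blob),
    }


# Constructed sample data (a shortened assertion, not the one from this thread).
REFERENCE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed1"><saml:AttributeStatement>'
    '<saml:Attribute Name="account_nickname">'
    '<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:type="xs:string">rsi_test</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)
# The damage reported in the thread: the xmlns:xsi declaration is lost and the
# prefix is doubled on the xsi:type attribute.
ZXID_BLOB = REFERENCE.replace(
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type=',
    " xsi:xsi:type=",
)
LOG_LINE = (
    "t    zxsig.c:231 zxsig_validate   \tzx E ssof: Message digest("
    + sha1_b64(REFERENCE)
    + ") mismatch at sref(#_constructed1), canon blob("
    + ZXID_BLOB
    + ")"
)

if __name__ == "__main__":
    for key, value in triage(LOG_LINE, REFERENCE).items():
        print(f"{key}: {value}")
```

In practice the reference string would come from an independent exclusive-c14n implementation, such as the libxml2-backed XML::CanonicalizeXML call used in the thread.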