
Metadata parse problem BADMD - chars_parsed(0)



Hi,
I am having trouble connecting to a simpleSAMLphp IdP. I am using zxid 1.11 and Net::SAML perl module.

In /var/zxid/log/err, the following two lines appear for a login attempt, and no session is generated:


PP - 20130422-124034.030 19700101-000000.501 129.177.118.128:- - - - - 	zx N W ANREDIR https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -
PP - 20130422-124034.539 19700101-000000.501 129.177.118.128:- - - - - 	zx N B BADMD - chars_parsed(0)

In the server log I get the following related error:
zxid_parse_meta  \tzx E Bad metadata. EntityDescriptor could not be found or was corrupt. 

I have checked the metadata with zxcot:
opendir for /var/zxid/cot (or other if configured) for loading cot cache: Not a directory
0bREBGSuS9l2hIxo9zR3NmITzoQ https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -

The server uses a self-signed certificate (CA imported such that the metadata can be fetched with curl without error). Funnily, I have this running in
an almost identical setup on another machine but without SSL. Could you guide me to what could be causing this?

Thank you very much. 
Kind regards

Michael Dondrup
Postdoctoral fellow
Sea Lice Research Centre/Department of Informatics
University of Bergen
Thormøhlensgate 55, N-5008 Bergen,
Norway


my test script:
#!/usr/bin/perl

use strict;
use warnings;
#use local::lib qw(/export/home/licebase/perl5);
use CGI::Fast qw(:standard);
use CGI::Carp;
use Data::Dumper;
use URI::Escape;
use Net::SAML;

$| = 1;
while (my $q = CGI::Fast->new) {

  print STDERR "hello, this is zxtest.cgi\n";

  # Flush pipes, read all in at once
  print STDERR "Net::SAML version: " . Net::SAML::version_str() . "\n";
  my $url = "https://lb-test.bccs.uib.no/fgb2/zxtest.cgi";  # Edit to match your situation
  my $idp = "http://localhost:8888/simplesaml/saml2/idp/metadata.php";
  my $conf = "URL=$url&";
  my $cf = Net::SAML::new_conf_to_cf($conf);
  #Net::SAML::init_conf($cf,"/var/zxid/");
  #Net::SAML::url_set($cf, $url);
  Net::SAML::set_opt($cf, 1 ,1); 

  print STDERR "loaded config\n";

  print STDERR Dumper ($cf);
  my $qs = $ENV{'QUERY_STRING'};
  print STDERR "QUERY_STRING: '$qs'\n";
  carp "undef Query string" unless $qs;
  my $ruri = self_url();
  $qs = <STDIN> if $qs =~ /o=P/;
  if ($qs =~ /o=P/) {
    print STDERR "Query string read from STDIN and it is '$qs'\n";
  }     		 
  my $samlart = defined param("SAMLart") ? uri_escape(param("SAMLart")) : "<empty>";
  print STDERR "SAMLart:=======================".$samlart;
#$qs .= "&e=l0$idp&l0=TRUE";
  print STDERR "QS: $qs\n";
#$qs = undef if $ruri =~ /$samlart/;
#print STDERR $ruri," ",$samlart, "\n";
  my $res = Net::SAML::simple_cf($cf, -1, $qs, undef, 0x1828); # keep the flags 0x1828 !!! 
  print STDERR "RESULT: $res\n";
  my $op = substr($res, 0, 1);
  print STDERR "OP: $op\n";

if ($op eq 'L' || $op eq 'C') { print $res."\r\r"; exit } # LOCATION (Redir) or CONTENT
if ($op eq 'n') { print header()."received N!"; exit; } # already handled
if ($op eq 'e') { my_render_idpsel_screen(); exit; } # not logged in
if ($op ne 'd') { die "Unknown Net::SAML::simple() res($res)"; }
# $op == d means logged in
my ($sid) = $res =~ /^sesid: (.*)$/m;  # Extract a useful attribute from SSO output
print header();
my $resE = escapeHTML($res);

print <<HTML

   <title>ZXID perl HLO SP Mgmt &amp; Protected Content</title>
   <body bgcolor="white"><font face="sans">

   <h1>ZXID SP Perl HLO Management &amp; Protected Content (user logged in, session active)</h1>
 sessionid: $sid

HTML
   ;
print Net::SAML::fed_mgmt_cf($cf, undef, -1, $sid, 0x1900);

print <<HTML
<pre>
$resE
</pre>
HTML
   ;


exit;

sub my_render_idpsel_screen {  # Replaces traditional login screen

   print header();

print <<HTML;	
	<title>ZXID SP PERL HLO SSO IdP Selection</title>
	<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
	<link type="text/css" rel=stylesheet href="idpsel.css">
	<body bgcolor="white"><font face="sans">
	<h1>ZXID SP Perl HLO Federated SSO IdP Selection (user NOT logged in, no session.)</h1>
	<form method=get action="zxtest.cgi">
	
	<h3>Login Using New IdP</h3>
	
	<i>A new IdP is one whose metadata we do not have yet. We need to know
	the Entity ID in order to fetch the metadata using the well known
	location method. You will need to ask the adminstrator of the IdP to
	tell you what the EntityID is.</i>
	
	<p>IdP URL <input name=e size=60><input type=submit name=l2 value=" Login ">
HTML
	;
   print Net::SAML::idp_list_cf($cf, undef, 0);   # Get the IdP selection form
   print <<HTML;
   <h3>CoT configuration parameters your IdP may need to know</h3>
	
	Entity ID of this SP: <a href="$url?o=B">$url?o=B</a> (Click on the link to fetch SP metadata.)
	
	<input type=hidden name=fc value=1><input type=hidden name=fn value=prstnt>
	<input type=hidden name=fq value=""><input type=hidden name=fy value="">
	<input type=hidden name=fa value=""><input type=hidden name=fm value="">
	<input type=hidden name=fp value=0><input type=hidden name=ff value=0>
	
	</form><hr><a href="http://zxid.org/">zxid.org</a>
HTML
	;
}
}
__END__


[part of the debug output]
[Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] t2b6d08a85770 zxidmeta.c:210 zxid_parse_meta  \tzx E Bad metadata. EntityDescriptor could not be found or was corrupt. MD(\r, referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D
[Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] ) 0 chars parsed., referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D
[Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] t2b6d08a85770 zxidmeta.c:292 zxid_get_ent_file \tzx E ***** Parsing metadata failed for sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8), referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D








<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
   </md:KeyDescriptor>
   <md:KeyDescriptor use="encryption">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>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</ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
   </md:KeyDescriptor>
   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SingleLogoutService.php"/>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php"/>
 </md:IDPSSODescriptor>
 <md:ContactPerson contactType="technical">
   <md:SurName>Administrator</md:SurName>
   <md:EmailAddress>trouble@xxxxxxxxxxx</md:EmailAddress>
 </md:ContactPerson>
</md:EntityDescriptor>
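An added check for the metadata document itself (example code written for this thread; it is not from the original post, from ZXID or from Net::SAML). It embeds the IdP metadata quoted above as constructed sample input (the mail archive's stray semicolons after URLs removed, the elided encryption certificate left out) and reports what a relying party should look at before trusting an IdP: that the root element is md:EntityDescriptor (the element ZXID says it cannot find), that entityID equals the URL the document was fetched from, that the endpoints are HTTPS, and the validity window of the signing certificate, decoded with a small DER walker so that no third-party library is needed. The function names, the report layout and the IDP_URL constant are this example's own assumptions.

```python
"""Sanity-check SAML 2.0 IdP metadata before a relying party trusts it.

Added example for this thread, not code from the original post, ZXID or
Net::SAML.  It first asks what ZXID's BADMD error is about (is the root
element md:EntityDescriptor at all?), then checks what zxcot does not show:
entityID vs. fetch URL, endpoint transport, and the signing certificate's
validity window.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# URL the posted metadata was fetched from (well-known location = entityID).
IDP_URL = "https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php"

# Constructed sample input: the IdP metadata quoted in the post, with the mail archive's
# stray semicolons after URLs removed and the elided encryption KeyDescriptor left out.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing">
     <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
   </md:KeyDescriptor>
   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SingleLogoutService.php"/>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def cert_validity(der):
    """Return (notBefore, notAfter) datetimes from a DER-encoded X.509 certificate."""
    _, pos, _, _ = _der_tlv(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _, _ = _der_tlv(der, pos)        # TBSCertificate ::= SEQUENCE { ... }
    tag, _, _, nxt = _der_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version (absent in v1 certs)
        pos = nxt
    for _ in range(3):                       # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, _, pos = _der_tlv(der, pos)
    _, pos, _, _ = _der_tlv(der, pos)        # Validity ::= SEQUENCE { notBefore, notAfter }
    times = []
    for _ in range(2):
        tag, start, end, pos = _der_tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime or GeneralizedTime
        times.append(dt.datetime.strptime(der[start:end].decode("ascii"), fmt))
    return times[0], times[1]


def check_metadata(xml_text, fetched_from, now_iso):
    """Return a report dict; 'problems' lists reasons a relying party should refuse the metadata."""
    now = dt.datetime.fromisoformat(now_iso)
    report = {"entity_id": None, "endpoints": {}, "validity": None, "problems": []}
    problems = report["problems"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:             # an empty fetch or an HTML error page lands here
        problems.append(f"not well-formed XML: {exc}")
        return report
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        problems.append(f"root element is {root.tag}, not md:EntityDescriptor")
        return report
    report["entity_id"] = root.get("entityID")
    if report["entity_id"] != fetched_from:  # well-known-location rule: entityID is the fetch URL
        problems.append(f"entityID {report['entity_id']} differs from fetch URL {fetched_from}")
    for svc in ("SingleSignOnService", "SingleLogoutService"):
        for el in root.iter(f"{{{MD_NS}}}{svc}"):
            loc = el.get("Location", "")
            report["endpoints"][svc] = (el.get("Binding"), loc)
            if not loc.startswith("https://"):
                problems.append(f"{svc} endpoint is not HTTPS: {loc}")
    cert_el = None
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":   # a KeyDescriptor without 'use' serves both
            cert_el = kd.find(f".//{{{DS_NS}}}X509Certificate")
            break
    if cert_el is None or not (cert_el.text or "").strip():
        problems.append("no signing certificate in metadata")
        return report
    not_before, not_after = cert_validity(base64.b64decode("".join(cert_el.text.split())))
    report["validity"] = (not_before.isoformat(), not_after.isoformat())
    if not not_before <= now <= not_after:
        problems.append(f"signing certificate not valid on {now:%Y-%m-%d} "
                        f"(valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d})")
    return report


if __name__ == "__main__":
    # 2013-04-22 is the date of the log lines in the post.
    for key, value in check_metadata(SAMPLE_METADATA, IDP_URL, "2013-04-22").items():
        print(f"{key}: {value}")
```

Run against the posted metadata with the log date 2013-04-22, the check reports a single problem: the signing certificate embedded in the metadata is valid only from 2007-06-15 to 2007-08-14, so a relying party should not accept assertions signed with it. The script does not verify an XML signature over the metadata because the posted document carries none; with unsigned metadata fetched from the well-known location, the HTTPS channel is the only thing authenticating the IdP's keys and endpoints, which is why the self-signed certificate question raised in the post matters for more than just getting the fetch to succeed.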