
Re: Metadata parse problem BADMD - chars_parsed(0)



I've only just started using ZXID but I'll see if I can help. What's
unclear to me is where the error is occurring. From the debug output it's
not able to find the entity descriptor but the referrer is the SAML
request. Does this mean the IDP already authenticated you? Is it having
problems parsing the entity ID from the SAML response?


On Mon, Apr 22, 2013 at 8:26 AM, Michael Dondrup
<michael.dondrup@xxxxxx> wrote:

> Hi,
> I am having trouble connecting to a simpleSAMLphp IdP. I am using zxid
> 1.11 and the Net::SAML Perl module.
>
> In /var/zxid/log/err, the following two lines appear for a login attempt,
> and no session is generated:
>
>
> PP - 20130422-124034.030 19700101-000000.501 129.177.118.128:- - - - -
>  zx N W ANREDIR
> https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -
> PP - 20130422-124034.539 19700101-000000.501 129.177.118.128:- - - - -
>  zx N B BADMD - chars_parsed(0)
>
> In the server log I get the following related error:
> zxid_parse_meta  \tzx E Bad metadata. EntityDescriptor could not be found
> or was corrupt.
>
> I have checked the metadata with zxcot:
> opendir for /var/zxid/cot (or other if configured) for loading cot cache:
> Not a directory
> 0bREBGSuS9l2hIxo9zR3NmITzoQ
> https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -
>
> The server uses a self-signed certificate (CA imported such that the
> metadata can be fetched with curl without error). Funnily, I have this
> running in an almost identical setup on another machine but without SSL.
> Could you guide me to what could be causing this?
>
> Thank you very much.
> Kind regards
>
> Michael Dondrup
> Postdoctoral fellow
> Sea Lice Research Centre/Department of Informatics
> University of Bergen
> Thormøhlensgate 55, N-5008 Bergen,
> Norway
>
>
> my test script:
> #!/usr/bin/perl
>
> use strict;
> use warnings;
> #use local::lib qw(/export/home/licebase/perl5);
> use CGI::Fast qw(:standard);
> use CGI::Carp;
> use Data::Dumper;
> use URI::Escape;
> use Net::SAML;
>
> $| = 1;
> while (my $q = CGI::Fast->new) {
>
>   print STDERR "hello, this is zxtest.cgi\n";
>
>   # Flush pipes, read all in at once
>   print STDERR "Net::SAML version: ". Net::SAML::version_str;
>   my $url = "https://lb-test.bccs.uib.no/fgb2/zxtest.cgi";  # Edit to match your situation
>   my $idp = "http://localhost:8888/simplesaml/saml2/idp/metadata.php";
>   my $conf = "URL=$url&";
>   my $cf = Net::SAML::new_conf_to_cf($conf);
>   #Net::SAML::init_conf($cf,"/var/zxid/");
>   #Net::SAML::url_set($cf, $url);
>   Net::SAML::set_opt($cf, 1 ,1);
>
>   print STDERR "loaded config\n";
>
>   print STDERR Dumper ($cf);
>   my $qs = $ENV{'QUERY_STRING'};
>   $qs = '' unless defined $qs;   # avoid "uninitialized" warnings in the matches below
>   print STDERR "QUERY_STRING: '$qs'\n";
>   carp "undef Query string" unless $qs;
>   my $ruri = self_url();
>   $qs = <STDIN> if $qs =~ /o=P/;  # o=P: the SAML response arrives by POST, read the body
>   if ($qs =~ /o=P/) {
>     print STDERR "Query string read from STDIN and it is '$qs'\n";
>   }
>   my $samlart = uri_escape( param("SAMLart") ) || "<empty>";
>   print STDERR "SAMLart:=======================".$samlart;
>   #$qs .= "&e=l0$idp&l0=TRUE";
>   print STDERR "QS: $qs\n";
>   #$qs = undef if $ruri =~ /$samlart/;
>   #print STDERR $ruri," ",$samlart, "\n";
>   my $res = Net::SAML::simple_cf($cf, -1, $qs, undef, 0x1828); # keep the flags 0x1828 !!!
>   print STDERR "RESULT: $res\n";
>   my $op = substr($res, 0, 1);
>   print STDERR "OP: $op\n";
>
>   # 'next', not 'exit': exiting here would kill the FastCGI worker after one request
>   if ($op eq 'L' || $op eq 'C') { print $res."\r\r"; next; } # LOCATION (Redir) or CONTENT
>   if ($op eq 'n') { print header()."received N!"; next; }    # already handled
>   if ($op eq 'e') { my_render_idpsel_screen(); next; }       # not logged in
>   if ($op ne 'd') { die "Unknown Net::SAML::simple() res($res)"; }
>   # $op eq 'd' means logged in
>   my ($sid) = $res =~ /^sesid: (.*)$/m;  # Extract a useful attribute from SSO output
>   print header();
>   my $resE = escapeHTML($res);
>
>   print <<HTML;
>
>    <title>ZXID perl HLO SP Mgmt & Protected Content</title>
>    <body bgcolor="white"><font face="sans">
>
>    <h1>ZXID SP Perl HLO Management & Protected Content (user logged in, session active)</h1>
>  sessionid: $sid
>
> HTML
>   print Net::SAML::fed_mgmt_cf($cf, undef, -1, $sid, 0x1900);
>
>   print <<HTML;
> <pre>
> $resE
> </pre>
> HTML
>
>   sub my_render_idpsel_screen {  # Replaces traditional login screen
>
>     print header();
>
>     print <<HTML;
>         <title>ZXID SP PERL HLO SSO IdP Selection</title>
>         <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
>         <link type="text/css" rel=stylesheet href="idpsel.css">
>         <body bgcolor="white"><font face="sans">
>         <h1>ZXID SP Perl HLO Federated SSO IdP Selection (user NOT logged in, no session.)</h1>
>         <form method=get action="zxtest.cgi">
>
>         <h3>Login Using New IdP</h3>
>
>         <i>A new IdP is one whose metadata we do not have yet. We need to know
>         the Entity ID in order to fetch the metadata using the well known
>         location method. You will need to ask the administrator of the IdP to
>         tell you what the EntityID is.</i>
>
>         <p>IdP URL <input name=e size=60><input type=submit name=l2 value=" Login ">
> HTML
>     print Net::SAML::idp_list_cf($cf, undef, 0);   # Get the IdP selection form
>     print <<HTML;
>    <h3>CoT configuration parameters your IdP may need to know</h3>
>
>         Entity ID of this SP: <a href="$url?o=B">$url?o=B</a> (Click on the link to fetch SP metadata.)
>
>         <input type=hidden name=fc value=1><input type=hidden name=fn value=prstnt>
>         <input type=hidden name=fq value=""><input type=hidden name=fy value="">
>         <input type=hidden name=fa value=""><input type=hidden name=fm value="">
>         <input type=hidden name=fp value=0><input type=hidden name=ff value=0>
>
>         </form><hr><a href="http://zxid.org/">zxid.org</a>
> HTML
>   }
> }
> __END__
>
>
> [part of the debug output]
> [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] t2b6d08a85770 zxidmeta.c:210 zxid_parse_meta  \tzx E Bad metadata. EntityDescriptor could not be found or was corrupt. MD(\r, referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D
> [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] ) 0 chars parsed., referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D
> [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] t2b6d08a85770 zxidmeta.c:292 zxid_get_ent_file \tzx E ***** Parsing metadata failed for sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8), referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">
>   <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:KeyDescriptor use="signing">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </md:KeyDescriptor>
>     <md:KeyDescriptor use="encryption">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </md:KeyDescriptor>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SingleLogoutService.php"/>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php"/>
>   </md:IDPSSODescriptor>
>   <md:ContactPerson contactType="technical">
>     <md:SurName>Administrator</md:SurName>
>     <md:EmailAddress>trouble@xxxxxxxxxxx</md:EmailAddress>
>   </md:ContactPerson>
> </md:EntityDescriptor>
>
>


--

___________________________________
IDMWORKS
Aaron Anderson
Calgary, AB, Canada

Office: 888-687-0436
Cell: 403-701-2846
www.idmworks.com

aaron.anderson@xxxxxxxxxxxx
Blog: www.idmworks.com/blog


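Editor's added example, not code from the thread or from ZXID: a small Python preflight that classifies a fetched metadata body the way ZXID's parser trips over it, run here on a trimmed, constructed copy of the IdP metadata quoted above (the X.509 blobs replaced by a placeholder DER SEQUENCE). The Apache log shows `MD(\r` followed by `) 0 chars parsed.`, i.e. the body ZXID got hold of was essentially empty, which is the first branch below; the other branches cover a non-XML body, a missing EntityDescriptor (ZXID's BADMD), and an entityID that does not equal the URL the metadata was fetched from, which defeats the well-known-location method. The `zxid_sha1_name` encoding (base64url of SHA-1, padding dropped) is an assumption, not something the thread states, chosen because it yields the 27-character names seen in the zxcot output (`0bREBGSuS9l2hIxo9zR3NmITzoQ`) and in the `sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8)` log line; those two differ, so computing the name for each candidate entity ID tells you which one the SP actually tried to load.

```python
"""Preflight check for the IdP metadata ZXID is asked to load (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# The IdP entity ID from the thread; the well-known-location method fetches
# the metadata from this URL and expects entityID to equal it.
IDP_URL = "https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php"

# Constructed input: a trimmed copy of the metadata quoted in the thread, with
# the X.509 blob replaced by a tiny placeholder DER SEQUENCE (bytes 30 03 02 01 01).
SAMPLE_MD = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def zxid_sha1_name(entity_id):
    """Name ZXID uses for an entity's file under /var/zxid/cot.

    Assumption (not from the thread): base64url(SHA-1(entityID)) with the '='
    padding dropped, which gives 27-character names like the ones shown by
    zxcot and in the sha1_name(...) log line.
    """
    digest = hashlib.sha1(entity_id.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_metadata(body, fetched_from):
    """Classify a fetched metadata body; 'problems' is empty when ZXID should accept it."""
    report = {"entity_id": None, "sha1_name": None, "sso": [], "certs": 0, "problems": []}
    if not body.strip():
        # The thread's 'MD(\r ... ) 0 chars parsed.' case: nothing usable came back.
        report["problems"].append("empty body: 0 chars to parse, check the HTTPS fetch itself")
        return report
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        report["problems"].append(f"not well-formed XML: {exc}")
        return report
    ed_tag = f"{{{MD_NS}}}EntityDescriptor"
    ed = root if root.tag == ed_tag else root.find(f".//{ed_tag}")
    if ed is None:
        report["problems"].append("no md:EntityDescriptor element (ZXID logs this as BADMD)")
        return report
    entity_id = ed.get("entityID")
    report["entity_id"] = entity_id
    if not entity_id:
        report["problems"].append("EntityDescriptor has no entityID attribute")
    else:
        report["sha1_name"] = zxid_sha1_name(entity_id)
        if entity_id != fetched_from:
            report["problems"].append(
                f"entityID {entity_id} differs from fetch URL {fetched_from}; "
                "a well-known-location lookup by that URL will not match")
    idp = ed.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        report["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return report
    for sso in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        report["sso"].append((sso.get("Binding"), sso.get("Location")))
    if not report["sso"]:
        report["problems"].append("IDPSSODescriptor has no SingleSignOnService endpoint")
    for cert in idp.iter(f"{{{DS_NS}}}X509Certificate"):
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:
            report["problems"].append("X509Certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # every DER certificate starts with SEQUENCE
            report["problems"].append("X509Certificate does not decode to a DER SEQUENCE")
            continue
        report["certs"] += 1
    if report["certs"] == 0:
        report["problems"].append("no usable certificate in any KeyDescriptor")
    return report


if __name__ == "__main__":
    # The second URL is the $idp value from the test script in the thread.
    for src in (IDP_URL, "http://localhost:8888/simplesaml/saml2/idp/metadata.php"):
        rep = check_metadata(SAMPLE_MD, src)
        print(src, "->", rep["sha1_name"], rep["problems"] or "OK")
    print("empty body ->", check_metadata(b"", IDP_URL)["problems"])
```

To use it on the real thing, replace `SAMPLE_MD` with the bytes returned by the same TLS client ZXID uses (its own libcurl, not the shell's curl, since the two may trust different CA stores) and compare the printed `sha1_name` against the zxcot listing and the log line.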
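Also added by the editor, not part of the thread: the referer in the Apache log is a SAML 2.0 HTTP-Redirect binding AuthnRequest (raw DEFLATE, then base64, then URL-encoding, with SigAlg and Signature as separate query parameters). The Python below builds such a URL from a constructed AuthnRequest using the SP and IdP endpoints named in the thread, then decodes it back so the Issuer, Destination and ACS URL can be read, which is what you would do to the real referer once its wrapped query string is rejoined. The request ID, IssueInstant and the `?o=P` ACS URL are assumptions (the test script reads the POSTed response on `o=P`); the signature is only reported as present or absent, not verified.

```python
"""SAML 2.0 HTTP-Redirect binding: build and decode a SAMLRequest (added example)."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Endpoints from the thread: the SP test script URL and the IdP SSO endpoint.
SP_URL = "https://lb-test.bccs.uib.no/fgb2/zxtest.cgi"
IDP_SSO = "https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php"

# Constructed AuthnRequest. ZXID advertises "$url?o=B" as the SP entity ID and
# the test script reads the POSTed response on "?o=P"; ID and IssueInstant are made up.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_zxtest42" Version="2.0" IssueInstant="2013-04-22T13:02:58Z"
    Destination="{IDP_SSO}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{SP_URL}?o=P">
  <saml:Issuer>{SP_URL}?o=B</saml:Issuer>
</samlp:AuthnRequest>""".encode()


def deflate_b64(xml_bytes):
    """Redirect-binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def inflate_b64(value):
    """Inverse of deflate_b64; `value` is the URL-decoded SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15)


def build_redirect_url(sso_url, xml_bytes, relay_state=None):
    """Build the URL the SP redirects the browser to (unsigned request)."""
    params = {"SAMLRequest": deflate_b64(xml_bytes)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)  # percent-escapes the base64 '+', '/' and '='


def inspect_redirect_url(url):
    """Decode the SAMLRequest carried by a redirect URL such as the referer in the log."""
    query = parse_qs(urlsplit(url).query)
    root = ET.fromstring(inflate_b64(query["SAMLRequest"][0]))
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "type": root.tag.rsplit("}", 1)[-1],
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        # SigAlg/Signature are separate query parameters in this binding; checking
        # them needs the SP's signing certificate from its metadata, not done here.
        "sig_alg": query.get("SigAlg", [None])[0],
        "signed": "Signature" in query,
    }


if __name__ == "__main__":
    url = build_redirect_url(IDP_SSO, SAMPLE_AUTHN_REQUEST, relay_state="/protected")
    print(url)
    for key, val in inspect_redirect_url(url).items():
        print(f"{key:12s} {val}")
```

The Issuer decoded from a real referer is the entity ID the SP presented to the IdP; if it is not the `$url?o=B` value the IdP was given, the IdP cannot find the SP's metadata either, which is the mirror image of the BADMD failure on the SP side.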