
Re: Metadata parse problem BADMD - chars_parsed(0)



Version and platform info, please. See more inline.

Aaron Anderson <aaron.anderson@xxxxxxxxxxxx> said:
> I've only just started using ZXID but I'll see if I can help. What's
> unclear to me is where the error is occurring. From the debug output it's
> not able to find the entity descriptor but the referrer is the SAML
> request. Does this mean the IDP already authenticated you? Is it having
> problems parsing the entity ID from the SAML response?

You are trying to run Net::SAML as an SP towards a simpleSAMLphp IdP. For
the SP to contact the IdP it must understand the IdP's metadata. Thus
I believe it never went to the IdP and the user was not authenticated.

> On Mon, Apr 22, 2013 at 8:26 AM, Michael Dondrup
> <michael.dondrup@xxxxxx>wrote:
> 
> > Hi,
> > I am having trouble connecting to a simpleSAMLphp IdP. I am using zxid
> > 1.11 and Net::SAML perl module.
> >
> > In /var/zxid/log/err, the following two lines appear for a login attempt,
> > and no session is generated:
> >
> >
> > PP - 20130422-124034.030 19700101-000000.501 129.177.118.128:- - - - -
> >  zx N W ANREDIR
> > https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -
> > PP - 20130422-124034.539 19700101-000000.501 129.177.118.128:- - - - -
> >  zx N B BADMD - chars_parsed(0)

I tried accessing https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php
and the metadata seemed to be superficially OK. I can't outright explain why
you get BADMD at zero chars parsed. Possible explanations:

* Permissions problem: although the metadata was fetched, writing it
  to disk failed, and reading it back later returns 0 bytes.
* Permissions problem: the metadata was fetched and stored (perhaps using
  the zxcot utility), but it is not readable by Net::SAML, which runs
  with the permissions of the web server (the www-data user on Ubuntu).
* Disk full, zero-sized metadata file.

Basically, if you look at the metadata and zxidmeta.c, it should
take the "if" on zxidmeta.c:189. The parser has not seen the
EntityDescriptor tag and goes on chasing other possibilities
we know will fail due to the input.

> > In the server log I get the following related error:
> > zxid_parse_meta  \tzx E Bad metadata. EntityDescriptor could not be found
> > or was corrupt.
> >
> > I have checked the metadata with zxcot:
> > opendir for /var/zxid/cot (or other if configured) for loading cot cache:
> > Not a directory
> > 0bREBGSuS9l2hIxo9zR3NmITzoQ
> > https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -

Can you run zxcot utility (should have been compiled when you
built Net::SAML)?

> > The server uses a self-signed certificate (CA imported such that the
> > metadata can be fetched with curl without error). Funnily, I have this
> > running in an almost identical setup on another machine but without SSL.
> > Could you guide me to what could be causing this?

The self-signed cert should not be a problem.

Cheers,
--Sampo

> > Thank you very much.
> > Kind regards
> >
> > Michael Dondrup
> > Postdoctoral fellow
> > Sea Lice Research Centre/Department of Informatics
> > University of Bergen
> > Thormøhlensgate 55, N-5008 Bergen,
> > Norway
> >
> >
> > my test script:
> > #!/usr/bin/perl
> >
> > use strict;
> > use warnings;
> > #use local::lib qw(/export/home/licebase/perl5);
> > use CGI::Fast qw(:standard);
> > use CGI::Carp;
> > use Data::Dumper;
> > use URI::Escape;
> > use Net::SAML;
> >
> > # Declared outside the request loop so that my_render_idpsel_screen()
> > # (a named sub, compiled once) sees the same value on every request.
> > my $url = "https://lb-test.bccs.uib.no/fgb2/zxtest.cgi";  # Edit to match your situation
> > my $idp = "http://localhost:8888/simplesaml/saml2/idp/metadata.php";
> >
> > $| = 1;
> > while (my $q = CGI::Fast->new) {
> >
> >   print STDERR "hello, this is zxtest.cgi\n";
> >   print STDERR "Net::SAML version: " . Net::SAML::version_str() . "\n";
> >
> >   my $conf = "URL=$url&";
> >   my $cf = Net::SAML::new_conf_to_cf($conf);
> >   #Net::SAML::init_conf($cf, "/var/zxid/");
> >   #Net::SAML::url_set($cf, $url);
> >   Net::SAML::set_opt($cf, 1, 1);
> >
> >   print STDERR "loaded config\n";
> >   print STDERR Dumper($cf);
> >
> >   my $qs = $ENV{'QUERY_STRING'};
> >   $qs = '' unless defined $qs;   # avoid uninitialized-value warnings below
> >   print STDERR "QUERY_STRING: '$qs'\n";
> >   carp "undef Query string" unless $qs;
> >   my $ruri = self_url();
> >   # On a POST (o=P) the SAML response is in the request body, not the query string
> >   $qs = <STDIN> if $qs =~ /o=P/;
> >   if ($qs =~ /o=P/) {
> >     print STDERR "Query string read from STDIN and it is '$qs'\n";
> >   }
> >   my $samlart = uri_escape(param("SAMLart") // '') || "<empty>";
> >   print STDERR "SAMLart:=======================" . $samlart . "\n";
> >   #$qs .= "&e=l0$idp&l0=TRUE";
> >   print STDERR "QS: $qs\n";
> >   #$qs = undef if $ruri =~ /$samlart/;
> >   #print STDERR $ruri, " ", $samlart, "\n";
> >
> >   my $res = Net::SAML::simple_cf($cf, -1, $qs, undef, 0x1828); # keep the flags 0x1828 !!!
> >   print STDERR "RESULT: $res\n";
> >   my $op = substr($res, 0, 1);
> >   print STDERR "OP: $op\n";
> >
> >   # In a FastCGI loop exit would kill the worker; next finishes this request only.
> >   # For L and C the result already carries the complete header block.
> >   if ($op eq 'L' || $op eq 'C') { print $res; next; }                # LOCATION (Redir) or CONTENT
> >   if ($op eq 'n') { print header() . "received N!"; next; }         # already handled
> >   if ($op eq 'e') { my_render_idpsel_screen($cf); next; }           # not logged in
> >   if ($op ne 'd') { die "Unknown Net::SAML::simple() res($res)"; }
> >   # $op eq 'd' means logged in
> >   my ($sid) = $res =~ /^sesid: (.*)$/m;  # Extract a useful attribute from SSO output
> >   print header();
> >   my $resE = escapeHTML($res);
> >
> >   print <<HTML;
> >    <title>ZXID perl HLO SP Mgmt & Protected Content</title>
> >    <body bgcolor="white"><font face="sans">
> >
> >    <h1>ZXID SP Perl HLO Management & Protected Content (user logged in, session active)</h1>
> >  sessionid: $sid
> >
> > HTML
> >   print Net::SAML::fed_mgmt_cf($cf, undef, -1, $sid, 0x1900);
> >
> >   print <<HTML;
> > <pre>
> > $resE
> > </pre>
> > HTML
> > }
> >
> > sub my_render_idpsel_screen {  # Replaces traditional login screen
> >   my ($cf) = @_;
> >
> >   print header();
> >
> >   print <<HTML;
> >         <title>ZXID SP PERL HLO SSO IdP Selection</title>
> >         <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
> >         <link type="text/css" rel=stylesheet href="idpsel.css">
> >         <body bgcolor="white"><font face="sans">
> >         <h1>ZXID SP Perl HLO Federated SSO IdP Selection (user NOT logged in, no session.)</h1>
> >         <form method=get action="zxtest.cgi">
> >
> >         <h3>Login Using New IdP</h3>
> >
> >         <i>A new IdP is one whose metadata we do not have yet. We need to know
> >         the Entity ID in order to fetch the metadata using the well known
> >         location method. You will need to ask the administrator of the IdP to
> >         tell you what the EntityID is.</i>
> >
> >         <p>IdP URL <input name=e size=60><input type=submit name=l2 value=" Login ">
> > HTML
> >   print Net::SAML::idp_list_cf($cf, undef, 0);   # Get the IdP selection form
> >   print <<HTML;
> >    <h3>CoT configuration parameters your IdP may need to know</h3>
> >
> >         Entity ID of this SP: <a href="$url?o=B">$url?o=B</a> (Click on
> >         the link to fetch SP metadata.)
> >
> >         <input type=hidden name=fc value=1><input type=hidden name=fn value=prstnt>
> >         <input type=hidden name=fq value=""><input type=hidden name=fy value="">
> >         <input type=hidden name=fa value=""><input type=hidden name=fm value="">
> >         <input type=hidden name=fp value=0><input type=hidden name=ff value=0>
> >
> >         </form><hr><a href="http://zxid.org/">zxid.org</a>
> > HTML
> > }
> > __END__
> >
> >
> > [part of the debug output]
> > [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] t2b6d08a85770 zxidmeta.c:210 zxid_parse_meta  \tzx E Bad metadata. EntityDescriptor could not be found or was corrupt. MD(\r, referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D
> > [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] ) 0 chars parsed., referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D
> > [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] t2b6d08a85770 zxidmeta.c:292 zxid_get_ent_file \tzx E ***** Parsing metadata failed for sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8), referer: https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYrc68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq5469cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&Signature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWhEDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%2B4ctBkGRo9B6CFraWR9I8TTyngaSGcNLmg4%3D
> >
> > <?xml version="1.0"?>
> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> >     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> >     entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">
> >   <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> >     <md:KeyDescriptor use="signing">
> >       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <ds:X509Data>
> >           <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA
> >             1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEw
> >             dVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXN
> >             AdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJO
> >             TzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FV
> >             FQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZX
> >             R0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupi
> >             BOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRj
> >             Zq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGS
> >             Ib3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63C
> >             tZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFV
> >             K2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
> >         </ds:X509Data>
> >       </ds:KeyInfo>
> >     </md:KeyDescriptor>
> >     <md:KeyDescriptor use="encryption">
> >       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <ds:X509Data>
> >           <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA
> >             1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEw
> >             dVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXN
> >             AdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJO
> >             TzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FV
> >             FQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZX
> >             R0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupi
> >             BOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRj
> >             Zq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGS
> >             Ib3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63C
> >             tZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFV
> >             K2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
> >         </ds:X509Data>
> >       </ds:KeyInfo>
> >     </md:KeyDescriptor>
> >     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> >         Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SingleLogoutService.php"/>
> >     <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
> >     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> >         Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php"/>
> >   </md:IDPSSODescriptor>
> >   <md:ContactPerson contactType="technical">
> >     <md:SurName>Administrator</md:SurName>
> >     <md:EmailAddress>trouble@xxxxxxxxxxx</md:EmailAddress>
> >   </md:ContactPerson>
> > </md:EntityDescriptor>
> >
> >
> 
> 
> --
> 
> ___________________________________
> IDMWORKS
> Aaron Anderson
> Calgary, AB, Canada
> 
> Office: 888-687-0436
> Cell: 403-701-2846
> www.idmworks.com
> 
> aaron.anderson@xxxxxxxxxxxx
> Blog: www.idmworks.com/blog
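The checklist in Sampo's reply above (metadata written but not readable by the web server user, zero-sized file because of a failed write or full disk, no EntityDescriptor found with 0 chars parsed) can be exercised offline. The script below is an added example for this thread; it is not code from ZXID, zxcot or Net::SAML. It assumes that ZXID names circle-of-trust cache files by the SHA-1 of the entity ID in URL-safe base64 with the padding stripped (which gives 27-character names of the kind the log prints as sha1_name(...)), that Net::SAML reads that file as the web server user, and that a usable IdP entry has md:EntityDescriptor as its root element with an md:IDPSSODescriptor inside. The entity ID, the sample metadata and the uid/gid standing in for www-data are constructed for the demo.

```python
"""Offline checks for a ZXID circle-of-trust (CoT) metadata cache entry.

Added example for this thread, not ZXID, zxcot or Net::SAML code. Assumed:
cache name = SHA-1(entityID) in URL-safe base64 without padding; the file is
read as the web server user; an IdP entry is md:EntityDescriptor + md:IDPSSODescriptor.
"""
import base64
import hashlib
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % MD_NS
IDP_SSO_DESCRIPTOR = "{%s}IDPSSODescriptor" % MD_NS


def sha1_name(entity_id):
    """Cache file name, assumed to match ZXID's sha1_name(entityID)."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_metadata_bytes(data, expected_entity_id=None):
    """Classify raw metadata bytes; returns (ok, message)."""
    if not data.strip():
        # The thread's case: the file holds only "\r", so nothing is parsed.
        return False, "BADMD: empty or whitespace-only file (chars_parsed(0))"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        return False, "BADMD: not well-formed XML: %s" % err
    if root.tag != ENTITY_DESCRIPTOR:
        return False, "BADMD: root is %s, not md:EntityDescriptor" % root.tag
    entity_id = root.get("entityID")
    if expected_entity_id is not None and entity_id != expected_entity_id:
        return False, "entityID mismatch: file says %r" % entity_id
    if root.find(IDP_SSO_DESCRIPTOR) is None:
        return False, "no md:IDPSSODescriptor, not usable as an IdP"
    return True, "ok: %s" % entity_id


def readable_by(st, uid, gid):
    """Mode-bit read check for a process running as uid/gid (ignores ACLs)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_cache_entry(cot_dir, entity_id, web_uid, web_gid):
    """Findings for the cache file ZXID would open; an empty list means fine."""
    path = os.path.join(cot_dir, sha1_name(entity_id))
    if not os.path.isfile(path):
        return ["missing: %s (ZXID would have to fetch it)" % path]
    findings = []
    st = os.stat(path)
    if st.st_size == 0:
        findings.append("zero-sized file (disk full or failed write?)")
    if not readable_by(st, web_uid, web_gid):
        findings.append("not readable by uid %d/gid %d: mode %o, owner %d:%d"
                        % (web_uid, web_gid, stat.S_IMODE(st.st_mode),
                           st.st_uid, st.st_gid))
    with open(path, "rb") as fh:
        data = fh.read()
    ok, msg = check_metadata_bytes(data, entity_id)
    if not ok:
        findings.append(msg)
    return findings


# Constructed sample IdP metadata, not the metadata from the thread.
SAMPLE_ENTITY_ID = "https://idp.example.test/simplesaml/saml2/idp/metadata.php"
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def demo():
    """Build throwaway CoT directories for the thread's failure modes and check each."""
    base = tempfile.mkdtemp(prefix="zxid-cot-")
    web_uid, web_gid = os.getuid() + 1, os.getgid() + 1  # a uid/gid that is not ours stands in for www-data
    cases = {
        "good": (SAMPLE_METADATA, 0o644),
        "cr_only": (b"\r", 0o644),               # MD(\r) 0 chars parsed, as in the log
        "empty": (b"", 0o644),                   # disk full or failed write
        "owner_only": (SAMPLE_METADATA, 0o600),  # stored by another user, unreadable by www-data
    }
    results = {}
    for label, (data, mode) in cases.items():
        cot = os.path.join(base, label)
        os.mkdir(cot)
        path = os.path.join(cot, sha1_name(SAMPLE_ENTITY_ID))
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
        results[label] = check_cache_entry(cot, SAMPLE_ENTITY_ID, web_uid, web_gid)
    results["missing"] = check_cache_entry(base, SAMPLE_ENTITY_ID, web_uid, web_gid)
    return results


if __name__ == "__main__":
    for label, findings in sorted(demo().items()):
        print("%-11s %s" % (label, findings or "ok"))
    # Compare with the name zxcot lists for the thread's IdP.
    print(sha1_name("https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php"))
```

Run with no arguments it reports the five constructed cases. To check a live install, call check_cache_entry("/var/zxid/cot", entity_id, uid, gid) with the web server's uid and gid (pwd.getpwnam("www-data") on Ubuntu) and the IdP's real entity ID; a whitespace-only or zero-sized file is reported separately from well-formed XML with the wrong root element, which is the distinction the single BADMD - chars_parsed(0) line in the error log does not make.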