
Re: Metadata parse problem BADMD - chars_parsed(0)



Hi,

thank you very much for your responses. I have been debugging for some time,
also following your suggestions. Please see my responses inline.

Hope you can guide me further.

Best
Michael


On Apr 22, 2013, at 8:05 PM, sampo@xxxxxxxxx wrote:

> Version and platform info, please. See more inline.

zxid 1.11 compiled from source. We updated from a previous version 1.01 installed via CPAN.
Output of version_string:  1.11 1352851694 libzxid (zxid.org)

(make samlmod; make samlmod_install) on 
a relatively old CentOS 5.4:
[m@test-fe cot]$ uname -a
Linux test-fe.bccs.uib.no 2.6.18-274.12.1.el5xen #1 SMP Tue Nov 29 14:18:21 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
Perl:
This is perl, v5.8.8 built for x86_64-linux-thread-multi
Apache/2.2.3 (CentOS) Server at lb-test.bccs.uib.no Port 443, running with mod_fcgid enabled.
simplesamlphp (1.10.0) with php5.3.3, SAML 2 IdP enabled (shib 1.3 disabled) using the test certificates.

> 
> Aaron Anderson <aaron.anderson@xxxxxxxxxxxx> said:
>> I've only just started using ZXID but I'll see if I can help. What's
>> unclear to me is where the error is occurring. From the debug output it's
>> not able to find the entity descriptor but the referrer is the SAML
>> request. Does this mean the IDP already authenticated you? Is it having
>> problems parsing the entity ID from the SAML response?
> 
> You are trying to run Net::SAML as SP towards simplesamlphp IdP. For
> the SP to contact the IdP it must understand the IdP's metadata. Thus
> I believe it never went to the IdP and user was not authenticated.

The IdP has registered the metadata of the Net::SAML SP. After choosing an IdP
in the SP, the browser is redirected to the IdP login page. After login, the IdP redirects to
the Net::SAML SP. But the SP script shows: No session, user not logged in. Checking via
the IdP admin interface, however, shows that the user is logged in at the IdP and also with other
applications using the IdP. Subsequent login attempts via the Net::SAML SP redirect directly back to
the SP without having to enter credentials, but according to the SP there is no session.



> 
>> On Mon, Apr 22, 2013 at 8:26 AM, Michael Dondrup
>> <michael.dondrup@xxxxxx>wrote:
>> 
>>> Hi,
>>> I am having trouble connecting to a simpleSAMLphp IdP. I am using zxid
>>> 1.11 and Net::SAML perl module.
>>> 
>>> In /var/zxid/log/err, the following two lines appear for a login attempt,
>>> and no session is generated:
>>> 
>>> 
>>> PP - 20130422-124034.030 19700101-000000.501 129.177.118.128:- - - - -
>>> zx N W ANREDIR
>>> https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -
>>> PP - 20130422-124034.539 19700101-000000.501 129.177.118.128:- - - - -
>>> zx N B BADMD - chars_parsed(0)
> 
> I tried accessing https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php
> and the metadata seemed to be superficially OK. I can't outright explain why
> you get BADMD at zero chars parsed. Possible explanations:
> 
> * Permissions problem: although metadata was fetched writing it
>  to disk failed and the later reading it returns 0 bytes.

The metadata is in fact found in /var/zxid/cot in this file
-rw-r--r-- 1 apache apache 3090 Mar 18 14:05 0bREBGSuS9l2hIxo9zR3NmITzoQ
The file seems to contain the metadata from the IdP. However, there are differences between the
original metadata as retrieved from the IdP and the stored version. The XML identifier and namespace URIs
have been stripped from the stored file:

$ diff metadata.php 0bREBGSuS9l2hIxo9zR3NmITzoQ 
1,2c1
< <?xml version="1.0"?>
< <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">
---
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">
26c25
< </md:EntityDescriptor>
---
> </md:EntityDescriptor>
\ No newline at end of file

After moving the metadata file away, when accessing the IdP, a new file
0bREBGSuS9l2hIxo9zR3NmITzoQ is created and stored in /var/zxid/cot with
identical content to the old one (created by zxid v. 1.01).

> * Permissions problem: metadata was fetched and stored (perhaps using
>  zxcot utility), but it is not readable by Net::SAML, which runs
>  using permissions of the web server (as www-data user on Ubuntu).

httpd is running as user apache, all files and directories under /var/zxid are owned by apache. Also,
we made files world readable for now to no avail.

$ ls -l /var/zxid
total 48
drwxr-xr-x 6 apache apache 4096 Mar 18 12:56 1.01
drwxrwsr-x 2 apache apache 4096 Apr 23 10:08 cot
-rw-r--r-- 1 root   root   4940 Apr 19 12:00 index.html
drwxrwsr-x 2 apache apache 4096 Mar 18 12:56 inv
drwxrwsr-x 4 apache apache 4096 Apr 19 11:54 log
-rw-r--r-- 1 root   root   3159 Apr 19 11:59 metadata.php
drwxrwsr-x 2 apache apache 4096 Mar 18 12:56 nid
drwxr-sr-x 2 apache apache 4096 Mar 25 11:23 pem
drwxrwsr-x 2 apache apache 4096 Mar 18 12:56 ses
drwxrwsr-x 2 apache apache 4096 Mar 18 12:56 uid
drwxrwsr-x 2 apache apache 4096 Mar 18 12:56 user

$ ls -l /var/zxid/cot
total 60
-rw-r--r-- 1 apache apache  3090 Apr 23 10:08 0bREBGSuS9l2hIxo9zR3NmITzoQ
-rw-r--r-- 1 apache apache  3090 Mar 18 14:05 0bREBGSuS9l2hIxo9zR3NmITzoQ_bak
-rw-r--r-- 1 apache apache 30344 Mar 18 13:08 _CBGcFVVbIEmt5oh3jUx4GEfHLM
-rw-r--r-- 1 apache apache  2166 Mar 18 13:08 OKCy5mMaXMJUnKQ1wVJCcT00AA8
-rw-r--r-- 1 apache apache  4185 Mar 18 13:08 s36Te-rgbzReSjVc8vDDGy89tT8
-rw-r--r-- 1 apache apache  3109 Mar 25 14:18 UOwaVaEsNcXfZ-Rx_1WjiYGES30
-rw-r--r-- 1 apache apache  2608 Mar 18 13:08 ZLIYSwzbSQdzIWHISwoWtdrx6JI




> * Disk full, zero sized metadata file.
> 
No, there should be enough space:

$ df -h /tmp
Filesystem            Size  Used Avail Use% Mounted on
none                  512M   83M  430M  17% /tmp
$ df -h /var/zxid
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-root
                       11G  6.0G  4.1G  60% /


> Basically if you look at the metadata and zxidmeta.c, it should
> take the "if" on zxidmeta.c:189. The parser has not seen the
> EntityDescriptor tag and goes on chasing other possibilities
> we know will fail due to the input.
> 
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">

the tag is the first line of the saved metadata file.


>>> In the server log I get the following related error:
>>> zxid_parse_meta  \tzx E Bad metadata. EntityDescriptor could not be found
>>> or was corrupt.
>>> 
>>> I have checked the metadata with zxcot:
>>> opendir for /var/zxid/cot (or other if configured) for loading cot cache:
>>> Not a directory
>>> 0bREBGSuS9l2hIxo9zR3NmITzoQ
>>> https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -
> 
> Can you run zxcot utility (should have been compiled when you
> built Net::SAML)?

~/compile/zxid-1.12/zxcot 
t2af9ef48d340 zxidmeta.c:153 zxid_mk_ent      cot I Metadata only had signing certificate. Using it for encryption as well. 0
/var/zxid/cot/ZLIYSwzbSQdzIWHISwoWtdrx6JI http://auth.orange.fr                              -
/var/zxid/cot/UOwaVaEsNcXfZ-Rx_1WjiYGES30 https://openidp.feide.no                           -
/var/zxid/cot/0bREBGSuS9l2hIxo9zR3NmITzoQ https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php -
/var/zxid/cot/s36Te-rgbzReSjVc8vDDGy89tT8 http://idp.ssocircle.com                           -
/var/zxid/cot/_CBGcFVVbIEmt5oh3jUx4GEfHLM https://idp.symdemo.com:8880/idp.xml               -
t2af9ef48d340 zxidmeta.c:153 zxid_mk_ent      cot I Metadata only had signing certificate. Using it for encryption as well. 0
/var/zxid/cot/OKCy5mMaXMJUnKQ1wVJCcT00AA8 http://auth-int.orange.fr                          -

looks ok to me.

> 
>>> The server uses a self-signed certificate (CA imported such that the
>>> metadata can be fetched with curl without error). Funnily, I have this
>>> running in
>>> almost identical setup on another machine but without ssl. Could you guide
>>> me to what could be causing this?
> 
> The selfsigned cert should not be a problem.
> 
> Cheers,
> --Sampo
> 
>>> Thank you very much.
>>> Kind regards
>>> 
>>> Michael Dondrup
>>> Postdoctoral fellow
>>> Sea Lice Research Centre/Department of Informatics
>>> University of Bergen
>>> Thormøhlensgate 55, N-5008 Bergen,
>>> Norway
>>> 
>>> 
>>> my test script:
>>> #!/usr/bin/perl
>>> 
>>> use strict;
>>> use warnings;
>>> #use local::lib qw(/export/home/licebase/perl5);
>>> use CGI::Fast qw(:standard);
>>> use CGI::Carp;
>>> use Data::Dumper;
>>> use URI::Escape;
>>> use Net::SAML;
>>> 
>>> $| = 1;
>>> while (my $q = CGI::Fast->new) {
>>> 
>>>  print STDERR "hello, this is zxtest.cgi\n";
>>> 
>>>  # Flush pipes, read all in at once
>>>  print STDERR "Net::SAML version: ". Net::SAML::version_str;
>>>  my $url = "https://lb-test.bccs.uib.no/fgb2/zxtest.cgi";  # Edit to match your situation
>>>  my $idp = "http://localhost:8888/simplesaml/saml2/idp/metadata.php";
>>>  my $conf = "URL=$url&";
>>>  my $cf = Net::SAML::new_conf_to_cf($conf);
>>>  #Net::SAML::init_conf($cf,"/var/zxid/");
>>>  #Net::SAML::url_set($cf, $url);
>>>  Net::SAML::set_opt($cf, 1 ,1);
>>> 
>>>  print STDERR "loaded config\n";
>>> 
>>>  print STDERR Dumper ($cf);
>>>  my $qs = $ENV{'QUERY_STRING'};
>>> print STDERR "QUERY_STRING: '$qs'\n";
>>>  carp "undef Query string" unless $qs;
>>>  my $ruri = self_url();
>>>  $qs = <STDIN> if $qs =~ /o=P/;
>>>  if ($qs =~ /o=P/) {
>>>    print STDERR "Query string read from STDIN and it is '$qs'\n";
>>>  }
>>>  my $samlart = uri_escape( param("SAMLart") ) || "<empty>";
>>>  print STDERR "SAMLart:=======================".$samlart;
>>> #$qs .= "&e=l0$idp&l0=TRUE";
>>>  print STDERR "QS: $qs\n";
>>> #$qs = undef if $ruri =~ /$samlart/;
>>> #print STDERR $ruri," ",$samlart, "\n";
>>>  my $res = Net::SAML::simple_cf($cf, -1, $qs, undef, 0x1828); # keep the flags 0x1828 !!!
>>>  print STDERR "RESULT: $res\n";
>>>  my $op = substr($res, 0, 1);
>>>  print STDERR "OP: $op\n";
>>> 
>>> if ($op eq 'L' || $op eq 'C') { print $res."\r\r"; exit } # LOCATION (Redir) or CONTENT
>>> if ($op eq 'n') { print header()."received N!"; exit; } # already handled
>>> if ($op eq 'e') { my_render_idpsel_screen(); exit; } # not logged in
>>> if ($op ne 'd') { die "Unknown Net::SAML::simple() res($res)"; }
>>> # $op == d means logged in
>>> my ($sid) = $res =~ /^sesid: (.*)$/m;  # Extract a useful attribute from SSO output
>>> print header();
>>> my $resE = escapeHTML($res);
>>> 
>>> print <<HTML
>>> 
>>>   <title>ZXID perl HLO SP Mgmt & Protected Content</title>
>>>   <body bgcolor="white"><font face="sans">
>>> 
>>>   <h1>ZXID SP Perl HLO Management & Protected Content (user logged in,
>>> session active)</h1>
>>> sessionid: $sid
>>> 
>>> HTML
>>>   ;
>>> print Net::SAML::fed_mgmt_cf($cf, undef, -1, $sid, 0x1900);
>>> 
>>> print <<HTML
>>> <pre>
>>> $resE
>>> </pre>
>>> HTML
>>>   ;
>>> 
>>> 
>>> exit;
>>> 
>>> sub my_render_idpsel_screen {  # Replaces traditional login screen
>>> 
>>>   print header();
>>> 
>>> print <<HTML;
>>>        <title>ZXID SP PERL HLO SSO IdP Selection</title>
>>>        <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
>>>        <link type="text/css" rel=stylesheet href="idpsel.css">
>>>        <body bgcolor="white"><font face="sans">
>>>        <h1>ZXID SP Perl HLO Federated SSO IdP Selection (user NOT logged
>>> in, no session.)</h1>
>>>        <form method=get action="zxtest.cgi">
>>> 
>>>        <h3>Login Using New IdP</h3>
>>> 
>>>        <i>A new IdP is one whose metadata we do not have yet. We need to
>>> know
>>>        the Entity ID in order to fetch the metadata using the well known
>>>        location method. You will need to ask the adminstrator of the IdP
>>> to
>>>        tell you what the EntityID is.</i>
>>> 
>>>        <p>IdP URL <input name=e size=60><input type=submit name=l2
>>> value=" Login ">
>>> HTML
>>>        ;
>>>   print Net::SAML::idp_list_cf($cf, undef, 0);   # Get the IdP selection form
>>>   print <<HTML;
>>>   <h3>CoT configuration parameters your IdP may need to know</h3>
>>> 
>>>        Entity ID of this SP: <a href="$url?o=B">$url?o=B</a> (Click on
>>> the link to fetch SP metadata.)
>>> 
>>>        <input type=hidden name=fc value=1><input type=hidden name=fn
>>> value=prstnt>
>>>        <input type=hidden name=fq value=""><input type=hidden name=fy
>>> value="">
>>>        <input type=hidden name=fa value=""><input type=hidden name=fm
>>> value="">
>>>        <input type=hidden name=fp value=0><input type=hidden name=ff
>>> value=0>
>>> 
>>>        </form><hr><a href="http://zxid.org/">zxid.org</a>
>>> HTML
>>>        ;
>>> }
>>> }
>>> __END__
>>> 
>>> 
>>> [part of the debug output]
>>> [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] t2b6d08a85770
>>> zxidmeta.c:210 zxid_parse_meta  \tzx E Bad metadata. EntityDescriptor could
>>> not be found or was corrupt. MD(\r, referer:
>>> 
>> https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=f
>> ZJLT8MwEIT%2FiuV74jblIVlNUGkLCoJSCOJ1qRzHaQyJbbybUvj1JJFA4tLLHmbXmvlGnoLjsxYr
>> c68%2BWgVI9k1tgIOLaesNtwI0cCMaBRwlz2Y31zwKR9x5i1bampJF90gbgdqamFaIDjhjdR5gp4e
>> 5lBC2Og%2BNZaAbVysQTc36ETFdOJZlt5nyOy1V6CpHSbqI6erq4%2B5lOyk373v3dHIZibIJNq54
>> 69cArUoNoDAY02g0ngSjoyCKHsYTPor48ekrJWtvd7pQftWFjunrc7og0ppSb1s%2FpCSrdL7crGY
>> 3S04yhQQrDQQtKRRIr3NFvmzrCWhUvVq1jTBAyaPyMCB29DSZguBDFv%2FblzjclwBQvnenyaGOym
>> 0ese%2F9oMutPrPx%2BZT9eXW2jvdY6WJtay2%2FyKyu7efcK4Ed6piSC%2BsbgYej9IougnI45a7
>> nAlQGKUs6r%2F%2B%2FIfkB&SigAlg=http://www.w3.org/2000/09/xmldsig%23rsa-sha1&S
>> ignature=Ise%2B%2BYA16UphB2sIeZCds3BnmpnaPqCmde5YAsOwXHbYCxC9qnipsk%2FqYH2PWh
>> EDAUsC9C2ir8uiU7RMvTcnGbPaLCWsF2eZsaFxYfoKxbouhnsbP4Ae5%2FVrf4LkAPZTZrAZyDcx%
>> 2B4ctBkGRo9B6CFraWR9I8TT
>>> !
>>> yngaSGcNLmg4%3D
>>> [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] ) 0 chars
>>> parsed., referer:
>>> 
>>> [Mon Apr 22 15:02:58 2013] [error] [client 129.177.118.128] t2b6d08a85770
>>> zxidmeta.c:292 zxid_get_ent_file \tzx E ***** Parsing metadata failed for
>>> sha1_name(OKCy5mMaXMJUnKQ1wVJCcT00AA8), referer:
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> <?xml version="1.0"?>
>>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/metadata.php">
>>> <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>>   <md:KeyDescriptor use="signing">
>>>     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>       <ds:X509Data>
>>> 
>>> 
>> <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA
>> 1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEw
>> dVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXN
>> AdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJO
>> TzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FV
>> FQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZX
>> R0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupi
>> BOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRj
>> Zq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGS
>> Ib3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63C
>> tZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFV
>> K2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
>>>       </ds:X509Data>
>>>     </ds:KeyInfo>
>>>   </md:KeyDescriptor>
>>>   <md:KeyDescriptor use="encryption">
>>>     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>       <ds:X509Data>
>>> 
>>> 
>> <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA
>> 1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEw
>> dVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXN
>> AdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJO
>> TzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FV
>> FQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZX
>> R0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupi
>> BOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRj
>> Zq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGS
>> Ib3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63C
>> tZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFV
>> K2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
>>>       </ds:X509Data>
>>>     </ds:KeyInfo>
>>>   </md:KeyDescriptor>
>>>   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SingleLogoutService.php"/>
>>>   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>>>   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb-test.bccs.uib.no/simplesaml/saml2/idp/SSOService.php"/>
>>> </md:IDPSSODescriptor>
>>> <md:ContactPerson contactType="technical">
>>>   <md:SurName>Administrator</md:SurName>
>>>   <md:EmailAddress>trouble@xxxxxxxxxxx</md:EmailAddress>
>>> </md:ContactPerson>
>>> </md:EntityDescriptor>
>>> 
>>> 
>> 
>> 
>> --
>> 
>> ___________________________________
>> IDMWORKS
>> Aaron Anderson
>> Calgary, AB, Canada****
>> 
>> Office: 888-687-0436
>> Cell: 403-701-2846
>> www.idmworks.com ****
>> 
>> aaron.anderson@xxxxxxxxxxxx
>> Blog: www.idmworks.com/blog
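
The log line in this thread names a cache file by its sha1_name, so a per-file check of the whole cot directory narrows down which cached metadata the parser rejects. The following is an added example, not code from the thread or from zxid; it assumes the cache file name is the unpadded URL-safe base64 of the SHA-1 of the entityID, and the entityID and file contents in `demo()` are constructed sample data.

```python
import base64
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def sha1_name(entity_id):
    """Assumed zxid cache name: unpadded URL-safe base64 of SHA-1(entityID)."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

def check_cot_file(path):
    """Return a list of problems found in one cached metadata file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:  # e.g. not readable by the current user
        return ["unreadable: %s" % exc.strerror]
    if not data.strip():
        return ["empty file"]
    try:
        root = ET.fromstring(data)  # also fails on an undeclared namespace prefix
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return ["root element is %s, not md:EntityDescriptor" % root.tag]
    entity_id = root.get("entityID")
    if not entity_id:
        return ["EntityDescriptor has no entityID"]
    if sha1_name(entity_id) != os.path.basename(path):
        return ["file name does not match sha1_name of entityID %s" % entity_id]
    return []

def check_cot_dir(cot_dir):
    """Map every regular file in the cot directory to its list of problems."""
    return {name: check_cot_file(os.path.join(cot_dir, name))
            for name in sorted(os.listdir(cot_dir))
            if os.path.isfile(os.path.join(cot_dir, name))}

def demo():
    """Run the checks over a constructed cot directory (sample data only)."""
    eid = "https://idp.example.org/metadata"  # constructed entityID
    good = '<md:EntityDescriptor xmlns:md="%s" entityID="%s"/>' % (MD_NS, eid)
    # ds: prefix used without a declaration, as if a namespace had been stripped
    unbound = ('<md:EntityDescriptor xmlns:md="%s" entityID="%s">'
               '<ds:KeyInfo/></md:EntityDescriptor>' % (MD_NS, eid))
    with tempfile.TemporaryDirectory() as cot:
        for name, body in ((sha1_name(eid), good), ("empty", ""), ("unbound", unbound)):
            with open(os.path.join(cot, name), "w") as fh:
                fh.write(body)
        return check_cot_dir(cot)

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

Calling `check_cot_dir("/var/zxid/cot")` as the web server's user also exercises the file permissions discussed above; backup copies such as a `_bak` file are reported as name mismatches.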