
Re: Metadata parse problem BADMD - chars_parsed(0)

Michael Dondrup <michael.dondrup@xxxxxx> said:
> thank you very much for your responses. I have been debugging for some time, 
> also following your suggestions. Please see my responses inline.
> Hope you can guide me further.
> Best
> Michael
> On Apr 22, 2013, at 8:05 PM, sampo@xxxxxxxxx wrote:
> > Version and platform info, please. See more inline.
> zxid 1.11 compiled from source. We updated from a previous version 1.01 installed via CPAN.

Did the previous version work? (There should not be much difference
between those versions and no need to install the previous version
if you have not already done so, but if you had it working with
this IdP then that would be a useful data point.)

> Output of version_string:  1.11 1352851694 libzxid (zxid.org)
> (make samlmod; make samlmod_install) on 
> a relatively old CentOS 5.4:
> [m@test-fe cot]$ uname -a
> Linux test-fe.bccs.uib.no 2.6.18-274.12.1.el5xen #1 SMP Tue Nov 29 14:18:21 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
> Perl:
> This is perl, v5.8.8 built for x86_64-linux-thread-multi
> Apache/2.2.3 (CentOS) Server at lb-test.bccs.uib.no Port 443 with running with mod_fcgid enabled.
> simplesamlphp (1.10.0) with php5.3.3, SAML 2 IdP enabled (shib 1.3 disabled) using the test certificates.
> > 
> > Aaron Anderson <aaron.anderson@xxxxxxxxxxxx> said:
> >> I've only just started using ZXID but I'll see if I can help. What's
> >> unclear to me is where the error is occurring. From the debug output it's
> >> not able to find the entity descriptor but the referrer is the SAML
> >> request. Does this mean the IDP already authenticated you? Is it having
> >> problems parsing the entity ID from the SAML response?
> > 
> > You are trying to run Net::SAML as SP towards simplesamlphp IdP. For
> > the SP to contact the IdP it must understand the IdP's metadata. Thus
> > I believe it never went to the IdP and user was not authenticated.
> The IdP has registered the metadata of the Net::SAML SP. After choosing an IdP
> in the SP, the browser is redirected to the IdP login page. After login, the IdP redirects to
> the Net::SAML SP. But the SP script shows: No session, user not logged in. Checking via
> the IdP admin interface, however, shows that the user is logged in at the IdP and also with other 
> applications using the IdP. Subsequent login attempts via the Net::SAML SP redirect directly back to
> the SP without having to enter credentials, but according to the SP there is no session.

Ok, so the user is logged in at the IdP, but the SAML SSO step fails. This
should be a relatively easily debuggable problem. All you have to
do is simulate the CGI input and run the script from the command line (or
even under a debugger like gdb).

1. You seem to have enabled debugging so that /var/zxid/log/xml.dbg
   should have been created. Fish out of that file the input that
   was submitted to your script when redirection (or POST if you
   are using post profile) happened and save it as a separate file.

2. Set environment variables as they were when calling your script.
   Typically you need to set

   export QUERY_STRING='o=P'
   export CONTENT_LENGTH=1234   # The size of the file where you saved input

3. perl yourscript.pl <input-file

This should allow you to reproduce the problem at will.

If you are handy with gdb, you could do this

gdb perl
b zxid_simple_cf_ses   # a function inside libzxid
Function "zxid_simple_cf_ses" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (zxid_simple_cf_ses) pending.
set env QUERY_STRING=o=P
set env CONTENT_LENGTH=1234   # The size of the file where you saved input
r yourscript.pl <input-file

Even if you are not familiar with gdb, you can get some
idea of what the program is doing by running

strace -e open perl yourscript.pl <input-file

which should allow you to see in action where it is finding
the metadata file.

The fact that zxcot listing worked means that the metadata was
correctly parsed (i.e. it does not have any error that prevents
it from being parsed). Thus I continue to hold the theory
that somehow it is not looking for the metadata in the
same place as you think it is (and zxcot is looking).

A quick glance at your code: on line 21 you have

  my $conf = "URL=$url&";

To me it seems the ampersand after the URL is superfluous. Can you try
removing it to see if it makes any difference?

If the above hints fail to solve the problem, you need to give me a reproducible
test case: tar gz your script and your /var/zxid directory, including the
xml.dbg file, so I can try to reproduce your problem on my machine.
Please do not mail the tgz to the mailing list, but directly to me.
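The command-line replay described in steps 1 to 3 above, written out as a small shell helper. This is an added example and not code from the mail or from the zxid project: it assumes the POST body was already saved to a file, derives CONTENT_LENGTH from that file's byte count instead of typing it by hand, and sets the other CGI variables the way Apache would. The stand-in script and request body inside `demo_replay` are constructed so the helper runs offline without zxid; with a real setup you would call `replay_cgi perl yourscript.pl saved-post.txt 'o=P'`.

```shell
#!/bin/sh
# Added example, not from the original mail or the zxid project: replay a saved
# CGI request to an SP script from the command line (steps 1-3 of the reply).
# The request body file, the stand-in script and the values in demo_replay are
# constructed assumptions; real use passes 'perl yourscript.pl' and the POST body
# fished out of xml.dbg.

# CONTENT_LENGTH must equal the byte count of the saved body: too small and the
# CGI library truncates the SAMLResponse, too large and it blocks reading stdin.
content_length() {
    wc -c < "$1" | tr -d ' '
}

# Set the CGI environment as the web server would and feed the body on stdin.
# Usage: replay_cgi <interpreter> <script> <body-file> [query-string]
replay_cgi() {
    interp=$1; script=$2; body=$3; qs=${4:-o=P}
    CONTENT_LENGTH=$(content_length "$body") \
    CONTENT_TYPE='application/x-www-form-urlencoded' \
    REQUEST_METHOD=POST \
    QUERY_STRING="$qs" \
    "$interp" "$script" < "$body"
}

# Self-contained demo: a constructed body and a constructed stand-in for the SP
# script that reads exactly CONTENT_LENGTH bytes, as a CGI library does, and
# reports the environment it saw. Prints one line and returns it for checking.
demo_replay() {
    tmp=$(mktemp -d)
    printf '%s' 'SAMLResponse=UE9TVEJPRFk&RelayState=demo' > "$tmp/body.txt"
    cat > "$tmp/fakesp.sh" <<'EOF'
#!/bin/sh
body=$(head -c "$CONTENT_LENGTH")
printf 'method=%s qs=%s len=%s body=%s\n' "$REQUEST_METHOD" "$QUERY_STRING" "$CONTENT_LENGTH" "$body"
EOF
    out=$(replay_cgi sh "$tmp/fakesp.sh" "$tmp/body.txt" 'o=P')
    rm -rf "$tmp"
    printf '%s\n' "$out"
}
```

Once the replay reproduces the "No session" result, the same environment prefix works in front of `strace -e open perl yourscript.pl < saved-post.txt` or inside gdb with `set env`, so the metadata lookup path can be observed on the exact request that failed.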