[Shib-Users] xmltooling::IOException, URL is malformed


Jason Rosenfeld

Jan 26, 2010, 4:00:57 PM
to shibbole...@internet2.edu
Hello,

I work for a new Shibboleth Service Provider called Zimride Inc. We
are running a Debian Linux system and have installed a stable
prepackaged build of Shibboleth SP 2.0. We have joined the InCommon
Federation and gone live with two different Identity Providers, one of
which is the University of Maryland at College Park, who is running
Shibboleth IP 1.3. We have found that approximately 10% of our users
are encountering a Shibboleth error that we cannot reproduce. Based
on Apache access logs, it is occurring for these users about 10-20
seconds after they have successfully established a session via
Shibboleth. They hit our site, we bounce them to UMD, we hear back
from UMD, we establish a session for them and successfully parse their
attributes, and then after 10-20 seconds, and presumably following some
user action we have not yet determined, a Shibboleth error is thrown.
We have turned logging way up in all of the Shibboleth files and so
far as we can tell everything in the native.log, shibd.log, and
transaction.log looks normal (and identical to sessions established
that do not result in this error), which makes sense since the session
is successfully established. The error that we are getting is
shown below. If anyone has encountered this problem before and can
provide us with additional information that would be greatly
appreciated:

requestURL: https://www.zimride.com/Shibboleth.sso/SAML/POST
errorType: xmltooling::IOException
errorText: URL is malformed.

From looking at the source code, it appears as though this error is
thrown when XMLTooling is trying to parse a URL that does not have a
colon in it, but we are not told what URL is missing the colon, which
is making it very difficult to debug.

If you need to see our log files or other information please let me
know what to send along, but as we cannot reproduce this error
ourselves, it is slightly difficult to get a 100% clean set of logs.

Thanks a lot.

Jason Rosenfeld
ja...@zimride.com

Steve Thorpe

Jan 26, 2010, 4:16:29 PM
to shibbole...@internet2.edu
Hi Jason,

/var/log/shibboleth/shibd.log on the SP side may possibly tell you
something.

I recently encountered a similar XMLTooling error message in the
browser, and couldn't find much by googling for the error message. In
shibd.log on the SP I also found messages like this:

2010-01-22 16:15:02 WARN OpenSAML.MessageDecoder.SAML2 [2]: no metadata found, can't establish identity of issuer (https://shib.someorg.com/idp/shibboleth)
2010-01-22 16:15:02 WARN Shibboleth.SSO.SAML2 [2]: no metadata found, can't establish identity of issuer (https://shib.someorg.com/idp/shibboleth)

The solution in my case was editing the DefaultRelying party in the
IdP's /etc/shibboleth-idp/relying-party.xml from the "new style" back to
the "old style" that's actually published in the InCommon metadata
entityId for this IdP:

Instead of:
<!-- DefaultRelyingParty
provider="https://shib.someorg.com/idp/shibboleth" -->

I needed to use this form in the relying-party.xml:
<DefaultRelyingParty provider="urn:mace:incommon:someorg.com"


That worked for me because the IdP in question's EntityID was published
using the previously recommended format instead of the new style.
Thanks to Duke University's Shilen Patel for cluing me in to that. In
your case you are probably using the new style so I am guessing it's not
the exact same problem. However, maybe this gives a clue as to an area
you might check.

Good luck with it,

Steve

--
Steve Thorpe
Systems Programmer/Analyst, MCNC
Email: tho...@mcnc.org
Office: 919-248-1161
Mobile: 919-724-9654
Skype/AIM: thorpe682

Connecting North Carolina's Future Today
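
The check described in the post above, as an added example (not part of the original thread and not Shibboleth project code): it pulls the issuer out of each "no metadata found" warning in shibd.log and looks it up among the entityIDs in a local copy of the federation metadata. The function names, the sample log excerpt and the sample metadata are constructed for illustration, and the same-domain candidate match is a heuristic.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
ISSUER_RE = re.compile(r"no metadata found, can't establish identity of issuer \(([^)]+)\)")

# Constructed shibd.log excerpt, using the warning format quoted in the post.
SAMPLE_LOG = """\
2010-01-22 16:15:02 WARN OpenSAML.MessageDecoder.SAML2 [2]: no metadata found, can't establish identity of issuer (https://shib.someorg.com/idp/shibboleth)
2010-01-22 16:15:02 WARN Shibboleth.SSO.SAML2 [2]: no metadata found, can't establish identity of issuer (https://shib.someorg.com/idp/shibboleth)
2010-01-22 16:15:09 INFO Shibboleth.SessionCache [3]: new session created
"""

# Constructed metadata: the IdP is published under the older URN-style entityID.
SAMPLE_METADATA = """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="urn:mace:incommon:someorg.com">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"/>
</EntitiesDescriptor>
"""

def unknown_issuers(log_text):
    """Count 'no metadata found' warnings per issuer entityID."""
    counts = {}
    for match in ISSUER_RE.finditer(log_text):
        counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts

def metadata_entity_ids(metadata_xml):
    """Collect every entityID in a trusted, local metadata document."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID") for e in root.iter(MD_NS + "EntityDescriptor") if e.get("entityID")}

def diagnose(log_text, metadata_xml):
    """For each unknown issuer, list metadata entityIDs sharing its domain (heuristic)."""
    known = metadata_entity_ids(metadata_xml)
    findings = []
    for issuer, count in sorted(unknown_issuers(log_text).items()):
        host = urlsplit(issuer).hostname or issuer.rsplit(":", 1)[-1]
        domain = ".".join(host.split(".")[-2:])  # crude "organisation domain" guess
        findings.append({"issuer": issuer, "warnings": count, "in_metadata": issuer in known,
                         "candidates": sorted(e for e in known if domain in e)})
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_METADATA):
        print(finding)
```

A non-empty `candidates` list alongside `in_metadata: False` points at the situation Steve describes: the IdP asserts one entityID while the federation metadata publishes another.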

Scott Cantor

Jan 26, 2010, 4:37:40 PM
to shibbole...@internet2.edu
Jason Rosenfeld wrote on 2010-01-26:
> I work for a new Shibboleth Service Provider called Zimride Inc. We are
> running a Debian Linux system and have installed a stable prepackaged
> build of Shibboleth SP 2.0.

2.0 is very out of date and unsupported. It includes many bugs, some
involving the use of non-ASCII characters in specific spots that result in
that error. Whether that's the cause in this case is debatable, but it's
moot. Errors of that complexity don't get looked at unless the version
running is supported.

Debian is not a supported platform, but there are packages in various states
that supply updated versions, though usually not 100% current or especially
timely, though that's more to do with the huge number of security fixes this
past year.

-- Scott


Kristof BAJNOK

Jan 27, 2010, 4:03:57 AM
to shibbole...@internet2.edu
On Tuesday 26 January 2010 22.37.40 Scott Cantor wrote:
> > I work for a new Shibboleth Service Provider called Zimride Inc. We
> > are running a Debian Linux system and have installed a stable
> > prepackaged build of Shibboleth SP 2.0.
>
> 2.0 is very out of date and unsupported.

Yes, you should use the backports.org version of the package (2.3 at the
moment). Sadly enough, even our metadata can not be loaded with 2.0.

Kristof

Jason Rosenfeld

Jan 28, 2010, 10:04:33 PM
to shibbole...@internet2.edu
Thanks a bunch to those that replied.

We upgraded from SP 2.0 to the backports.org version of 2.3 and that
fixed the problems we were seeing.

Jason
