Shibboleth IdP and Novell Access Manager


Bart Ophelders

Nov 28, 2011, 5:03:56 AM
to us...@shibboleth.net

Hello,

We are trying to set up a test environment where we want to connect our Shibboleth IdP to the Novell Access Manager Identity Server (configured as a Service Provider).

According to the documentation on http://www.novell.com/communities/node/6943/integrating-novells-access-manager-shibboleths-idp-server it should be possible?

The problem occurs when the Novell Identity Server sends the authentication request to our IdP. It responds with “Error decoding authentication request message”.

The SAML Authentication request is as follows:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
    Destination="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"
    ForceAuthn="false" ID="idX32Qk7WH2TJ4moRICxU50pRwMwY" IsPassive="false"
    IssueInstant="2011-11-25T09:16:06Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0">
  <saml:Issuer>https://sp.example.com:8443/nidp/saml2/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#idX32Qk7WH2TJ4moRICxU50pRwMwY">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">ibYa0NxkDvOTTsH27aqjYIkT4cE=</DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">
fMnmxWdwldCfTAZRxVVZ5O9jYYymFvMlizOhTc3COQy6MFSPrOzYHR+LH4MpHmRCIxkXbMYR
fMnmxWdwldCfTAZRxVVZ5O9jYYymFvMlizOhTc3COQy6MFSPrOzYHR+k8wb
JkLw7qwTk5Alcoiatlyi/9f2IihxWdKcV1lMTeACK+crJ66HSCv9Q4bnCfpA3PkPWx3SRtT9QNrN
M74X96nH9rnZD3eVSJpr3nxEv7JH4oEwG1GlK59AjP5gyUsrcoMQNTjLyUo3zp7iIpN4c/78HF68
4MYMZRv4JhcbMU0O8vtNG9zKrSiCD2h3WdiTqa5B71mehehppURB0ireARaPMXRO7wzImUpQOhsw
dcDpFl3S3+uMiVq0Y9D1kg1T89yoDM3mOJLZaw==
    </SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIFFzCCA/+gAwIBAgIkAhwR/6UpNm9pDtA+9feHGMmx/XRasrfbFjieU0wTAgIEQxODMA0GCSqG
SIb3DQEBBQUAMDYxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENBMRgwFgYDVQQKFA9pc21fYW1f
iMAesTP7hObcH6K/wFcEVWFOaXhQ3tfroln3FwtNkb76HgPXiW+z+ZsNwXLWTCPxxTT1onBS9D6S
NpDtYrC2fZHSccSbjIiCT+0xxSCeujI+njbCt5Yg5ohDdL3pWNGR4RCcoZwZIj4l25xsAjc=
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>


And the idp-process log file contains:

10:16:03.729 - INFO [Shibboleth-Access:74] -   -  20111125T091603Z| |idp.example.com:443|/profile/SAML2/Redirect/SSO|
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] -   -  shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] -   -  shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:323] -   -  LoginContext key cookie was not present in request
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:160] -   -  Incoming request does not contain a login context, processing as first leg of request
10:16:03.730 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:312] -   -  Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
10:16:03.731 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:76] -   -  Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
10:16:03.734 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:90] -   -  Decoded RelayState: MA==
10:16:03.734 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:127] -   -  Base64 decoding and inflating SAML message
10:16:03.735 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:183] -   -  Parsing message stream into DOM document
10:16:03.736 - ERROR [org.opensaml.ws.message.decoder.BaseMessageDecoder:208] -   -  Encountered error parsing message into its DOM representation
org.opensaml.xml.parse.XMLParserException: Unable to read XML from input stream
        at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:221) ~[xmltooling-1.3.3.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDecoder.java:186) [openws-1.4.3.jar:na]
        at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:102) [opensaml-2.5.2.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) [openws-1.4.3.jar:na]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) [opensaml-2.5.2.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:332) [shibboleth-identityprovider-2.3.4.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:190) [shibboleth-identityprovider-2.3.4.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:161) [shibboleth-identityprovider-2.3.4.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:88) [shibboleth-identityprovider-2.3.4.jar:na]
        at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:84) [shibboleth-common-1.3.4.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [tomcat6-servlet-2.5-api-6.0.29.jar:na]
        …
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) [tomcat-coyote-6.0.29.jar:6.0.29]
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-coyote-6.0.29.jar:6.0.29]
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) [tomcat-coyote-6.0.29.jar:6.0.29]
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote-6.0.29.jar:6.0.29]
        at java.lang.Thread.run(Thread.java:636) [na:1.6.0_17]
Caused by: java.util.zip.ZipException: invalid code lengths set
        at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:164) ~[na:1.6.0_17]
        at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:122) ~[na:1.6.0_17]
        at org.apache.xerces.impl.XMLEntityManager$RewindableInputStream.read(Unknown Source) ~[na:na]
        at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source) ~[na:na]
        at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source) ~[na:na]
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[na:na]
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[na:na]
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[na:na]
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) ~[na:na]
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) ~[na:na]
        at javax.xml.parsers.DocumentBuilder.parse(Unknown Source) ~[na:1.3.04]
        at org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:672) ~[xmltooling-1.3.3.jar:na]
        at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:216) ~[xmltooling-1.3.3.jar:na]
        ... 38 common frames omitted
10:16:03.739 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:344] -   -  Error decoding authentication request message
org.opensaml.ws.message.decoder.MessageDecodingException: Encountered error parsing message into its DOM representation
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDecoder.java:209) ~[openws-1.4.3.jar:na]
        at org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:102) ~[opensaml-2.5.2.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) ~[openws-1.4.3.jar:na]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.5.2.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.decodeRequest(SSOProfileHandler.java:332) [shibboleth-identityprovider-2.3.4.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.performAuthentication(SSOProfileHandler.java:190) [shibboleth-identityprovider-2.3.4.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:161) [shibboleth-identityprovider-2.3.4.jar:na]
        at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:88) [shibboleth-identityprovider-2.3.4.jar:na]
        at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:84) [shibboleth-common-1.3.4.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [tomcat6-servlet-2.5-api-6.0.29.jar:na]
        …
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) [tomcat-coyote-6.0.29.jar:6.0.29]
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) [tomcat-coyote-6.0.29.jar:6.0.29]
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) [tomcat-coyote-6.0.29.jar:6.0.29]
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote-6.0.29.jar:6.0.29]
        at java.lang.Thread.run(Thread.java:636) [na:1.6.0_17]
Caused by: org.opensaml.xml.parse.XMLParserException: Unable to read XML from input stream
        at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:221) ~[xmltooling-1.3.3.jar:na]
        at org.opensaml.ws.message.decoder.BaseMessageDecoder.unmarshallMessage(BaseMessageDecoder.java:186) ~[openws-1.4.3.jar:na]
        ... 37 common frames omitted
Caused by: java.util.zip.ZipException: invalid code lengths set
        at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:164) ~[na:1.6.0_17]
        at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:122) ~[na:1.6.0_17]
        at org.apache.xerces.impl.XMLEntityManager$RewindableInputStream.read(Unknown Source) ~[na:na]
        at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source) ~[na:na]
        at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source) ~[na:na]
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[na:na]
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[na:na]
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[na:na]
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) ~[na:na]
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) ~[na:na]
        at javax.xml.parsers.DocumentBuilder.parse(Unknown Source) ~[na:1.3.04]
        at org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:672) ~[xmltooling-1.3.3.jar:na]
        at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:216) ~[xmltooling-1.3.3.jar:na]
        ... 38 common frames omitted


Maybe this does ring a bell for someone?

Does the authentication request look wrong in any way?

Any thoughts or pointers are very much welcome!

Kind regards,

Bart


Chad La Joie

Nov 28, 2011, 6:13:38 AM
to Shib Users
Redirect messages are constructed by the operation
base64encode(deflate(saml_message)) and then reversed,
inflate(base64decode(redirect_message)), when it gets to the IdP. The
error message states that that process is failing. So either the
deflating or the encoding must have been done improperly.

How did you get the XML you posted?

On Mon, Nov 28, 2011 at 05:03, Bart Ophelders
<Bart.Op...@icts.kuleuven.be> wrote:
> We are trying to set up a test environment where we want to connect our
> Shibboleth IdP to the Novell Access Manager Identity Server (configured as a
> Service Provider).
>
> According to the documentation on
> http://www.novell.com/communities/node/6943/integrating-novells-access-manager-shibboleths-idp-server
> it should be possible?
>
> The problem occurs when the Novell Identity Server sends the authentication
> request to our IdP. It responds with “Error decoding authentication request
> message”

--
Chad La Joie
www.itumi.biz
trusted identities, delivered
--
To unsubscribe from this list send an email to users-un...@shibboleth.net

Bart Ophelders

Nov 28, 2011, 8:34:40 AM
to Shib Users
Hi Chad,

Thanks for the answer!
I captured the headers and base64 decoded the SAMLRequest...

Bart

Chad La Joie

Nov 28, 2011, 8:48:57 AM
to Shib Users
Okay. So it seems like there are two possibilities:

- Whatever you used to inflate/decode the message is more tolerant
than something in the libraries we use.
- Something in the XML is causing Xerces to do something different
with the input stream than we've seen with any other message.

The first seems more likely to me. You can test it by writing a bit
of code using the org.opensaml.xml.util.Base64 to do the decode and
then the java.util.zip.InflaterInputStream to do the inflating and
seeing what happens.

On Mon, Nov 28, 2011 at 08:34, Bart Ophelders
<Bart.Op...@icts.kuleuven.be> wrote:
> Hi Chad,
>
> Thanks for the answer!
> I captured  the headers and base64 decoded  the SAMLRequest...

--

Cantor, Scott

Nov 28, 2011, 9:33:55 AM
to us...@shibboleth.net
On 11/28/11 8:34 AM, "Bart Ophelders" <Bart.Op...@icts.kuleuven.be>
wrote:

>Thanks for the answer!
>I captured the headers and base64 decoded the SAMLRequest...

What headers? If the message is a Redirect, the request is in the URL. It
can't be base64-decoded unless you inflate it. If it's a POST, the message
is in the form field.

If neither, then you have an invalid request. Perhaps you're sending a
POST to a Redirect endpoint or vice versa.

-- Scott
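Chad's encode/decode recipe and Scott's binding mismatch, as an added example that is not part of the thread. Chad proposed doing this in Java with org.opensaml.xml.util.Base64 and java.util.zip.InflaterInputStream; this version uses Python's zlib with raw-deflate wbits instead. The AuthnRequest string, the function names and the RelayState value are constructed for the demo; only the binding rules (Redirect = deflate + base64 in the URL, POST = base64 in the form field) come from the thread.

```python
import base64
import zlib
from urllib.parse import urlencode

# Constructed minimal AuthnRequest for this demo; it is not the request from the thread.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example-id" Version="2.0" IssueInstant="2011-11-28T10:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com:8443/nidp/saml2/metadata</saml:Issuer></samlp:AuthnRequest>'
)

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")

def encode_post(xml: str) -> str:
    """HTTP-POST binding: base64 of the XML bytes, no compression at all."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

def redirect_query_string(xml: str, relay_state: str = "0") -> str:
    """Query string the SP appends to the IdP's .../SAML2/Redirect/SSO URL."""
    return urlencode({"SAMLRequest": encode_redirect(xml), "RelayState": relay_state})

def decode_redirect(value: str) -> str:
    """What the IdP's HTTPRedirectDeflateDecoder does: base64-decode, then inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def redirect_decoder_accepts(value: str) -> bool:
    """True if the Redirect decoder can inflate the value, False on the thread's failure."""
    try:
        return bool(decode_redirect(value))
    except (zlib.error, ValueError):  # ValueError covers bad base64 and bad UTF-8
        return False

def classify_saml_request(value: str) -> str:
    """'redirect' if it inflates to XML, 'post' if it is plain base64 XML, else 'invalid'.
    A POST-encoded value delivered to the Redirect endpoint is the mismatch in the thread."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return "invalid"
    try:
        if zlib.decompress(raw, -15).lstrip().startswith(b"<"):
            return "redirect"
    except zlib.error:
        pass
    return "post" if raw.lstrip().startswith(b"<") else "invalid"
```

Feeding encode_post(...) output to decode_redirect reproduces the failure class from the log: the inflater reads the leading '<' of the XML as a dynamic-Huffman block header and rejects the code-length table, which is what java.util.zip reports as "invalid code lengths set".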

Bart Ophelders

Dec 1, 2011, 5:37:14 AM
to Shib Users
> If neither, then you have an invalid request. Perhaps you're sending a POST
> to a Redirect endpoint or vice versa.

That was the problem.
The SAMLRequest was posted to the Redirect endpoint.
Thanks for your help!

Bart

-----Original Message-----
From: users-...@shibboleth.net [mailto:users-...@shibboleth.net] On
Behalf Of Cantor, Scott
Sent: Monday 28 November 2011 15:34
To: us...@shibboleth.net
Subject: Re: Shibboleth IdP and Novell Access Manager
