Invalid char value


Akozimany

Sep 13, 2021, 4:45:27 PM
to SimpleSAMLphp
I need help to identify a solution for the below error with simpleSAML for a metrics application called xdmod.

SimpleSAML_Error: UNHANDLEDEXCEPTION

Backtrace
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SAML2\Exception\UnparseableXmlException: Unable to parse XML - "FATAL[9]": "PCDATA invalid char value 1" 
in "(string)" at line 9 on column 12694"
Backtrace:
3 /usr/share/xdmod/vendor/simplesamlphp/saml2/src/SAML2/DOMDocumentFactory.php:45 (SAML2\DOMDocumentFactory::fromString)
2 /usr/share/xdmod/vendor/simplesamlphp/saml2/src/SAML2/HTTPPost.php:73 (SAML2\HTTPPost::receive)
1 modules/saml/www/sp/saml2-acs.php:31 (require)
0 www/module.php:135 (N/A)

Regards
Ak

Tim van Dijen

Sep 14, 2021, 7:39:17 AM
to SimpleSAMLphp
Hi Akozimany!

It seems you have configured Xdmod / SimpleSAMLphp correctly, but the identity provider you're authenticating against is delivering something to the 'saml2-acs.php' endpoint that is not valid XML.
The easiest thing to do here is to install the SAMLtracer plugin for Firefox/Chrome and see what the IDP is actually delivering to this endpoint.. You can also export the trace and share it with us.

P.S.: from the traceback in your message I can tell you are running a seemingly really old version of SimpleSAMLphp (I'm guessing v1.16?)..
Lots has changed over the years, so I'd strongly advise to use the latest version! Perhaps this issue has already been fixed years ago.

- Tim
On Monday, 13 September 2021 at 22:45:27 UTC+2, Akozimany wrote:

Akozimany

Sep 14, 2021, 8:30:22 AM
to SimpleSAMLphp
Thank you so much Tim. I think that explains a lot.
Will proceed to upgrade the version and see, but prior to that, I will install the SAMLtracer plugin on the browser and see what the IDP is actually delivering.

Ak

Akozimany

Sep 14, 2021, 10:13:51 AM
to SimpleSAMLphp
Tim,

Is the Active Directory Federation Service (ADFS) supposed to be enabled on the IDP (AD server)?

Thanks,
Ak

Peter Schober

Sep 14, 2021, 10:46:17 AM
to SimpleSAMLphp
* Akozimany <ako...@gmail.com> [2021-09-14 16:13]:
> Is the Active Directory Federation Service (ADFS) supposed to be
> enabled on the IDP (AD server) ?

MS-AD is not a SAML 2.0 IDP. With additional software MS-ADFS can act
as a SAML 2.0 IDP, though, AFAIK.

So if you wanted to use it as a SAML 2.0 IDP you'd have to activate the
SAML 2.0 IDP features, I suppose.

But how would your SimpleSAMLphp even receive any kind of request
(illegal or otherwise) from a non-SAML-enabled MS-AD system?
So I'm not sure the above is actually your problem.

-peter

Tim van Dijen

Sep 14, 2021, 12:11:23 PM
to SimpleSAMLphp
Yes, without it it's not an IDP (merely a domain controller)..
But since you're receiving a response, I expect it to be already installed.

Happy to see your SAMLtrace.. Maybe we can figure out what the problem is..

- Tim

On Tuesday, 14 September 2021 at 16:13:51 UTC+2, Akozimany wrote:

Akozimany

Sep 14, 2021, 5:44:58 PM
to SimpleSAMLphp
Thanks for all the feedback. Will have to type my SAML trace by hand.
Please bear in mind that "server.example.com" is a placeholder for the actual server. This is the expansion of the last POST message prior to failure with the original error.
Not sure what to think of it, but it was green.


HTTP

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0)  Gecko/20100101 FireFox/78.0
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*; q=0.8
Accept-Language: en-US, en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 512
Cookie: language=en; PHPSESSID=2b...........bs3; xdmod_token=public-1631........478; SimpleSAML=c8a8..........7a1; SimpleSAMLAuthToken=_421............9037
Upgrade-Insecure-Requests: 1

HTTP/1.1  200  OK
Date: Tue, 14 Sep 2021 21:11:46 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips  PHP/5.4.16
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: PHP/5.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-chec=0, pre-check=0
Pragma:  no-cache
Set-Cookie: SimpleSAML=c8a8........7a1; path=/; Httponly
SimpleSAMLAuthToken=_309e...........7214; path=/; httponly
Keep-Alive: timeout=5; max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; Charset=UTF-8

Your thoughts.
Ak


Peter Schober

Sep 14, 2021, 5:50:43 PM
to SimpleSAMLphp
* Akozimany <ako...@gmail.com> [2021-09-14 23:45]:
> Thanks for all the feed back. Will have to type my SAML trace by
> hand.

I don't understand what that means ("type my SAML trace by hand") but
the point of the exercise was not to look at some random selection of
HTTP Request and Response Headers but to look at the SAML protocol
message in there, specifically the SAML Assertion within the SAML
Response.
SAML-tracer makes those obvious by highlighting relevant lines with an
orange "saml" icon and also decodes the SAML so it's fully and easily
legible right in your browser.

Of course you don't have to use those features or post anything here
at all. You could look at it yourself. It's only when you can't make
sense of it (and you don't have anyone else to help you) that the very
small open source community here offers to take a look at your stuff in
order to help you fix your problem.
To the extent that that doesn't happen there's not much else we could do.

-peter

Akozimany

Sep 14, 2021, 6:17:47 PM
to SimpleSAMLphp
I see what you mean now. Still can't make much of it yet, so I will share:

SAML

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_0794...............................................................33f6"
                    Version="2.0"
                    IssueInstant="2021-09-14T21:58:51Z"
                    Destination="https://server.example.com/simplesaml/saml2/idp/SSOService.php"
                    AssertionConsumerServiceURL="https://server.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/xdmod-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>

Your thoughts.
Ak

Peter Schober

Sep 14, 2021, 6:34:42 PM
to SimpleSAMLphp
* Akozimany <ako...@gmail.com> [2021-09-15 00:17]:
> I see what you mean now. Still can't make much of it yet, so I will share:

You need to find and look at the SAML *Response*, not the SAML (Authn)*Request*.

-peter

Akozimany

Sep 15, 2021, 11:10:49 AM
to SimpleSAMLphp
Good day Peter,

I think that may be my issue and not sure what to verify. I do not see a SAML response in the SAML-tracer.
Any ideas?

Regards,
Ak

Peter Schober

Sep 15, 2021, 12:00:06 PM
to SimpleSAMLphp
* Akozimany <ako...@gmail.com> [2021-09-15 17:10]:
> I think that may be my issue and not sure what to verify. I do not a SAML
> response in the SAML-tracer.

Well, whatever it is, something did an HTTP POST to your SAML SP's
Assertion Consumer Service URL, if I'm reading the backtrace from your
exception right.
So that POST's content is what you're after.

-peter
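The check Peter is pointing at, pulling the SAMLResponse field out of the POST to the ACS URL, base64-decoding it and finding exactly which character the XML parser chokes on, written out as an added Python example. This is not code from the thread, from SimpleSAMLphp or from XDMoD; the sample Response, the issuer, the IDs and the RelayState are constructed placeholders, and the U+0001 is planted on purpose to reproduce the class of failure ("PCDATA invalid char value 1") from the first message.

```python
"""Diagnose a SAML HTTP-POST binding message for characters that XML 1.0 forbids.

Added example (not from the thread, SimpleSAMLphp or XDMoD). All sample data is constructed.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode


def is_xml_char(cp: int) -> bool:
    """XML 1.0 'Char' production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]."""
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)


def find_illegal_xml_chars(xml_text: str) -> list:
    """Return (line, column, codepoint) for every forbidden character, 1-based like libxml's report."""
    hits = []
    for line_no, line in enumerate(xml_text.split("\n"), start=1):
        for col_no, ch in enumerate(line, start=1):
            if not is_xml_char(ord(ch)):
                hits.append((line_no, col_no, ord(ch)))
    return hits


def decode_acs_post(body: str) -> dict:
    """Split an application/x-www-form-urlencoded ACS POST body and base64-decode SAMLResponse.

    The HTTP-POST binding carries plain base64 of the XML (no DEFLATE; DEFLATE is HTTP-Redirect only).
    """
    fields = parse_qs(body, keep_blank_values=True)
    b64 = fields.get("SAMLResponse", [None])[0]
    return {
        "relay_state": fields.get("RelayState", [None])[0],
        "xml": base64.b64decode(b64).decode("utf-8") if b64 else None,
    }


def parse_error(xml_text: str):
    """Return the parser's error text, or None when the document is well-formed.

    Diagnostic use on a captured message only: an application parsing untrusted SAML
    should use a hardened parser (e.g. defusedxml) rather than bare ElementTree.
    """
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return str(exc)
    return None


def diagnose(body: str) -> dict:
    """Full check of one ACS POST body: decode, try to parse, and pinpoint any forbidden characters."""
    msg = decode_acs_post(body)
    xml_text = msg["xml"]
    return {
        "relay_state": msg["relay_state"],
        "parse_error": parse_error(xml_text) if xml_text is not None else "no SAMLResponse field",
        "illegal_chars": find_illegal_xml_chars(xml_text) if xml_text is not None else [],
    }


def make_acs_body(xml_text: str, relay_state: str) -> str:
    """Build a form-urlencoded body the way an IdP's auto-submit form would (used here to construct samples)."""
    return urlencode({
        "SAMLResponse": base64.b64encode(xml_text.encode("utf-8")).decode("ascii"),
        "RelayState": relay_state,
    })


# Constructed sample Response; IDs, issuer and destination are placeholders, not real values.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-id" Version="2.0" IssueInstant="2021-09-14T21:11:46Z"
    Destination="https://server.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/xdmod-sp">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion-id" Version="2.0" IssueInstant="2021-09-14T21:11:46Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Ak Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# Failure case: a raw U+0001 planted inside the attribute value on line 9. XML 1.0 forbids it,
# which is the same class of defect as "PCDATA invalid char value 1" in the original report.
BAD_RESPONSE = GOOD_RESPONSE.replace("Ak Example", "Ak\x01Example")

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        report = diagnose(make_acs_body(xml_text, "constructed-relay-state"))
        print(label, report["parse_error"], report["illegal_chars"])
```

To use it on a real capture, pass the raw body of the POST to `saml2-acs.php` (SAML-tracer shows the form fields; the body is `SAMLResponse=...&RelayState=...`) to `diagnose()`. The `illegal_chars` list gives the line, column and codepoint, which is what "line 9 on column 12694" and "char value 1" in the original exception are reporting. If the offending character sits inside an AttributeValue, the defect is in the attribute data the IdP is releasing, not in the SP; SimpleSAMLphp refusing to parse the message is the correct fail-closed behaviour, so the fix belongs at the IdP or at the attribute source.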

Akozimany

Sep 15, 2021, 2:43:54 PM
to SimpleSAMLphp
That was the only POST trace that I posted initially. See below:

Akozimany
Sep 14, 2021, 5:44:58 PM
to SimpleSAMLphp
Thanks for all the feedback. Will have to type my SAML trace by hand.

Peter Schober

Sep 15, 2021, 6:04:33 PM
to SimpleSAMLphp
* Akozimany <ako...@gmail.com> [2021-09-15 20:44]:
> That was the only POST trace that I posted initially. See below:
>
> POST https://server.example.com/simplesaml/module.php/core/loginuserpass.php

It may have been the only HTTP POST you managed to capture but that
does *not* match your original error report which was about an HTTP
POST to the SP's Assertion Consumer Service URL, as I keep repeating:

* Akozimany <ako...@gmail.com> [2021-09-13 22:45]:
> Backtrace
> 1 www/_include.php:17 (SimpleSAML_exception_handler)
> 0 [builtin] (N/A)
> Caused by: SAML2\Exception\UnparseableXmlException: Unable to parse XML -
> "FATAL[9]": "PCDATA invalid char value 1"
> in "(string)" at line 9 on column 12694"
> Backtrace:
> 3
> /usr/share/xdmod/vendor/simplesamlphp/saml2/src/SAML2/DOMDocumentFactory.php:45
> (SAML2\DOMDocumentFactory::fromString)
> 2 /usr/share/xdmod/vendor/simplesamlphp/saml2/src/SAML2/HTTPPost.php:73
> (SAML2\HTTPPost::receive)
> 1 modules/saml/www/sp/saml2-acs.php:31 (require)
> 0 www/module.php:135 (N/A)

Note modules/saml/www/sp/saml2-acs.php and SAML2\HTTPPost::receive.
But of course I may be misreading that.

Either way, the developers can confirm.

-peter.