OpenSAML user discussion

["Gitesh Malik" <>]

Title: Welcome to the list

Another interesting point is that the assertion XML does *not* have any ID attribute in the nodes either. So it seems that possibly the schema is working on loose ‘like based validation’.

Thanks,

<gitesh/>

---

From: Gitesh Malik [mailto:]
Sent: Tuesday, December 05, 2006 10:01 PM
To:
Subject: Getting Exception: There are multiple occurrences of ID value

 

Hi,

 

I am working with opensaml-1.0 library. I am running into SAXparserException while assertion is being validated.

 

The exception message that I get is - There are multiple occurrences of ID value 'a7364b9f925e388541dac072cca6ab74'.

 

The erroneous assertion xml is –

 

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2006-12-04T07:11:40.140Z" MajorVersion="1" MinorVersion="1" Recipient="LiveCycle" ResponseID="a7364b9f925e388541dac072cca6ab74"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:SignatureMethod>

<ds:Reference URI="#a7364b9f925e388541dac072cca6ab74">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default"></ec:InclusiveNamespaces></ds:Transform>

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>

<ds:DigestValue>+/wCQtFMHw5cfSgPHQyNDAmcpI4=</ds:DigestValue>

</ds:Reference>

</ds:SignedInfo>

<ds:SignatureValue>cA2XN1KgxuT7l4EN2vB/Oph7XGc=</ds:SignatureValue>

</ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="a7364b9f925e388541dac072cca6ab74" IssueInstant="2006-12-04T07:11:40.140Z" Issuer="LiveCycle" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2006-12-04T07:11:40.125Z" NotOnOrAfter="2006-12-04T07:16:40.125Z"></Conditions><AuthenticationStatement AuthenticationInstant="2006-12-04T07:11:40.125Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><NameIdentifier NameQualifier="DefaultDom">administrator</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response>

 

The exception raised over the assertion is –

 

ExceptionMessage:cvc-id.2: There are multiple occurrences of ID value 'a7364b9f925e388541dac072cca6ab74'. chainedException trace:org.xml.sax.SAXParseException: cvc-id.2: There are multiple occurrences of ID value 'a7364b9f925e388541dac072cca6ab74'.

            at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)

            at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)

            at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)

            at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)

            at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)

            at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)

            at org.apache.xerces.impl.xs.XMLSchemaValidator.processOneAttribute(Unknown Source)

            at org.apache.xerces.impl.xs.XMLSchemaValidator.processAttributes(Unknown Source)

            at org.apache.xerces.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source)

            at org.apache.xerces.impl.xs.XMLSchemaValidator.startElement(Unknown Source)

            at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)

            at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)

            at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)

            at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)

            at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)

            at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)

            at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)

            at org.opensaml.XML$ParserPool.parse(Unknown Source)

 

 

Now the ids in response assertion xml are automatically generated by the openSAML code. The ids are not passed from outside as params.

 

The following call to SAML library in the code creates the AssertionID within itself.

 

SAMLAssertion assertion = new SAMLAssertion(issuer, start, end, null, null, statements);

 

And ditto for Response xml.

 

This call takes in AssertionID in assertion xml but generates ResponseID on its own.

 

SAMLResponse  sResp =  new SAMLResponse(null, recipient, Arrays.asList(assertions), null);

 

Now in a normal run the 2 ids appear to be different as found out from debug session on my setup. However on some occasion the ids are set as same and it is at that time that this exception ensues. Also there seems to be no external way of setting up/configuring that saml library that might take care of this.

 

Any inputs/pointers on the same will be greatly appreciated.

 

Thanks,

 

<gitesh/>

---

---

From: [mailto:]
Sent: Tuesday, December 05, 2006 5:57 PM
To: Gitesh Malik
Subject: Welcome to the list mace-opensaml-users

 

Welcome to list .
Your subscription email is . Note that you will
need to post to the list from this email address.

List Description : 

List is for discussion among openSAML deployers and

programmers using openSAML

---

For further information and to modify your list preferences: https://mail.internet2.edu/wws/info/mace-opensaml-users