
mace-opensaml-users - Re: [OpenSAML] Problem Validating an Assertion

Subject: OpenSAML user discussion

  • From: Suneet Shah <>
  • To:
  • Subject: Re: [OpenSAML] Problem Validating an Assertion
  • Date: Mon, 01 Mar 2010 11:55:45 -0500

Hello:

Thanks for the feedback. I am a bit uncertain as to what is causing the parsing error. I have pasted below:

- Response from the operation that gives me the assertion
- Request that is sent to the service that will validate the assertion.
- Exception that is generated.

Any guidance would be appreciated.

Thanks

Response for the operation that returns the SAML assertion

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns1:passwordAuthResponse xmlns:ns1="http://service.auth.srvc.idm.openiam.org/">
<return xmlns:ns2="urn:idm.openiam.org/srvc/role/dto" xmlns:ns3="urn:idm.openiam.org/srvc/grp/dto">
<readOnly>false</readOnly>
<expirationTime>0</expirationTime>
<resultCode>1</resultCode>
<daysToPwdExp>0</daysToPwdExp>
<domainId>USR_SEC_DOMAIN</domainId>
<ssoToken>
<token><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="dac76315c815492a9a55afbecac647ec" IssueInstant="2010-03-01T16:44:29.701Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>openiam</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="openiam">snelson</saml2:NameID></saml2:Subject><saml2:Conditions NotBefore="2010-03-01T16:44:29.701Z" NotOnOrAfter="2010-03-01T17:14:30.283Z"/><saml2:AuthnStatement AuthnInstant="2010-03-01T16:44:29.701Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>]]></token>
<maxIdleTime>0</maxIdleTime>
<expirationTime>2010-03-01T12:14:30.283-05:00</expirationTime>
</ssoToken>



Request that is sent to the validation operation

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.auth.srvc.idm.openiam.org/">
<soapenv:Header/>
<soapenv:Body>
<ser:validateToken>
<principal>snelson</principal>
<token><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="dac76315c815492a9a55afbecac647ec" IssueInstant="2010-03-01T16:44:29.701Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>openiam</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="openiam">snelson</saml2:NameID></saml2:Subject><saml2:Conditions NotBefore="2010-03-01T16:44:29.701Z" NotOnOrAfter="2010-03-01T17:14:30.283Z"/><saml2:AuthnStatement AuthnInstant="2010-03-01T16:44:29.701Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>]]></token>
<tokenType>SAML2_TOKEN</tokenType>
</ser:validateToken>
</soapenv:Body>
</soapenv:Envelope>

Exception:

SEVERE: XML Parsing Error
org.xml.sax.SAXParseException: Content is not allowed in prolog.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source)
at org.apache.xerces.impl.XMLDocumentScannerImpl$PrologDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:637)
at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:231)


Brent Putman wrote:


On 3/1/2010 1:07 AM, Sidhartha Priye wrote:
Suneet,

I may be wrong but this does not look right to me

<saml2:NameID Format="NameIdentifierType" NameQualifier="openiam">3006</saml2:NameID>

I am not sure if NameID Format can be any string. The experts here can speak to it. I know there are well defined formats you can choose from. For e.g.



Yes, that value is illegal - the NameID Format is defined in the schema as an xs:anyURI and the SAML spec further states that it is required to be an absolute URI (rather than relative). However, OpenSAML just uses a String to represent most/all xs:anyURI's (mostly for the sake of simplicity of API), and it would be "accepted" by OpenSAML when unmarshalling the SAML structure. This is definitely not causing the original poster's error, as I mentioned in my earlier note, it's a more general XML parsing issue.

--Brent
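
An added example, not part of the original thread and not OpenSAML code: because, as the reply above says, OpenSAML accepts any string as a NameID Format when unmarshalling, a relying party can check that the value is an absolute URI itself; the same pre-check lists what sits before the first '<' of a token string, which is where a "Content is not allowed in prolog" error comes from. It uses only JDK classes; the class and method names are hypothetical, the sample token is constructed, and the thread does not say what actually preceded the poster's XML.

```java
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class AssertionPrecheck {  // hypothetical name, not an OpenSAML class
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Code points before the first '<'. Anything but whitespace there is character
    // content in the prolog, which an XML parser rejects.
    static String beforeFirstTag(String token) {
        int end = token.indexOf('<') < 0 ? token.length() : token.indexOf('<');
        StringBuilder sb = new StringBuilder();
        token.substring(0, end).codePoints().forEach(cp -> sb.append(String.format("U+%04X ", cp)));
        return sb.toString().trim();
    }

    // True only if every NameID Format attribute present parses as an absolute URI.
    static boolean nameIdFormatsAbsolute(Document doc) {
        NodeList ids = doc.getElementsByTagNameNS(SAML2_NS, "NameID");
        for (int i = 0; i < ids.getLength(); i++) {
            Element e = (Element) ids.item(i);
            if (!e.hasAttribute("Format")) continue;
            try {
                if (!new URI(e.getAttribute("Format")).isAbsolute()) return false;
            } catch (URISyntaxException ex) { return false; }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the NameID Format value from the quoted reply; a stray
        // U+FEFF is prepended below only to show what the pre-check reports.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\"><saml2:Subject>"
            + "<saml2:NameID Format=\"NameIdentifierType\">3006</saml2:NameID>"
            + "</saml2:Subject></saml2:Assertion>";
        System.out.println("before first '<': [" + beforeFirstTag("\uFEFF" + xml) + "]");
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // required for the namespace-based NameID lookup
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        System.out.println("NameID Format absolute: " + nameIdFormatsAbsolute(doc));
    }
}
```

A token that reports anything before its first '<' is better rejected than silently trimmed, since the validator would otherwise be parsing something other than what the sender transmitted.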



