[cas-dev] CAS 3.1-M1 SAMLException
Marvin Addison
serac at vt.edu
Wed Feb 7 15:01:37 EST 2007
Scott,
I have done several successful authentication/service redirects, as well
as several unsuccessful ones that all fail in the same way. The only
difference I can tell is that SAMLArt parameters containing + characters
are problematic. Some test data:
Failed:
AAKfDN+4yGR0XRm6jY+dz7ViPUhA+Gh0dHBzOi8vbG9jYWxob3N0Ojg0NDM=
AAKNJ4yC+bx4mM/lz55ECTRwUVIdpGh0dHBzOi8vbG9jYWxob3N0Ojg0NDM=
AAIYG64MrQ2+793pMM8J0sRjXf6uG2h0dHBzOi8vbG9jYWxob3N0Ojg0NDM=
AALM4n7XSKMpsEsEKaC+7xV4AKDDAmh0dHBzOi8vbG9jYWxob3N0Ojg0NDM=
Succeeded:
AAJcOIMpspJO9SYVyAHXNMgiud2il2h0dHBzOi8vbG9jYWxob3N0Ojg0NDM=
AALmOgt59Gyf88dI1LX09eYvxaKyl2h0dHBzOi8vbG9jYWxob3N0Ojg0NDM=
AAKbL8ZXLHjAn7jhsV1y/2CtVerHTmh0dHBzOi8vbG9jYWxob3N0Ojg0NDM=
AAJOOhedOCWgWVcgk5LfsQKVwFAgE2h0dHBzOi8vbG9jYWxob3N0Ojg0NDM=
The tests above represent 8 straight runs, so 50% failure. In all
failure cases, the + characters become spaces when Saml10TicketValidator
parses the InResponseTo attribute of the SAML Response element at the
client. The SAXParserException in particular is thrown due to schema
validation errors since InResponseTo is an NCName, which can't contain
spaces:
The xsd:NCName simple type is used in SAML to reference identifiers of
type xsd:ID
Any ideas what's going on here?
Thanks,
Marvin
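
Added example, not part of the original message or of the CAS code: the symptom reported above matches what happens when a base64 artifact is placed in a query string without percent-encoding, because form-style parameter decoding turns `+` into a space. The service URL and function names are assumptions; the two artifacts are copied from the test data above, and Python's `parse_qs` stands in for the receiving side's parameter parser.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote, urlsplit

# Artifact values copied from the message above (one failed, one succeeded).
FAILED = "AAKfDN+4yGR0XRm6jY+dz7ViPUhA+Gh0dHBzOi8vbG9jYWxob3N0Ojg0NDM="
SUCCEEDED = "AAJcOIMpspJO9SYVyAHXNMgiud2il2h0dHBzOi8vbG9jYWxob3N0Ojg0NDM="

# Hypothetical service URL, constructed for this example.
SERVICE = "https://localhost:8443/app"


def redirect_url(artifact, encode):
    """Build the redirect carrying the artifact, with or without percent-encoding."""
    value = quote(artifact, safe="") if encode else artifact
    return f"{SERVICE}?SAMLart={value}"


def received_artifact(url):
    """Return the SAMLart value as a form-decoding parameter parser delivers it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["SAMLart"][0]


def is_intact(value):
    """True if the value is still strict base64 (no whitespace or stray characters)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False


if __name__ == "__main__":
    for label, artifact in (("failed", FAILED), ("succeeded", SUCCEEDED)):
        for encode in (False, True):
            got = received_artifact(redirect_url(artifact, encode))
            print(f"{label:9} encode={encode!s:5} intact={is_intact(got)} value={got!r}")
```

A receiver can use a check like `is_intact` to reject a mangled artifact before it is copied into an XML attribute, so the failure shows up at the parameter boundary rather than as a schema validation error.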