
IDS can't parse SAML request because of incompatible character


Hello everyone!

In this case I configured the IDS as an IdP to handle SAML2 requests from
an app (a Workday system).
The log shows that the IDS could not parse the request string, so it
failed to handle the request.
--------------------- Error message ---------------------

<amLogEntry> 2013-09-12T10:07:03Z DEBUG NIDS Application:
Method: NIDPProxyableServlet.myDoGetWithProxy
Thread: http-10.135.7.82-8443-Processor13
****** HttpServletRequest Information:
Method: POST
Scheme: https
Context Path: /nidp
Servlet Path: /saml2
Query String: null
Path Info: /sso
Server Name: testids.haier.net
Server Port: 8443
Content Length: 2744
Content Type: application/x-www-form-urlencoded
Auth Type: null
Request URL: https://testids.haier.net:8443/nidp/saml2/sso
Host IP Address: 10.135.7.82
Remote Client IP Address: 192.168.110.150
Cookie: (0 of 2): JSESSIONID, D5064E579C7379C183DED2EA5CF34E8F
Cookie: (1 of 2): cid, fwAAAVIwLukaA71RA+imAg
Header: Name: accept, Value: image/jpeg, application/x-ms-application,
image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Header: Name: referer, Value:
https://wd5-impl.workday.com/haier1/fx/home.flex
Header: Name: accept-language, Value: zh-CN
Header: Name: user-agent, Value: Mozilla/4.0 (compatible; MSIE 8.0;
Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR
3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Header: Name: content-type, Value: application/x-www-form-urlencoded
Header: Name: accept-encoding, Value: gzip, deflate
Header: Name: host, Value: testids.haier.net:8443
Header: Name: content-length, Value: 2744
Header: Name: connection, Value: Keep-Alive
Header: Name: cache-control, Value: no-cache
Header: Name: cookie, Value:
JSESSIONID=D5064E579C7379C183DED2EA5CF34E8F;
cid=fwAAAVIwLukaA71RA+imAg==
Session Id: D5064E579C7379C183DED2EA5CF34E8F
Session Last Accessed Time: 1378980182604
</amLogEntry>

<amLogEntry> 2013-09-12T10:07:03Z DEBUG NIDS Application: AM#600105011:
AMDEVICEID#5E859A1D4E299CBD: AMAUTHID#D5064E579C7379C183DED2EA5CF34E8F:
IDP saml2 handler to process request received for /nidp/saml2
</amLogEntry>

<amLogEntry> 2013-09-12T10:07:03Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: http-192.168.7.2-8443-Processor13

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@dbeb32
from cache session succeeded using key D5064E579C7379C183DED2EA5CF34E8F.
Cache size is 1
</amLogEntry>

<amLogEntry> 2013-09-12T10:07:03Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>

<amLogEntry> 2013-09-12T10:07:03Z VERBOSE NIDS Application: Input param
url: /haier1/fx/home.flex :: web.xml param value to decode: false
</amLogEntry>

<amLogEntry> 2013-09-12T10:07:03Z DEBUG NIDS SAML2:
Method: SAML2Profile.traceMessage
Thread: http-192.168.7.2-8443-Processor13


************************* SAML2 POST message
********************************

Type: received
RelayState: /haier1/fx/home.flex
�Vے��}���p
���1�;����
�r���r�����陞�}v�>/��U�2s�����ե�K�0γ����^����8 �F�.N��_�_�A'M�9��(ӂk��>q�TǨ�
8G��n��k��A�՜&I�b�@�8a>z�� ho����`�"�o����8�ԟ8� ��CL�
�'$E�85���G
G�΁0n���ց���ɪ��b�e&�c���Q�u�1��eW�U�� g�
�2����<s�
************************* End SAML2 message
****************************
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character:
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character: 
Ignoring invalid XML character: 

<amLogEntry> 2013-09-12T10:07:03Z WARNING NIDS SAML2: Exception message:
"Content is not allowed in prolog."
y, Line: 2527, Method: A
y, Line: 2001, Method: parse
y, Line: 544, Method: documentFromString
y, Line: 2423, Method: handleInBoundMessage
y, Line: 3450, Method: processSSOEndpoint
y, Line: 2414, Method: A
y, Line: 433, Method: handleRequest
y, Line: 425, Method: handleRequest
y, Line: 3341, Method: myDoGet
y, Line: 1620, Method: doGet
y, Line: 1435, Method: doPost
HttpServlet.java, Line: 647, Method: service
HttpServlet.java, Line: 729, Method: service
ApplicationFilterChain.java, Line: 269, Method: internalDoFilter
ApplicationFilterChain.java, Line: 188, Method: doFilter
PortalFilter.java, Line: 65, Method: doFilter
ApplicationFilterChain.java, Line: 215, Method: internalDoFilter
ApplicationFilterChain.java, Line: 188, Method: doFilter
StandardWrapperValve.java, Line: 213, Method: invoke
StandardContextValve.java, Line: 172, Method: invoke
StandardHostValve.java, Line: 127, Method: invoke
ErrorReportValve.java, Line: 117, Method: invoke
y, Line: 671, Method: invoke
StandardEngineValve.java, Line: 108, Method: invoke
CoyoteAdapter.java, Line: 174, Method: service
Http11Processor.java, Line: 879, Method: process
Http11BaseProtocol.java, Line: 665, Method: processConnection
PoolTcpEndpoint.java, Line: 528, Method: processSocket
LeaderFollowerWorkerThread.java, Line: 81, Method: runIt
ThreadPool.java, Line: 689, Method: run
Thread.java, Line: 662, Method: run
</amLogEntry>


--
wxcn

Re: IDS can't parse SAML request because of incompatible character


The problem here is that the SAML request sent to the IDP doesn't
specify an encoding in the HTTP headers sent with the request.

According to the standard, for an HTTP POST, if no character set is
specified, the encoding is assumed to be ISO-8859-1.


Code:
--------------------
content-type, Value: application/x-www-form-urlencoded
--------------------


This should be something like:


Code:
--------------------
content-type, Value: application/x-www-form-urlencoded; charset=UTF-8
--------------------
(or whatever encoding the web service is actually using - maybe Big5 or
GB2312)

I don't think you can override this on the Access Manager side, so your
best option is to get the application fixed.


--
alexmchugh's Profile: https://forums.netiq.com/member.php?userid=461

Re: IDS can't parse SAML request because of incompatible character


Actually, this could also be because SAML 2.0 post binding can be
configured to be sent as a compressed option.

I think that you must specifically configure NAM to handle this. The
documentation talks about this here.

http://tinyurl.com/k2jvyql

I've never had to configure this, so not entirely sure if this could
produce the type of errors you mentioned.


--
alexmchugh's Profile: https://forums.netiq.com/member.php?userid=461
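One way to test the compression hypothesis from the last reply, as an added example that is not part of the original thread or of Access Manager: it takes a captured form body, base64-decodes the standard `SAMLRequest` field, and reports whether the payload is plain XML or raw-DEFLATE data that inflates to XML. The function names, the size cap and the sample AuthnRequest are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

MAX_XML = 256 * 1024  # assumed cap on inflated size, guards against decompression bombs

def as_xml(data: bytes) -> str:
    """Return data as text if it is UTF-8 and begins like an XML document, else ''."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ""
    return text if text.lstrip("\ufeff \t\r\n").startswith("<") else ""

def classify_saml_request(form_body: str) -> tuple:
    """Classify the SAMLRequest field of a urlencoded POST body: (verdict, xml)."""
    fields = parse_qs(form_body)
    if "SAMLRequest" not in fields:
        return ("no-SAMLRequest-field", "")
    try:
        raw = base64.b64decode(fields["SAMLRequest"][0], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("not-base64", "")
    xml = as_xml(raw)
    if xml:
        return ("plain-xml", xml)
    # Not XML: try raw DEFLATE (RFC 1951, no zlib header), with bounded output.
    inflater = zlib.decompressobj(wbits=-15)
    try:
        out = inflater.decompress(raw, MAX_XML)
    except zlib.error:
        return ("unrecognised-bytes", "")
    if inflater.unconsumed_tail:  # more output pending than the cap allows
        return ("inflated-too-large", "")
    xml = as_xml(out)
    return ("deflated-xml", xml) if xml else ("unrecognised-bytes", "")

def sample_body(payload: bytes) -> str:
    """Build a constructed form body the way a browser would post it."""
    return urlencode({"SAMLRequest": base64.b64encode(payload).decode("ascii"),
                      "RelayState": "/haier1/fx/home.flex"})

# Constructed sample AuthnRequest (not the request from the thread).
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_example" Version="2.0" IssueInstant="2013-09-12T10:07:03Z"/>')
deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_DEFLATED = deflater.compress(SAMPLE_XML) + deflater.flush()
if __name__ == "__main__":
    print(classify_saml_request(sample_body(SAMPLE_DEFLATED))[0])
```

A `deflated-xml` verdict on a POST-binding request points at the sender's compression setting; `unrecognised-bytes` means neither plain XML nor raw DEFLATE explains the captured payload.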