Posted to users@cloudstack.apache.org by "Igor S. Lopes" <ig...@rsantos.eti.br> on 2016/05/10 19:04:17 UTC

ADFS + CloudStack problem

Hi,
I am working with CloudStack and I'm intending to use it as a Service Provider connected through SSO with our Active Directory Federation Service.
I have no idea how to allow CloudStack to authenticate on the ADFS.
I tried to follow this guide http://www.terbolo.us/2015/06/how-to-set-up-apache-cloudstack-4-5-24-6-0-and-saml-2-0-authentication-against-microsoft-adfs/ but
a few problems showed up:

1 - Even though I had set the metadata URL to https://<domain>/FederationMetadata/2007-06/FederationMetadata.xml, when I checked /var/log/cloudstack/management/management-server.log
for error messages I saw a few saying that CloudStack couldn't retrieve the metadata file. So I did it manually.

2 - I configured the ADFS claims as shown in the 'how-to', but the following error message shows up in my ADFS Event Logs. I already spent a couple of hours browsing about this error, but
nothing really useful came up:

Error code: 364 
(...) 
System.Xml.XmlException: MSIS0018: Não é possível ler a mensagem do protocolo SAML porque ela contém dados inválidos. ---> System.ArgumentException: ID4128: O valor não é um ID de SAML válido. 
Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7', valor hexadecimal 0x37. 
em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType) 
em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) 
--- Fim do rastreamento de pilha de exceções internas --- 
em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) 
em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message) 
--- Fim do rastreamento de pilha de exceções internas --- 
em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message) 
em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader) 
em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context) 
em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage) 
em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection) 
em Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form) 
em Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest) 
em Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext) 
em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request) 
em Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler) 
em Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context) 

System.ArgumentException: ID4128: O valor não é um ID de SAML válido. 
Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7', valor hexadecimal 0x37. 
em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType) 
em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) 
--- Fim do rastreamento de pilha de exceções internas --- 
em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) 
em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message) 

System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7', valor hexadecimal 0x37. 
em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType) 
em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) 


There are a few parts in Brazilian Portuguese, sorry about that.
Did anyone succeed in connecting CloudStack to an ADFS using the SAML plugin?

Thank you in advance. 

Igor Steuck Lopes 

-- 
This email was checked by SOPHOS UTM 9 SPAM & Virus Firewall.
http://www.rsantos.eti.br

RE: ADFS + CloudStack problem

Posted by Rohit Yadav <ro...@shapeblue.com>.
Igor, have you added CloudStack's SP metadata to your MS ADFS SAML IDP? You'll need to authorize CloudStack SP first.
I've not configured or tested MS ADFS with CloudStack's SAML plugin but I know Erik has more experience with the configuration/authorization.

Regards,

Rohit Yadav

rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue

-----Original Message-----
From: Igor S. Lopes [mailto:igor@rsantos.eti.br] 
Sent: Wednesday, May 11, 2016 5:44 PM
To: users <us...@cloudstack.apache.org>
Subject: Re: ADFS + CloudStack problem

Thanks for your answer.

I'd like to share some stuff that I found this morning. 

Take a look at these two error scenarios, with the IDs captured from SAML Tracer's output:


Scenario 1:

  SAML Tracer's captured ID="eiki1dt3f3msjcgaeilge51odfo0hkqu"

  When the ID starts with a letter the ADFS gives the following authentication error:

  Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer 'org.apache.cloudstack'.
   em Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   em Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   em Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
  
  Which I believe is a certificate-related error; since I'm still learning how to properly generate a self-signed certificate using OpenSSL, I was expecting this to happen. But there is another scenario where the previously reported error appears.



Scenario 2:

  Tracer's captured ID="5085t333p0nqg619mdulj6fe253ks9kg"

  System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid. ---> System.ArgumentException: ID4128: The value is not a valid SAML ID.
Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '5' character, hexadecimal value 0x35.
   em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
 --- End of inner exception stack trace ---
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
 --- End of inner exception stack trace ---
   em 
   (...)

  Which is the same error I reported before but this time the ID starts with a 5 instead of a 7.



I did some checking and, if I'm not mistaken, the XML 1.1 standard defines the following for its objects' xml IDs:

'An xml:id processor must assure that the following constraints hold for all xml:id attributes:

  The normalized value of the attribute is an NCName according to the Namespaces in XML Recommendation which has the same version as the document in which this attribute occurs (NCName for XML 1.0, or NCName for XML 1.1).'

Which leads us to the following Namespaces' grammar:

[4]   	NCName	   ::=   	NCNameStartChar NCNameChar*	/* An XML Name, minus the ":" */

Am I wrong, or does this say ALL XML IDs MUST start with a letter? Could this be a bug in CloudStack's SAML plugin?

Sorry for the long answer and the bad English.



Igor Steuck Lopes



----- Original Message -----
From: "Erik Weber" <te...@gmail.com>
To: "users" <us...@cloudstack.apache.org>
Sent: Tuesday, 10 May 2016 17:57:39
Subject: Re: ADFS + CloudStack problem

Thanks, the error message seems to come from the ADFS server. Could you intercept the SAML process?
For firefox there is a plugin called 'SAML Tracer', getting the output of that could give us some hints.

--
Erik

On Tue, May 10, 2016 at 10:35 PM, Igor S. Lopes <ig...@rsantos.eti.br> wrote:

> Hi, thank you for your answer. Here is the translated error message:
>
> System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be 
> read because it contains data that is not valid. --->
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin 
> with the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCom
> monAttributes(XmlReader
> reader, SamlMessage message)
>  --- End of inner exception stack trace ---
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCom
> monAttributes(XmlReader
> reader, SamlMessage message)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAut
> hnRequest(XmlReader
> reader)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSam
> lMessage(XmlReader
> reader, NamespaceContext context)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.Read
> ProtocolMessage(String
> encodedSamlMessage)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.Crea
> teFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSeriali
> zer.ReadMessage(Uri
> requestUrl, NameValueCollection form)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.Cre
> ateMessage(WrappedHttpListenerRequest
> httpRequest)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateP
> rotocolContextFromRequest(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Create
> ProtocolContext(WrappedHttpListenerRequest
> request)
>    em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandle
> r(WrappedHttpListenerRequest request, ProtocolContext& 
> protocolContext, PassiveProtocolHandler&
> protocolHandler)
>    em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(Wrap
> pedHttpListenerContext
> context)
>
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin 
> with the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCom
> monAttributes(XmlReader
> reader, SamlMessage message)
>
> System.Xml.XmlException: Name cannot begin with the '7' character, 
> hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>
> There is a huge chance that I configured something wrong.
>
> Igor Steuck Lopes
>
>
> ----- Original Message -----
> From: "Erik Weber" <te...@gmail.com>
> To: "users" <us...@cloudstack.apache.org>
> Sent: Tuesday, 10 May 2016 17:24:13
> Subject: Re: ADFS + CloudStack problem
>
> I haven't tried since I wrote that post, but it worked back then.
>
> Any chance that you could translate the error messages?
>
> Erik
>
> On Tuesday, 10 May 2016, Igor S. Lopes <ig...@rsantos.eti.br>
> wrote:
>
> > Hi,
> > I am working with CloudStack and I'm intending to use it as a 
> > Service Provider connected through SSO with our Active Directory 
> > Federation
> Service
> > .
> > I have no idea how to allow CloudStack to authenticate on the ADFS.
> > I tried to follow this guide
> >
> http://www.terbolo.us/2015/06/how-to-set-up-apache-cloudstack-4-5-24-6
> -0-and-saml-2-0-authentication-against-microsoft-adfs/
> > but
> > a few problems showed up:
> >
> > 1 - Even though I had set the URL metadata to https://
> <domain>/FederationMetadata/2007-06/FederationMetadata.xml
> > when I checked /var/log/cloudstack/management/management-server.log
> > for error messages I saw a few saying that CloudStack couldn't 
> > retrieve the metadata file. So I did it manually.
> >
> > 2 - I configured the ADFS claims as shown in the 'how-to' but the 
> > following error message shows up in my ADFS Event Logs. I already 
> > spent a couple of hours browsing about this error but nothing really 
> > useful came up:
> >
> > Error code: 364
> > (...)
> > System.Xml.XmlException: MSIS0018: Não é possível ler a mensagem do 
> > protocolo SAML porque ela contém dados inválidos. --->
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não 
> > pode ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas --- em 
> > Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCom
> monAttributes(XmlReader
> > reader, SamlMessage message)
> > --- Fim do rastreamento de pilha de exceções internas --- em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCom
> monAttributes(XmlReader
> > reader, SamlMessage message)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAut
> hnRequest(XmlReader
> > reader)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSam
> lMessage(XmlReader
> > reader, NamespaceContext context)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.Read
> ProtocolMessage(String
> > encodedSamlMessage)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.Crea
> teFromNameValueCollection(Uri
> > baseUrl, NameValueCollection collection) em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSeriali
> zer.ReadMessage(Uri
> > requestUrl, NameValueCollection form) em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.Cre
> ateMessage(WrappedHttpListenerRequest
> > httpRequest)
> > em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateP
> rotocolContextFromRequest(WrappedHttpListenerRequest
> > request, ProtocolContext& protocolContext) em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Create
> ProtocolContext(WrappedHttpListenerRequest
> > request)
> > em
> >
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandle
> r(WrappedHttpListenerRequest
> > request, ProtocolContext& protocolContext, PassiveProtocolHandler&
> > protocolHandler)
> > em
> >
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(Wrap
> pedHttpListenerContext
> > context)
> >
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não 
> > pode ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas --- em 
> > Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value) em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCom
> monAttributes(XmlReader
> > reader, SamlMessage message)
> >
> > System.Xml.XmlException: Um nome não pode ser iniciado pelo 
> > caractere
> '7',
> > valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> >
> >
> > There are a few parts in Brazilian Portuguese, sorry about that.
> > Did anyone succeed in connecting CloudStack to an ADFS using the 
> > SAML plugin?
> >
> > Thank you in advance.
> >
> > Igor Steuck Lopes
> >
> >
>
>


Re: ADFS + CloudStack problem

Posted by "Igor S. Lopes" <ig...@rsantos.eti.br>.
Thanks for your answer.

I'd like to share some stuff that I found this morning. 

Take a look at these two error scenarios, with the IDs captured from SAML Tracer's output:


Scenario 1:

  SAML Tracer's captured ID="eiki1dt3f3msjcgaeilge51odfo0hkqu"

  When the ID starts with a letter the ADFS gives the following authentication error:

  Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer 'org.apache.cloudstack'.
   em Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   em Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   em Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
  
  Which I believe is a certificate-related error; since I'm still learning how to properly generate a self-signed certificate using OpenSSL, I was expecting this to happen. But there is another scenario where the previously reported error appears.



Scenario 2:

  Tracer's captured ID="5085t333p0nqg619mdulj6fe253ks9kg"

  System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid. ---> System.ArgumentException: ID4128: The value is not a valid SAML ID.
Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '5' character, hexadecimal value 0x35.
   em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
 --- End of inner exception stack trace ---
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
 --- End of inner exception stack trace ---
   em 
   (...)

  Which is the same error I reported before but this time the ID starts with a 5 instead of a 7.



I did some checking and, if I'm not mistaken, the XML 1.1 standard defines the following for its objects' xml IDs:

'An xml:id processor must assure that the following constraints hold for all xml:id attributes:

  The normalized value of the attribute is an NCName according to the Namespaces in XML Recommendation which has the same version as the document in which this attribute occurs (NCName for XML 1.0, or NCName for XML 1.1).'

Which leads us to the following Namespaces' grammar:

[4]   	NCName	   ::=   	NCNameStartChar NCNameChar*	/* An XML Name, minus the ":" */

Am I wrong, or does this say ALL XML IDs MUST start with a letter? Could this be a bug in CloudStack's SAML plugin?

Sorry for the long answer and the bad English.



Igor Steuck Lopes



----- Original Message -----
From: "Erik Weber" <te...@gmail.com>
To: "users" <us...@cloudstack.apache.org>
Sent: Tuesday, 10 May 2016 17:57:39
Subject: Re: ADFS + CloudStack problem

Thanks, the error message seems to come from the ADFS server. Could you
intercept the SAML process?
For firefox there is a plugin called 'SAML Tracer', getting the output of
that could give us some hints.

-- 
Erik

On Tue, May 10, 2016 at 10:35 PM, Igor S. Lopes <ig...@rsantos.eti.br> wrote:

> Hi, thank you for your answer. Here is the translated error message:
>
> System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be
> read because it contains data that is not valid. --->
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin with
> the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>  --- End of inner exception stack trace ---
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader
> reader)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader
> reader, NamespaceContext context)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String
> encodedSamlMessage)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri
> baseUrl, NameValueCollection collection)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri
> requestUrl, NameValueCollection form)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest
> httpRequest)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest
> request)
>    em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext, PassiveProtocolHandler&
> protocolHandler)
>    em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
> context)
>
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin with
> the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>
> System.Xml.XmlException: Name cannot begin with the '7' character,
> hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>
> There is a huge chance that I configured something wrong.
>
> Igor Steuck Lopes
>
>
> ----- Original Message -----
> From: "Erik Weber" <te...@gmail.com>
> To: "users" <us...@cloudstack.apache.org>
> Sent: Tuesday, 10 May 2016 17:24:13
> Subject: Re: ADFS + CloudStack problem
>
> I haven't tried since I wrote that post, but it worked back then.
>
> Any chance that you could translate the error messages?
>
> Erik
>
> On Tuesday, 10 May 2016, Igor S. Lopes <ig...@rsantos.eti.br>
> wrote:
>
> > Hi,
> > I am working with CloudStack and I'm intending to use it as a Service
> > Provider connected through SSO with our Active Directory Federation
> Service
> > .
> > I have no idea how to allow CloudStack to authenticate on the ADFS.
> > I tried to follow this guide
> >
> http://www.terbolo.us/2015/06/how-to-set-up-apache-cloudstack-4-5-24-6-0-and-saml-2-0-authentication-against-microsoft-adfs/
> > but
> > a few problems showed up:
> >
> > 1 - Even though I had set the URL metadata to https://
> <domain>/FederationMetadata/2007-06/FederationMetadata.xml
> > when I checked /var/log/cloudstack/management/management-server.log
> > for error messages I saw a few saying that CloudStack couldn't retrieve
> > the metadata file. So I did it manually.
> >
> > 2 - I configured the ADFS claims as shown in the 'how-to' but the
> > following error message shows up in my ADFS Event Logs. I already spent a
> > couple of hours browsing about this error but
> > nothing really useful came up:
> >
> > Error code: 364
> > (...)
> > System.Xml.XmlException: MSIS0018: Não é possível ler a mensagem do
> > protocolo SAML porque ela contém dados inválidos. --->
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> > ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> > reader, SamlMessage message)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> > reader, SamlMessage message)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader
> > reader)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader
> > reader, NamespaceContext context)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String
> > encodedSamlMessage)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri
> > baseUrl, NameValueCollection collection)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri
> > requestUrl, NameValueCollection form)
> > em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest
> > httpRequest)
> > em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest
> > request, ProtocolContext& protocolContext)
> > em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest
> > request)
> > em
> >
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest
> > request, ProtocolContext& protocolContext, PassiveProtocolHandler&
> > protocolHandler)
> > em
> >
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
> > context)
> >
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> > ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> > reader, SamlMessage message)
> >
> > System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere
> '7',
> > valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> >
> >
> > There are a few parts in Brazilian Portuguese, sorry about that.
> > Did anyone succeed in connecting CloudStack to an ADFS using the SAML
> > plugin?
> >
> > Thank you in advance.
> >
> > Igor Steuck Lopes
> >
> >
>
>


Re: ADFS + CloudStack problem

Posted by Erik Weber <te...@gmail.com>.
Thanks, the error message seems to come from the ADFS server. Could you
intercept the SAML process?
For Firefox there is a plugin called 'SAML Tracer'; getting the output of
that could give us some hints.

-- 
Erik

On Tue, May 10, 2016 at 10:35 PM, Igor S. Lopes <ig...@rsantos.eti.br> wrote:

> Hi, thank you for your answer. Here is the translated error message:
>
> System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be
> read because it contains data that is not valid. --->
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin with
> the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>  --- End of inner exception stack trace ---
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader
> reader)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader
> reader, NamespaceContext context)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String
> encodedSamlMessage)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri
> baseUrl, NameValueCollection collection)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri
> requestUrl, NameValueCollection form)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest
> httpRequest)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest
> request)
>    em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext, PassiveProtocolHandler&
> protocolHandler)
>    em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
> context)
>
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin with
> the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>
> System.Xml.XmlException: Name cannot begin with the '7' character,
> hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>
> There is a huge chance that I configured something wrong.
>
> Igor Steuck Lopes
>
>
> ----- Original message -----
> From: "Erik Weber" <te...@gmail.com>
> To: "users" <us...@cloudstack.apache.org>
> Sent: Tuesday, 10 May 2016 17:24:13
> Subject: Re: ADFS + CloudStack problem
>
> I haven't tried since I wrote that post, but it worked back then.
>
> Any chance that you could translate the error messages?
>
> Erik
>
> On Tuesday, 10 May 2016, Igor S. Lopes <ig...@rsantos.eti.br> wrote:
>
> > Hi,
> > I am working with CloudStack and I'm intending to use it as a Service
> > Provider connected through SSO with our Active Directory Federation
> > Service.
> > I have no idea how to allow CloudStack to authenticate on the ADFS.
> > I tried to follow this guide
> > http://www.terbolo.us/2015/06/how-to-set-up-apache-cloudstack-4-5-24-6-0-and-saml-2-0-authentication-against-microsoft-adfs/
> > but a few problems showed up:
> >
> > 1 - Even though I had set the URL metadata to
> > https://<domain>/FederationMetadata/2007-06/FederationMetadata.xml
> > when I checked /var/log/cloudstack/management/management-server.log
> > for error messages I saw a few saying that CloudStack couldn't retrieve
> > the metadata file. So I did it manually.
> >
> > 2 - I configured the ADFS claims as shown in the 'how-to' but the
> > following error message shows up on my ADFS Event Logs. I already spent a
> > couple of hours browsing about this error but
> > nothing really useful came up:
> >
> > Error code: 364
> > (...)
> > System.Xml.XmlException: MSIS0018: Não é possível ler a mensagem do
> > protocolo SAML porque ela contém dados inválidos. --->
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> > ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
> > em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
> > em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
> > em Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
> > em Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
> > em Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
> > em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
> > em Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
> > em Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
> >
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
> >
> > System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> >
> >
> > There are a few parts in Brazilian Portuguese, sorry about that.
> > Did anyone succeed in connecting CloudStack to an ADFS using the SAML
> > plugin?
> >
> > Thank you in advance.
> >
> > Igor Steuck Lopes
> >
> >
>
>

Re: ADFS + CloudStack problem

Posted by "Igor S. Lopes" <ig...@rsantos.eti.br>.
Hi, thank you for your answer. Here is the translated error message:

System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid. ---> System.ArgumentException: ID4128: The value is not a valid SAML ID.
Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '7' character, hexadecimal value 0x37.
   em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
 --- End of inner exception stack trace ---
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
 --- End of inner exception stack trace ---
   em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
   em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
   em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
   em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   em Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
   em Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
   em Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   em Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   em Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   em Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.ArgumentException: ID4128: The value is not a valid SAML ID.
Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the '7' character, hexadecimal value 0x37.
   em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
 --- End of inner exception stack trace ---
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   em Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)

System.Xml.XmlException: Name cannot begin with the '7' character, hexadecimal value 0x37.
   em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)

There is a huge chance that I configured something wrong.

Igor Steuck Lopes


----- Original message -----
From: "Erik Weber" <te...@gmail.com>
To: "users" <us...@cloudstack.apache.org>
Sent: Tuesday, 10 May 2016 17:24:13
Subject: Re: ADFS + CloudStack problem

I haven't tried since I wrote that post, but it worked back then.

Any chance that you could translate the error messages?

Erik

On Tuesday, 10 May 2016, Igor S. Lopes <ig...@rsantos.eti.br> wrote:

> Hi,
> I am working with CloudStack and I'm intending to use it as a Service
> Provider connected through SSO with our Active Directory Federation
> Service.
> I have no idea how to allow CloudStack to authenticate on the ADFS.
> I tried to follow this guide
> http://www.terbolo.us/2015/06/how-to-set-up-apache-cloudstack-4-5-24-6-0-and-saml-2-0-authentication-against-microsoft-adfs/
> but a few problems showed up:
>
> 1 - Even though I had set the URL metadata to https://<domain>/FederationMetadata/2007-06/FederationMetadata.xml
> when I checked /var/log/cloudstack/management/management-server.log
> for error messages I saw a few saying that CloudStack couldn't retrieve
> the metadata file. So I did it manually.
>
> 2 - I configured the ADFS claims as shown in the 'how-to' but the
> following error message shows up on my ADFS Event Logs. I already spent a
> couple of hours browsing about this error but
> nothing really useful came up:
>
> Error code: 364
> (...)
> System.Xml.XmlException: MSIS0018: Não é possível ler a mensagem do
> protocolo SAML porque ela contém dados inválidos. --->
> System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> --- Fim do rastreamento de pilha de exceções internas ---
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
> --- Fim do rastreamento de pilha de exceções internas ---
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader
> reader)
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader
> reader, NamespaceContext context)
> em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String
> encodedSamlMessage)
> em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri
> baseUrl, NameValueCollection collection)
> em
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri
> requestUrl, NameValueCollection form)
> em
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest
> httpRequest)
> em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext)
> em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest
> request)
> em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext, PassiveProtocolHandler&
> protocolHandler)
> em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
> context)
>
> System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> --- Fim do rastreamento de pilha de exceções internas ---
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>
> System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7',
> valor hexadecimal 0x37.
> em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>
>
> There are a few parts in Brazilian Portuguese, sorry about that.
> Did anyone succeed in connecting CloudStack to an ADFS using the SAML
> plugin?
>
> Thank you in advance.
>
> Igor Steuck Lopes
>
>


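Erik's suggestion is to look at the SAML request on the wire; as an added example (not code from the thread, from CloudStack or from ADFS), the Python below decodes a HTTP-Redirect-binding SAMLRequest the way SAML Tracer would display it and applies the check the translated stack trace describes: the AuthnRequest ID attribute must be an XML NCName (a letter or underscore first), which is exactly what an ID starting with '7' fails. The hostnames and the sample request are constructed, not taken from the thread.

```python
# Added example, not code from the thread, CloudStack or ADFS: decode a
# SAML HTTP-Redirect-binding AuthnRequest the way SAML Tracer shows it and
# apply the check behind "ID4128: The value is not a valid SAML ID".
import base64
import re
import secrets
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# ASCII form of the XML NCName production that backs xs:ID: the first
# character must be a letter or '_', so an ID beginning with '7' fails
# with "Name cannot begin with the '7' character, hexadecimal value 0x37".
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_valid_saml_id(value: str) -> bool:
    """The NCName test ADFS's Saml2Id constructor applies to message IDs."""
    return bool(NCNAME_RE.match(value))


def make_saml_id() -> str:
    """An ID that is always an NCName and carries 128 bits of randomness."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issuer: str) -> bytes:
    """Constructed minimal AuthnRequest, used here only as sample input."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2016-05-10T19:04:17Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    return xml.encode()


def redirect_url(idp_sso_url: str, authn_request: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request) + comp.flush()
    encoded = base64.b64encode(deflated).decode()
    return idp_sso_url + "?" + urlencode({"SAMLRequest": encoded})


def decode_redirect_binding(url: str) -> ET.Element:
    """Inverse of the binding: the XML the IdP (or SAML Tracer) actually sees."""
    query = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(deflated, -15))


def check_request_id(url: str) -> dict:
    """Report the AuthnRequest ID and whether it would pass the IdP's check."""
    root = decode_redirect_binding(url)
    request_id = root.get("ID", "")
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="")
    return {"id": request_id, "issuer": issuer, "id_ok": is_valid_saml_id(request_id)}


if __name__ == "__main__":
    # Hypothetical hostnames; the IDs below are constructed, not taken from the thread.
    idp = "https://adfs.example.test/adfs/ls/"
    sp = "https://cloudstack.example.test/"
    for rid in ("7c2f1a9e4b3d", make_saml_id()):
        print(check_request_id(redirect_url(idp, build_authn_request(rid, sp))))
```

Point `check_request_id` at the full redirect URL copied from SAML Tracer to see whether the ID CloudStack sends is the attribute ADFS is rejecting.
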
Re: ADFS + CloudStack problem

Posted by Erik Weber <te...@gmail.com>.
I haven't tried since I wrote that post, but it worked back then.

Any chance that you could translate the error messages?

Erik

On Tuesday, 10 May 2016, Igor S. Lopes <ig...@rsantos.eti.br> wrote:

> Hi,
> I am working with CloudStack and I'm intending to use it as a Service
> Provider connected through SSO with our Active Directory Federation
> Service.
> I have no idea how to allow CloudStack to authenticate on the ADFS.
> I tried to follow this guide
> http://www.terbolo.us/2015/06/how-to-set-up-apache-cloudstack-4-5-24-6-0-and-saml-2-0-authentication-against-microsoft-adfs/
> but a few problems showed up:
>
> 1 - Even though I had set the URL metadata to https://<domain>/FederationMetadata/2007-06/FederationMetadata.xml
> when I checked /var/log/cloudstack/management/management-server.log
> for error messages I saw a few saying that CloudStack couldn't retrieve
> the metadata file. So I did it manually.
>
> 2 - I configured the ADFS claims as shown in the 'how-to' but the
> following error message shows up on my ADFS Event Logs. I already spent a
> couple of hours browsing about this error but
> nothing really useful came up:
>
> Error code: 364
> (...)
> System.Xml.XmlException: MSIS0018: Não é possível ler a mensagem do
> protocolo SAML porque ela contém dados inválidos. --->
> System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> --- Fim do rastreamento de pilha de exceções internas ---
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
> --- Fim do rastreamento de pilha de exceções internas ---
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader
> reader)
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader
> reader, NamespaceContext context)
> em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String
> encodedSamlMessage)
> em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri
> baseUrl, NameValueCollection collection)
> em
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri
> requestUrl, NameValueCollection form)
> em
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest
> httpRequest)
> em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext)
> em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest
> request)
> em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext, PassiveProtocolHandler&
> protocolHandler)
> em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
> context)
>
> System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> --- Fim do rastreamento de pilha de exceções internas ---
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>
> System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere '7',
> valor hexadecimal 0x37.
> em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
> em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>
>
> There are a few parts in Brazilian Portuguese, sorry about that.
> Did anyone succeed in connecting CloudStack to an ADFS using the SAML
> plugin?
>
> Thank you in advance.
>
> Igor Steuck Lopes
>
>