
Error: "The XML is malformed" importing SAML2 metadata from 3rd party Service Provider

This document (7012757) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server
NetIQ Access Manager 3.2 Support Pack 2 applied

Situation

Trying to build a SAML setup between the NAM Identity Server (IDP) and a 3rd party SAML2 Service Provider (SP). After adding the new SP and pasting its metadata into the metadata field, the following error appeared on clicking Next:

The XML is malformed. cvc-datatype-valid.1.2.1: 'https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/0/1' is not a valid value for 'NCName'.

Looking at the metadata, the URL quoted in the error is not the entityID but the value of the ID attribute on the EntityDescriptor element:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/0/1"
    cacheDuration="PT12H0M0.000S"
    entityID="https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/1/1"
    validUntil="2013-07-02T04:49:52.809Z">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    :
    :

Resolution

The ID attribute is a document-unique identifier for the metadata document itself; it is separate from the entityID and has no meaning outside the document. Its schema type is xs:ID, whose lexical space is NCName: the value must start with a letter or underscore and may contain only letters, digits, '.', '-' and '_', so it can never contain ':' or '/' and a URL is never a valid ID. Replace the value with a valid NCName (for example an underscore followed by letters, digits and hyphens) and import the metadata again.

Caveat: if the metadata is signed and the ds:Reference URI points at that ID (URI="#..."), editing the ID by hand invalidates the existing signature, because the digest covers the element including its ID attribute and SignedInfo covers the reference URI. Where the metadata signature is to be trusted, have the 3rd party regenerate and re-sign the metadata with a conformant ID rather than patching it locally.

The prose of the SAML 2.0 metadata specification does not spell out which characters ID may contain, which is why SP implementations get this wrong; the constraint comes from the metadata schema (saml-schema-metadata-2.0.xsd), which declares the attribute as type xs:ID. The NCName error above is therefore the expected result of schema validation rather than a NAM defect, and the SP's metadata is non-conformant. The specification text describes the attribute's purpose only:

2.3.2 Element <EntityDescriptor>

The <EntityDescriptor> element specifies metadata for a single SAML entity. A single entity may act in many different roles in the support of multiple profiles. This specification directly supports the following concrete roles as well as the abstract <RoleDescriptor> element for extensibility (see subsequent sections for more details):

• SSO Identity Provider
• SSO Service Provider
• Authentication Authority
• Attribute Authority
• Policy Decision Point
• Affiliation

Its EntityDescriptorType complex type consists of the following elements and attributes:

entityID [Required]
Specifies the unique identifier of the SAML entity whose metadata is described by the element's contents.

ID [Optional]
A document-unique identifier for the element, typically used as a reference point when signing.
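The check and the fix described above, as an added example that is not part of this TID or of NAM: a Python script that applies the NCName rule to every ID attribute in an EntityDescriptor, confirms that each ds:Reference URI="#..." resolves to an ID in the document, and rewrites an invalid document ID while reporting that any signature over it can no longer verify. The sample metadata is constructed for this example (modelled on the fragment above, with placeholder signature values and an assumed AssertionConsumerService location), and the replacement ID is an arbitrary valid NCName chosen here.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# xs:ID values must be NCNames: an XML Name with no ':'.  Character ranges are
# the XML 1.0 (5th ed.) NameStartChar / NameChar productions minus the colon;
# supplementary-plane characters are omitted for brevity.
_START = (r"A-Z_a-z\xC0-\xD6\xD8-\xF6\xF8-\u02FF\u0370-\u037D\u037F-\u1FFF"
          r"\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF"
          r"\uFDF0-\uFFFD")
_REST = _START + r"\-.0-9\xB7\u0300-\u036F\u203F-\u2040"
NCNAME_RE = re.compile(f"^[{_START}][{_REST}]*$")


def is_ncname(value: str) -> bool:
    """True if value is a syntactically valid NCName (what xs:ID requires)."""
    return bool(NCNAME_RE.match(value))


def check_metadata(xml_text: str) -> list:
    """Return the problems a schema validator would raise on ID-typed attributes."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        problems.append(f"root element is {root.tag}, expected md:EntityDescriptor")
    ids = set()
    for elem in root.iter():
        value = elem.get("ID")
        if value is None:
            continue
        local = elem.tag.split("}")[-1]
        if not is_ncname(value):
            problems.append(f"{local} ID={value!r} is not a valid NCName")
        if value in ids:
            problems.append(f"duplicate ID {value!r}")
        ids.add(value)
    # A same-document ds:Reference must point at an ID that exists in the document.
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] not in ids:
            problems.append(f"ds:Reference URI={uri!r} points at no element ID")
    return problems


def fix_document_id(xml_text: str, new_id: str):
    """Replace the EntityDescriptor ID with new_id and keep any same-document
    ds:Reference URI in sync.  Returns (fixed_xml, signature_invalidated)."""
    if not is_ncname(new_id):
        raise ValueError(f"{new_id!r} is not a valid NCName")
    root = ET.fromstring(xml_text)
    old_id = root.get("ID")
    root.set("ID", new_id)
    signature_invalidated = False
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        if old_id is not None and ref.get("URI") == f"#{old_id}":
            # The digest covers the element including its ID attribute and
            # SignedInfo covers this URI, so the existing signature cannot
            # verify any more: the SP must re-sign, or the signature be dropped.
            ref.set("URI", f"#{new_id}")
            signature_invalidated = True
    return ET.tostring(root, encoding="unicode"), signature_invalidated


# Constructed sample modelled on the fragment in this TID.  The signature
# values are placeholders and the ACS location is assumed for the example.
SAMPLE_METADATA = """<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/0/1"
  entityID="https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/1/1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/0/1">
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://m00.testsps.n0v3ll.com/samlv2/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for problem in check_metadata(SAMPLE_METADATA):
        print("problem:", problem)
    fixed, broke_signature = fix_document_id(SAMPLE_METADATA, "_m00-testsps-metadata-0-1")
    print("after fix:", check_metadata(fixed) or "no ID problems")
    if broke_signature:
        print("warning: existing ds:Signature no longer verifies; ask the SP to re-sign")
```

Run the script against the SP's metadata before pasting it into the Identity Server; the first message it prints is the same condition the NAM importer reports as cvc-datatype-valid.1.2.1. The local rewrite is suitable for a lab or for metadata whose signature is not being verified; for a production trust relationship, the warning it prints is the point: send the NCName problem back to the 3rd party and import only metadata they have re-signed.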

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7012757
  • Creation Date: 02-JUL-13
  • Modified Date: 02-JUL-13
  • Product: NetIQ Access Manager (NAM)
