Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server
NetIQ Access Manager 3.2 Support Pack 2 applied
Situation
Trying to build a SAML setup between the NAM Identity (IDP) server and a 3rd party SAML2 Service Provider (SP). After adding the new SP, and pasting the metadata to the metadata field, the following error appeared after clicking the next field:
The XML is malformed. cvc-datatype-valid.1.2.1: 'https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/0/1' is not a valid value for 'NCName'.
Looking at the metadata, the URL referenced below was part of the ID in the EntityDescriptor header shown below:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/0/1" cacheDuration="PT12H0M0.000S" entityID="https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/1/1" validUntil="2013-07-02T04:49:52.809Z">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
: :
Resolution
The ID attribute within the metadata is a unique identifier for that document only (an xs:ID, which must be an NCName). Remove the ':' and '/' characters from the ID value so that it is a valid NCName, and import the metadata again.
This is a NAM defect because, technically, the docs do not state what characters should or should not be used in the metadata ID field. From the metadata specs:
The specs do not stipulate what it has to be:

2.3.2 Element <EntityDescriptor>

The <EntityDescriptor> element specifies metadata for a single SAML entity. A single entity may act in many different roles in the support of multiple profiles. This specification directly supports the following concrete roles as well as the abstract <RoleDescriptor> element for extensibility (see subsequent sections for more details):
• SSO Identity Provider
• SSO Service Provider
• Authentication Authority
• Attribute Authority
• Policy Decision Point
• Affiliation

Its EntityDescriptorType complex type consists of the following elements and attributes:
entityID [Required] Specifies the unique identifier of the SAML entity whose metadata is described by the element's contents.
ID [Optional] A document-unique identifier for the element, typically used as a reference point when signing.