Discussion:
Error decoding / Cannot be cast to org.opensaml.saml2.core.AttributeQuery errors
Brinkman, Jeremy
2009-03-27 16:07:44 UTC
I am testing with an SP and am getting errors in the idp-process.log file. The errors below appear, then my browser is placed in a loop between the IdP and the SP.

11:53:52.415 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler:140] - Decoding message with decoder binding urn:oasis:names:tc:SAML:2.0:bindings:SOAP
11:53:52.415 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler:169] - Error decoding attribute query message
org.opensaml.ws.message.decoder.MessageDecodingException: SAML 2 message was not a request or a response
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.populateMessageIdIssueInstantIssuer(BaseSAML2MessageDecoder.java:117) [opensaml-2.2.3.jar:na]
...
11:53:52.415 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:255] - No metadata for relying party null, treating party as anonymous
11:53:52.415 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.ClassCastException: org.opensaml.saml1.core.impl.RequestImpl cannot be cast to org.opensaml.saml2.core.AttributeQuery
at edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler.populateSAMLMessageInformation(AttributeQueryProfileHandler.java:220) [shibboleth-identityprovider-2.1.2.jar:na]
...

Can anyone tell by the errors where I should start looking?
Thank you,
Jeremy Brinkman
Scott Cantor
2009-03-27 17:05:28 UTC
Post by Brinkman, Jeremy
I am testing with an SP and am getting errors in the idp-process.log file.
The errors below appear, then my browser is placed in a loop between the
IdP and the SP.
From that error, I have to suspect the SP in question is not Shibboleth, or
that you're incorrectly sticking an endpoint for queries in metadata as if
it were an endpoint for something else.
Post by Brinkman, Jeremy
Can anyone tell by the errors where I should start looking?
At what point is the SP trying to use this endpoint, and for what purpose?

-- Scott
Brent Putman
2009-03-27 17:52:21 UTC
Post by Brinkman, Jeremy
11:53:52.415 - ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
java.lang.ClassCastException: org.opensaml.*saml1.*core.impl.RequestImpl cannot be cast to org.opensaml*.saml2.*core.AttributeQuery
Yeah, in line with what Scott said, looks like the SP in question is for
whatever reason (probably invalid metadata?) incorrectly sending a SAML
1 Request of some kind to the SAML 2 SOAP AttributeQuery endpoint.
E. Stuart Hicks
2009-03-27 23:35:37 UTC
Post by Brent Putman
Yeah, in line with what Scott said, looks like the SP in question is
for whatever reason (probably invalid metadata?) incorrectly sending a
SAML 1 Request of some kind to the SAML 2 SOAP AttributeQuery
endpoint.

This turned out to be a good clue as to what's going on.

<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://webauth.unoh.edu:8443/idp/profile/SAML2/SOAP/AttributeQuery" />

InCommon doesn't support SAML2 yet and you've registered your 2.0
endpoints in 1.0 spots. Try changing the InCommon IdP settings to use
https://webauth.unoh.edu:8443/idp/profile/SAML1/SOAP/AttributeQuery
instead and
then we'll give it a day or 2 for the metadata to propagate.

----------------------
E. Stuart Hicks
Access Manager / Systems Engineer
OhioLINK
stuart-hbROQncn9SD2fBVCVOL8/***@public.gmane.org
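A metadata check for the mismatch diagnosed above, as an added example that is not part of the original thread or of Shibboleth: it flags any endpoint whose Binding URN names one SAML version while its Location path names the other. It goes beyond the AttributeService case in the thread by checking every element that carries both attributes; the sample metadata, the idp.example.org host and the function names are constructed, and the /idp/profile/SAML<n>/ path layout is assumed from the URLs quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample metadata (idp.example.org is a placeholder). The first
# AttributeService mirrors the mismatch quoted in the thread; the second is the
# corrected SAML 1 form; the third is a consistent SAML 2 entry.
SAMPLE = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.org/idp/shibboleth">
  <AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""

BINDING_RE = re.compile(r"^urn:oasis:names:tc:SAML:([12])\.\d:bindings:")
# Assumption: the /idp/profile/SAML<n>/ path layout seen in the thread's URLs.
LOCATION_RE = re.compile(r"/profile/SAML([12])/")


def saml_major(pattern, value):
    """Return '1' or '2' when the value names a SAML version, else None."""
    m = pattern.search(value or "")
    return m.group(1) if m else None


def find_mismatches(metadata_xml):
    """List endpoints whose Binding and Location name different SAML versions."""
    # xml.etree is fine for a local file you control; use a hardened parser
    # (e.g. defusedxml) for metadata fetched from elsewhere.
    root = ET.fromstring(metadata_xml)
    findings = []
    for el in root.iter():
        binding, location = el.get("Binding"), el.get("Location")
        b, l = saml_major(BINDING_RE, binding), saml_major(LOCATION_RE, location)
        if b and l and b != l:  # skip endpoints where either version is unknown
            findings.append((el.tag.rsplit("}", 1)[-1], binding, location))
    return findings


if __name__ == "__main__":
    for tag, binding, location in find_mismatches(SAMPLE):
        print(f"MISMATCH {tag}: Binding={binding} Location={location}")
```

Endpoints whose binding or path does not name a SAML version are skipped rather than flagged, so the check only reports definite disagreements.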
Brinkman, Jeremy
2009-03-30 12:15:25 UTC
Thanks All! I will give this a try.
Jeremy

From: E. Stuart Hicks [mailto:stuart-hbROQncn9SD2fBVCVOL8/***@public.gmane.org]
Sent: Friday, March 27, 2009 7:36 PM
To: shibboleth-users-H4aWS73dXup+***@public.gmane.org
Subject: Re: [Shib-Users] Error decoding / Cannot be cast to org.opensaml.saml2.core.AttributeQuery errors


Brent Putman wrote:

Yeah, in line with what Scott said, looks like the SP in question is for whatever reason (probably invalid metadata?) incorrectly sending a SAML 1 Request of some kind to the SAML 2 SOAP AttributeQuery endpoint.

This turned out to be a good clue as to what's going on.

<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://webauth.unoh.edu:8443/idp/profile/SAML2/SOAP/AttributeQuery" />

InCommon doesn't support SAML2 yet and you've registered your 2.0 endpoints in 1.0 spots. Try changing the InCommon IdP settings to use https://webauth.unoh.edu:8443/idp/profile/SAML1/SOAP/AttributeQuery instead and then we'll give it a day or 2 for the metadata to propagate.

----------------------
E. Stuart Hicks
Access Manager / Systems Engineer
OhioLINK
stuart-hbROQncn9SD2fBVCVOL8/***@public.gmane.org