Thanks for your answer

I'd like to share some stuff that I found this morning. 

Take a look at those two error scenarios with the IDs captured from the 
Tracer's output:


Scenario 1:

  SAML Tracer's captured ID="eiki1dt3f3msjcgaeilge51odfo0hkqu"

  When the ID starts with a letter, the ADFS gives the following authentication
error:

  
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException:
 MSIS0037: No signature verification certificate found for issuer 
'org.apache.cloudstack'.
   em 
Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage
 message)
   em 
Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage
 httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, 
String relayState, String& newSamlSession, String& samlpAuthenticationProvider, 
Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean 
isKmsiRequested)
   em 
Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext
 context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement 
onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean 
isApplicationProxyTokenRequired, String& samlpSessionState, String& 
samlpAuthenticationProvider)
   em 
Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage
 httpSamlRequest, WrappedHttpListenerContext context, String 
relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean 
isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   em 
Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext
 context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   em 
Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext
 context)
   em 
Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext
 protocolContext, PassiveProtocolHandler protocolHandler)
   em 
Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
 context)
  
  Which I believe is a certificate-related error; since I'm still learning how
to properly generate a self-signed certificate using OpenSSL, I was expecting
this to happen. But there is another scenario where the previously reported
error appears.



Scenario 2:

  Tracer's captured ID="5085t333p0nqg619mdulj6fe253ks9kg"

  System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read 
because it contains data that is not valid. ---> System.ArgumentException: 
ID4128: The value is not a valid SAML ID.
Parameter name: value ---> System.Xml.XmlException: Name cannot begin with the 
'5' character, hexadecimal value 0x35.
   em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType 
exceptionType)
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
 --- End of inner exception stack trace ---
   em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   em 
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
 reader, SamlMessage message)
 --- End of inner exception stack trace ---
   em 
   (...)

  Which is the same error I reported before but this time the ID starts with a 
5 instead of a 7.



I did some checking and, if I'm not mistaken, the XML 1.1 standard defines the
following for its objects' xml IDs:

'An xml:id processor must assure that the following constraints hold for all 
xml:id attributes:

  The normalized value of the attribute is an NCName according to the 
Namespaces in XML Recommendation which has the same version as the document in 
which this attribute occurs (NCName for XML 1.0, or NCName for XML 1.1).'

Which leads us to the following Namespaces' grammar:

[4]     NCName     ::=          NCNameStartChar NCNameChar*     /* An XML Name, 
minus the ":" */

Am I wrong, or does this say that ALL XML IDs MUST start with a letter? Could
this be a bug in CloudStack's SAML plugin?

Sorry for the long answer and the bad English.



Igor Steuck Lopes
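As an added illustration (not code from this thread or from CloudStack's plugin), here is the NCName rule applied to the two captured IDs above, plus a generator that always produces a valid SAML ID by starting it with '_' (a permitted NCNameStartChar). The AuthnRequest sample is constructed, and the letters/digits approximation of the XML character classes is my assumption.

```python
import secrets
import xml.etree.ElementTree as ET

# NCName (Namespaces in XML, production [4]): NCNameStartChar NCNameChar*.
# Assumption: NCNameStartChar approximated as letters (str.isalpha) or '_',
# NCNameChar additionally as decimal digits, '-' and '.'; ':' is never allowed.
def _is_start_char(c):
    return c == "_" or c.isalpha()

def _is_name_char(c):
    return _is_start_char(c) or c.isdecimal() or c in "-."

def is_ncname(value):
    """True if value is an NCName, i.e. usable as an xs:ID / SAML ID."""
    if not value or not _is_start_char(value[0]):
        return False
    return all(_is_name_char(c) for c in value[1:])

def id_problem(value):
    """Explain why a SAML ID would be rejected (ADFS-style wording), or None."""
    if not value:
        return "ID is empty"
    if not _is_start_char(value[0]):
        return "Name cannot begin with the '%s' character, hexadecimal value 0x%02X" % (
            value[0], ord(value[0]))
    for c in value[1:]:
        if not _is_name_char(c):
            return "Name contains the invalid character '%s'" % c
    return None

def make_saml_id(nbytes=16):
    """An ID that is always an NCName: leading '_' (a valid start char) then hex."""
    return "_" + secrets.token_hex(nbytes)

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def authn_request_id_problem(xml_text):
    """Parse an AuthnRequest and validate its ID attribute before it is sent."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return "root element is not samlp:AuthnRequest"
    return id_problem(root.get("ID", ""))

# Constructed sample (not a real capture) carrying the ID from scenario 2 above.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" Version="2.0" '
    'ID="5085t333p0nqg619mdulj6fe253ks9kg" IssueInstant="2016-05-11T12:00:00Z"/>'
    % SAMLP
)
```

Running `authn_request_id_problem(SAMPLE_AUTHN_REQUEST)` reproduces the wording ADFS logs for scenario 2, while the scenario 1 ID passes the check.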



----- Original Message -----
From: "Erik Weber" <terbol...@gmail.com>
To: "users" <users@cloudstack.apache.org>
Sent: Tuesday, 10 May 2016 17:57:39
Subject: Re: ADFS + CloudStack problem

Thanks, the error message seems to come from the ADFS server. Could you
intercept the SAML process?
For firefox there is a plugin called 'SAML Tracer', getting the output of
that could give us some hints.

-- 
Erik

On Tue, May 10, 2016 at 10:35 PM, Igor S. Lopes <i...@rsantos.eti.br> wrote:

> Hi, thank you for your answer. Here is the translated error message:
>
> System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be
> read because it contains data that is not valid. --->
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin with
> the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>  --- End of inner exception stack trace ---
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader
> reader)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader
> reader, NamespaceContext context)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String
> encodedSamlMessage)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri
> baseUrl, NameValueCollection collection)
>    em
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri
> requestUrl, NameValueCollection form)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest
> httpRequest)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext)
>    em
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest
> request)
>    em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest
> request, ProtocolContext& protocolContext, PassiveProtocolHandler&
> protocolHandler)
>    em
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
> context)
>
> System.ArgumentException: ID4128: The value is not a valid SAML ID.
> Parameter name: value ---> System.Xml.XmlException: Name cannot begin with
> the '7' character, hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>  --- End of inner exception stack trace ---
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>    em
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> reader, SamlMessage message)
>
> System.Xml.XmlException: Name cannot begin with the '7' character,
> hexadecimal value 0x37.
>    em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> exceptionType)
>    em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
>
> There is a huge chance that I configured something wrong.
>
> Igor Steuck Lopes
>
>
> ----- Original Message -----
> From: "Erik Weber" <terbol...@gmail.com>
> To: "users" <users@cloudstack.apache.org>
> Sent: Tuesday, 10 May 2016 17:24:13
> Subject: Re: ADFS + CloudStack problem
>
> I haven't tried since I wrote that post, but it worked back then.
>
> Any chance that you could translate the error messages?
>
> Erik
>
> On Tuesday, 10 May 2016, Igor S. Lopes <i...@rsantos.eti.br>
> wrote:
>
> > Hi,
> > I am working with CloudStack and I'm intending to use it as a Service
> > Provider connected through SSO with our Active Directory Federation
> > Service.
> > I have no idea how to allow CloudStack to authenticate on the ADFS.
> > I tried to follow this guide
> > http://www.terbolo.us/2015/06/how-to-set-up-apache-cloudstack-4-5-24-6-0-and-saml-2-0-authentication-against-microsoft-adfs/
> > but a few problems showed up:
> >
> > 1 - Even though I had set the URL metadata to
> > https://<domain>/FederationMetadata/2007-06/FederationMetadata.xml
> > when I checked /var/log/cloudstack/management/management-server.log
> > for error messages I saw a few saying that CloudStack couldn't retrieve
> > the metadata file. So I did it manually.
> >
> > 2 - I configured the ADFS claims as shown in the 'how-to' but the
> > following error message shows up on my ADFS Event Logs. I already spent a
> > couple of hours browsing about this error but
> > nothing really useful came up:
> >
> > Error code: 364
> > (...)
> > System.Xml.XmlException: MSIS0018: Não é possível ler a mensagem do
> > protocolo SAML porque ela contém dados inválidos. --->
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> > ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> > reader, SamlMessage message)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> > reader, SamlMessage message)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader
> > reader)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader
> > reader, NamespaceContext context)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String
> > encodedSamlMessage)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri
> > baseUrl, NameValueCollection collection)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri
> > requestUrl, NameValueCollection form)
> > em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest
> > httpRequest)
> > em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest
> > request, ProtocolContext& protocolContext)
> > em
> >
> Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest
> > request)
> > em
> >
> Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest
> > request, ProtocolContext& protocolContext, PassiveProtocolHandler&
> > protocolHandler)
> > em
> >
> Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
> > context)
> >
> > System.ArgumentException: ID4128: O valor não é um ID de SAML válido.
> > Nome do parâmetro: value ---> System.Xml.XmlException: Um nome não pode
> > ser iniciado pelo caractere '7', valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > --- Fim do rastreamento de pilha de exceções internas ---
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> > em
> >
> Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader
> > reader, SamlMessage message)
> >
> > System.Xml.XmlException: Um nome não pode ser iniciado pelo caractere
> '7',
> > valor hexadecimal 0x37.
> > em System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType
> > exceptionType)
> > em Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
> >
> >
> > There are a few parts in Brazilian Portuguese, sorry about that.
> > Did anyone succeed in connecting CloudStack to an ADFS using the SAML
> > plugin?
> >
> > Thank you in advance.
> >
> > Igor Steuck Lopes
> >
> > --
> > This email was checked by SOPHOS UTM 9 SPAM & Virus Firewall.
> > http://www.rsantos.eti.br
> >
>
>
