gaust

Reputation: 11

pac4j SAML migration from 5.7.7 to 6.0.0 RoleDescriptor Error

After migrating from pac4j 5.7.7 to 6.0.0, our SAML login from ADFS doesn't work anymore because of that error:

org.opensaml.core.xml.io.UnmarshallingException: Saw invalid child element {urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor on parent {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor

Error initializing idp metadata resolver
org.pac4j.core.exception.TechnicalException: Error initializing idp metadata resolver
    at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.initializeMetadataResolver(SAML2IdentityProviderMetadataResolver.java:108)
    at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.internalLoad(SAML2IdentityProviderMetadataResolver.java:78)
    at org.pac4j.core.resource.SpringResourceLoader.load(SpringResourceLoader.java:50)
    at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.resolve(SAML2IdentityProviderMetadataResolver.java:71)
    at org.pac4j.saml.client.SAML2Client.initIdentityProviderMetadataResolver(SAML2Client.java:221)
    at org.pac4j.saml.client.SAML2Client.internalInit(SAML2Client.java:115)
    at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:61)
    at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:38)
    at org.pac4j.core.client.IndirectClient.getRedirectionAction(IndirectClient.java:115)
    at org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:240)
    at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:160)
Caused by: net.shibboleth.shared.component.ComponentInitializationException: Unable to unmarshall metadata element
    at org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver.initMetadataResolver(DOMMetadataResolver.java:67)
    at org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.doInitialize(AbstractMetadataResolver.java:373)
    at net.shibboleth.shared.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:62)
    at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.initializeMetadataResolver(SAML2IdentityProviderMetadataResolver.java:103)
Caused by: org.opensaml.core.xml.io.UnmarshallingException: Saw invalid child element {urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor on parent {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor
    at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.processChildElement(AbstractXMLObjectUnmarshaller.java:383)
    at org.opensaml.saml.saml2.metadata.impl.EntityDescriptorUnmarshaller.processChildElement(EntityDescriptorUnmarshaller.java:64)
    at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:348)
    at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:139)
    at org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver.initMetadataResolver(DOMMetadataResolver.java:60)

Does someone have an idea what changes in pac4j 6.0 cause this error? And how to correct it? Thanks!

============= UPDATE =============

After digging through the logs and comparing the logs generated by v5.7.7 and v6.1.0: the differences are after Pac4jHTTPPostDecoder - TokenController - Decoded SAML message. I've got more logs from SAML2IdentityProviderMetadataResolver and SAML2AuthnResponseValidator in 5.7.7 but none of that in v6.1.0...

Upvotes: 0

Views: 52

Answers (1)

jleleu

Reputation: 2699

pac4j v6 comes with OpenSAML v5 so the parsing may be more strict. Maybe there is something wrong in your SAML IdP metadata, like some extra line before <?xml or something like that.

Upvotes: 0
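The two things this thread points at (bytes before `<?xml`, and the abstract `md:RoleDescriptor` children that ADFS federation metadata carries for its WS-Federation roles, distinguished only by `xsi:type`) can be checked offline before the file is handed to pac4j. The script below is an added diagnostic, not code from the asker, the answerer, pac4j or OpenSAML. It assumes an ADFS-style FederationMetadata.xml with `md:EntityDescriptor` as root; the sample document, its entityID and the host adfs.example.test are constructed, and the function names are mine. Whether the RoleDescriptor elements are what OpenSAML 5 objects to in this case is not settled by the thread; the script only makes them visible and lets you try a SAML-only copy.

```python
"""Offline checks for a SAML IdP metadata file (added illustration, not pac4j code)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
FED_NS = "http://docs.oasis-open.org/wsfed/federation/200706"  # WS-Federation, used by ADFS
UTF8_BOM = b"\xef\xbb\xbf"

for prefix, uri in (("md", MD_NS), ("ds", DS_NS), ("xsi", XSI_NS), ("fed", FED_NS)):
    ET.register_namespace(prefix, uri)  # keep familiar prefixes when re-serialising

ENTITY_DESCRIPTOR = f"{{{MD_NS}}}EntityDescriptor"
ROLE_DESCRIPTOR = f"{{{MD_NS}}}RoleDescriptor"

# Elements SAML 2.0 metadata permits directly under md:EntityDescriptor.
ALLOWED_CHILDREN = {f"{{{DS_NS}}}Signature"} | {
    f"{{{MD_NS}}}{name}"
    for name in (
        "Extensions", "RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor",
        "AuthnAuthorityDescriptor", "AttributeAuthorityDescriptor", "PDPDescriptor",
        "AffiliationDescriptor", "Organization", "ContactPerson",
        "AdditionalMetadataLocation",
    )
}

# Constructed sample in the shape of an ADFS FederationMetadata.xml, with a
# deliberate stray newline before the XML declaration (the kind of defect the
# answer above suggests looking for).
SAMPLE_METADATA = b"""
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def bytes_before_xml(raw: bytes) -> int:
    """Count bytes preceding the first '<?xml' (or the first '<' when there is
    no declaration). A UTF-8 BOM is tolerated and not counted."""
    body = raw[len(UTF8_BOM):] if raw.startswith(UTF8_BOM) else raw
    marker = b"<?xml" if b"<?xml" in body else b"<"
    return max(body.find(marker), 0)


def _parse(raw: bytes) -> ET.Element:
    """Parse the document after skipping any leading junk; insist on md:EntityDescriptor."""
    body = raw[len(UTF8_BOM):] if raw.startswith(UTF8_BOM) else raw
    root = ET.fromstring(body[bytes_before_xml(raw):])
    if root.tag != ENTITY_DESCRIPTOR:
        raise ValueError(f"root element is {root.tag}, expected md:EntityDescriptor")
    return root


def inspect_metadata(raw: bytes) -> dict:
    """Summarise what a strict metadata parser will encounter at the top level."""
    root = _parse(raw)
    report = {
        "leading_bytes": bytes_before_xml(raw),
        "entity_id": root.get("entityID"),
        "role_descriptors": [],   # xsi:type of each abstract RoleDescriptor
        "unexpected_children": [],
    }
    for child in root:
        if child.tag == ROLE_DESCRIPTOR:
            # The abstract element is only meaningful through its xsi:type.
            report["role_descriptors"].append(child.get(f"{{{XSI_NS}}}type"))
        elif child.tag not in ALLOWED_CHILDREN:
            report["unexpected_children"].append(child.tag)
    return report


def saml_only_copy(raw: bytes) -> bytes:
    """Return the metadata with the abstract RoleDescriptor elements removed.
    Any ds:Signature over the original no longer verifies afterwards, so use
    the copy only to test whether those elements are what the parser rejects,
    never as the trusted metadata source for production."""
    root = _parse(raw)
    for child in [c for c in root if c.tag == ROLE_DESCRIPTOR]:
        root.remove(child)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_METADATA))
    print(saml_only_copy(SAMPLE_METADATA).decode())
```

Run it against the metadata file pac4j is actually given (`inspect_metadata(open(path, "rb").read())`). A non-zero `leading_bytes` is the "extra line before `<?xml`" case from the answer; a non-empty `role_descriptors` list shows the WS-Federation roles ADFS advertises alongside the `IDPSSODescriptor`. If a `saml_only_copy` loads where the original fails, the fix belongs at the metadata source (an unsigned, SAML-only export or a filtered copy you re-verify), not in the parser.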
