Error: "The XML is malformed" importing SAML2 metadata from 3rd party Service Provider

  • 7012757
  • 02-Jul-2013
  • 02-Jul-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server
NetIQ Access Manager 3.2 Support Pack 2 applied

Situation

Trying to build a SAML setup between the NAM Identity (IDP) server and a 3rd party SAML2 Service Provider (SP). After adding the new SP, and pasting the metadata to the metadata field, the following error appeared after clicking the next field:

The XML is malformed. cvc-datatype-valid.1.2.1: 'https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/0/1' is not a valid value for 'NCName'.

Looking at the metadata, the URL referenced below was part of the ID in the EntityDescriptor header shown below:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
ID="https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/0/1"
cacheDuration="PT12H0M0.000S"
entityID="https://m00.testsps.n0v3ll.com/samlv2/idp/metadata/1/1"
validUntil="2013-07-02T04:49:52.809Z"><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
:
:




Resolution

The ID field within the metadata is a unique identifier for that document only. Remove any reference to the ':' or '/' character and import the metadata again.

This is a NAM defect because technically the docs do not state what characters should or should not be used in the metadata ID field. from the metadata specs:

The specs do not stipulate what it has to be 

 2.3.2 Element <EntityDescriptor>
The <EntityDescriptor> element specifies metadata for a single SAML entity. A
single entity may act
in many different roles in the support of multiple profiles. This specification
directly supports the following
concrete roles as well as the abstract <RoleDescriptor> element for
extensibility (see subsequent
sections for more details):
• SSO Identity Provider
• SSO Service Provider
• Authentication Authority
• Attribute Authority
• Policy Decision Point
• Affiliation
Its EntityDescriptorType complex type consists of the following elements and
attributes:
entityID [Required]
Specifies the unique identifier of the SAML entity whose metadata is described
by the element's
contents.
ID [Optional]
A document-unique identifier for the element, typically used as a reference
point when signing.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.