PicketLink v2
PLINK2-10

SAML Assertion parsing - AttributeValue with nested element


    Details

    • Steps to Reproduce:

      1. Configure sales-post-sig against testshib.org IdP (https://idp.testshib.org/idp/profile/SAML2/POST/SSO).

      <?xml version="1.0" encoding="UTF-8" ?>
      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
              ServerEnvironment="tomcat"
              BindingType="POST"
              SupportsSignatures="true"
              CanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">

              <IdentityURL>https://idp.testshib.org/idp/profile/SAML2/POST/SSO</IdentityURL>
              <ServiceURL>http://your.domain/sales-post-sig/</ServiceURL>

              <KeyProvider
                    ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
                  <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
                  <Auth Key="KeyStorePass" Value="store123" />
                  <Auth Key="SigningKeyPass" Value="test123" />
                  <Auth Key="SigningKeyAlias" Value="servercert" />
                  <ValidatingAlias Key="localhost" Value="servercert" />
                  <ValidatingAlias Key="127.0.0.1" Value="servercert" />
              </KeyProvider>

          </PicketLinkSP>
          <!-- The opening Handlers element was missing from the pasted configuration
               (only the closing tag was present); it is restored here with the PicketLink
               handler configuration namespace so the file is well-formed. -->
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
                  <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
                  <Option Key="CLOCK_SKEW_MILIS" Value="180" />
              </Handler>
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
          </Handlers>
      </PicketLink>
      

      2. Write your metadata file and register on testshib.org.

      <?xml version="1.0" encoding="UTF-8" ?>
      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
              entityID="http://your.domain/sales-post-sig/" 
              validUntil="2012-12-30T01:00:00.000Z">
          <SPSSODescriptor
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <KeyDescriptor>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:X509Data>
                      <ds:X509Certificate>...</ds:X509Certificate>
                  </ds:X509Data>
                </ds:KeyInfo>
              </KeyDescriptor>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <AssertionConsumerService
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://your.domain/sales-post-sig/"
                  index="0" />
          </SPSSODescriptor>
      </EntityDescriptor>
      

      3. Run sales-post-sig, open the landing page, and log in at idp.testshib.org.

      4. You should then be redirected to error.jsp and see the following in the log:

      2012-12-04 22:38:15,779 [http-apr-127.0.0.1-8080-exec-10] ERROR org.picketlink.identity.federation - Service Provider could not handle the request.
      org.picketlink.identity.federation.core.exceptions.ProcessingException: PL00102: Processing Exception:
      	at org.picketlink.identity.federation.DefaultPicketLinkLogger.processingError(DefaultPicketLinkLogger.java:178)
      	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.decryptAssertion(SAML2AuthenticationHandler.java:456)
      	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:409)
      	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:134)
      	at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:64)
      	at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:105)
      	at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:86)
      	at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:422)
      	at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:298)
      	at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:253)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
      	at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
      	at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
      	at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(Unknown Source)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Unknown Source)
      	at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(Unknown Source)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
      	at java.lang.Thread.run(Thread.java:722)
      Caused by: ParsingException [location=null]org.picketlink.identity.federation.core.exceptions.ParsingException: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[19,4013]
      Message: elementGetText() function expects text only elment but START_ELEMENT was encountered.
      	at org.picketlink.identity.federation.DefaultPicketLinkLogger.parserException(DefaultPicketLinkLogger.java:429)
      	at org.picketlink.identity.federation.core.parsers.util.StaxParserUtil.getElementText(StaxParserUtil.java:164)
      	at org.picketlink.identity.federation.core.parsers.util.SAMLParserUtil.parseAttributeValue(SAMLParserUtil.java:296)
      	at org.picketlink.identity.federation.core.parsers.util.SAMLParserUtil.parseAttributeType(SAMLParserUtil.java:276)
      	at org.picketlink.identity.federation.core.parsers.util.SAMLParserUtil.parseAttribute(SAMLParserUtil.java:229)
      	at org.picketlink.identity.federation.core.parsers.util.SAMLParserUtil.parseAttributeStatement(SAMLParserUtil.java:204)
      	at org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser.parse(SAMLAssertionParser.java:145)
      	at org.picketlink.identity.federation.core.parsers.saml.SAMLParser.parse(SAMLParser.java:71)
      	at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.decryptAssertion(SAML2AuthenticationHandler.java:450)
      	... 19 more
      Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[19,4013]
      Message: elementGetText() function expects text only elment but START_ELEMENT was encountered.
      	at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.getElementText(XMLStreamReaderImpl.java:856)
      	at com.sun.xml.internal.stream.XMLEventReaderImpl.getElementText(XMLEventReaderImpl.java:186)
      	at org.picketlink.identity.federation.core.parsers.util.StaxParserUtil.getElementText(StaxParserUtil.java:161)
      	... 26 more
      

    • Affects:
      Compatibility/Configuration

      Description

      I’m testing PicketLink as an SP against the Shibboleth IdP on testshib.org. SAMLParser fails while parsing the Assertion response because there is a nested element in saml2:AttributeValue instead of a text node. The exception is thrown in org.picketlink.identity.federation.core.parsers.util.SAMLParserUtil#parseAttributeValue on line 300.

      Snippet of the Assertion response (after decrypting):

      ...
      <saml2:AttributeStatement>
      ...
            <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue>
                  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="http://your.domain/sales-post-sig/">fpirfQ6UDwH8oYvHPK8tI0456nE=</saml2:NameID>
               </saml2:AttributeValue>
            </saml2:Attribute>
      </saml2:AttributeStatement>
      ...
      

      Other AttributeValues look like:

            <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Me Myself And I</saml2:AttributeValue>
            </saml2:Attribute>
      
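      One way a parser can accept both AttributeValue shapes shown above, as an added example in Java that is not PicketLink's own code: it walks the StAX events inside AttributeValue instead of calling getElementText() unconditionally, and disables DTD and external-entity support because the assertion is untrusted input. The class name and the embedded snippet are the example's own constructions.

```java
import javax.xml.namespace.QName;
import javax.xml.stream.*;
import javax.xml.stream.events.*;
import java.io.StringReader;
import java.util.*;

// Added example, not PicketLink code: a StAX reader for saml2:Attribute values that accepts
// both a plain text value and a nested element (the saml2:NameID case from the report).
public class AttributeValueReader {
    // Constructed input modelled on the two AttributeValue shapes quoted in the report.
    static final String SNIPPET =
        "<saml2:AttributeStatement xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\">\n"
      + " <saml2:Attribute Name=\"urn:oid:2.5.4.3\"><saml2:AttributeValue>Me Myself And I</saml2:AttributeValue></saml2:Attribute>\n"
      + " <saml2:Attribute Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.10\"><saml2:AttributeValue>\n"
      + "  <saml2:NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">fpirfQ6UDwH8oYvHPK8tI0456nE=</saml2:NameID>\n"
      + " </saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>";
    public static Map<String, Object> readAttributes(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                      // an assertion is untrusted XML:
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);  // no DTD, no external entities
        XMLEventReader r = f.createXMLEventReader(new StringReader(xml));
        Map<String, Object> out = new LinkedHashMap<>();
        String name = null;
        while (r.hasNext()) {
            XMLEvent e = r.nextEvent();
            if (!e.isStartElement()) continue;
            StartElement s = e.asStartElement();
            if (s.getName().getLocalPart().equals("Attribute")) name = s.getAttributeByName(new QName("Name")).getValue();
            else if (s.getName().getLocalPart().equals("AttributeValue")) out.put(name, readValue(r));
        }
        return out;
    }
    // The reported parser called getElementText() right after <AttributeValue>, which throws on a
    // START_ELEMENT child; walking the events up to </AttributeValue> handles both shapes.
    static Object readValue(XMLEventReader r) throws XMLStreamException {
        StringBuilder text = new StringBuilder();
        Map<String, String> nested = null;
        while (r.hasNext()) {
            XMLEvent e = r.nextEvent();
            if (e.isEndElement()) break;                                        // </saml2:AttributeValue>
            if (e.isCharacters()) { text.append(e.asCharacters().getData()); continue; }
            if (!e.isStartElement()) continue;                                  // comments, PIs
            StartElement s = e.asStartElement();                                // e.g. saml2:NameID
            nested = new LinkedHashMap<>();
            for (Iterator<?> it = s.getAttributes(); it.hasNext(); ) { Attribute a = (Attribute) it.next(); nested.put(a.getName().getLocalPart(), a.getValue()); }
            nested.put("value", r.getElementText().trim());                     // NameID is text-only: safe here
        }
        return nested != null ? nested : text.toString().trim();
    }
}
```

      Calling readAttributes(SNIPPET) yields the cn attribute as a plain string and the eduPersonTargetedID attribute as a map holding the NameID's Format and its text value, where the reported parser would have thrown.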

      People

      • Assignee: Anil Saldanha (anil.saldhana)
      • Reporter: Jakub Jirutka (jirutka)
      • Votes: 0
      • Watchers: 3