
Error: SAMLResponse is not valid base64-encoded XML #806

Closed
deeptiranjandrb opened this issue Nov 8, 2022 Discussed in #805 · 2 comments

Comments

@deeptiranjandrb

Discussed in #805

Originally posted by deeptiranjandrb November 8, 2022
I am getting the error below in my project:

```
Error: SAMLResponse is not valid base64-encoded XML
    at SAML.validatePostResponseAsync (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/passport-saml/lib/node-saml/saml.js:562:23)
    at MultiSamlStrategy.authenticate (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/passport-saml/lib/passport-saml/strategy.js:80:18)
    at /Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/passport-saml/lib/passport-saml/multiSamlStrategy.js:28:32
    at findProvider (/Users/dbali00/Documents/pure_repos/customer-management-ui/routes/api-config/passport.js:31:14)
    at Object.getSamlOptions (/Users/dbali00/Documents/pure_repos/customer-management-ui/routes/api-config/passport.js:37:9)
    at MultiSamlStrategy.authenticate (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/passport-saml/lib/passport-saml/multiSamlStrategy.js:21:23)
    at attempt (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/passport/lib/middleware/authenticate.js:369:16)
    at authenticate (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/passport/lib/middleware/authenticate.js:370:7)
    at Layer.handle [as handle_request] (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/express/lib/router/layer.js:95:5)
    at next (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/express/lib/router/layer.js:95:5)
    at /Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/express/lib/router/index.js:335:12)
    at next (/Users/dbali00/Documents/pure_repos/customer-management-ui/node_modules/express/lib/router/index.js:275:10)
    at /Users/dbali00/Documents/pure_repos/customer-management-ui/server-csr-proxy.js:109:5
```

Previously, the same project was running after building, but it has stopped working. There are no code/package updates in the project.

I am using version 3.2.0 and tried upgrading to 3.2.4, but I am still receiving the same error. Can somebody please help me with the issue?

@srd90

srd90 commented Nov 8, 2022

There don't seem to be any code changes in passport-saml's authn response handling execution path (between versions 3.2.0 -> 3.2.4) which would be executed prior to the code line designated by your stack trace.
See diff between passport-saml versions 3.2.0 and 3.2.4
(your stack trace's exception is thrown at line 748 of src/node-saml/saml.ts; see the aforementioned diff).

There have been changes in the dependencies which are used to process the authn response XML message.
Especially @xmldom/xmldom has had updates (and it was also updated in passport-saml's package.json, from 3.2.0's

```
"@xmldom/xmldom": "^0.7.5",
```

to 3.2.4's

```
"@xmldom/xmldom": "^0.7.6",
```
).

Because @xmldom/xmldom is ^0.7.5/^0.7.6, if you have used npm install you might have any version of @xmldom/xmldom which fulfills those semvers (e.g. 0.7.6, 0.7.7, 0.7.8 or 0.7.9).

See @xmldom/xmldom's CHANGELOG.md up to version 0.7.9:
https://github.com/xmldom/xmldom/blob/927392f627e8f9cf1ea051612c7996596a904c78/CHANGELOG.md

Especially the fix introduced in @xmldom/xmldom's 0.7.7 might affect your service if your IdP is sending malformed (authn response) XML.

Use SAML tracer to capture the authn response and see whether it is a well-formed XML message (but do NOT post any SAML messages from a production environment to GitHub or to any other forums).

Another approach would be to write a simple test program to test this functionality:

```ts
// passport-saml, src/node-saml/saml.ts: the check that throws the error in the stack trace
xml = Buffer.from(container.SAMLResponse, "base64").toString("utf8");
doc = parseDomFromString(xml);
if (!Object.prototype.hasOwnProperty.call(doc, "documentElement"))
  throw new Error("SAMLResponse is not valid base64-encoded XML");

// passport-saml's DOM parsing helper, backed by @xmldom/xmldom
export const parseDomFromString = (xml: string): Document => {
  return new xmldom.DOMParser().parseFromString(xml);
};
```

An example of a test program would be something like this (untested example code snippet):

```js
// test with @xmldom/xmldom versions 0.7.5 ... 0.7.9
const xmldom = require("@xmldom/xmldom");

const fooinput = "...base64encoded value i.e. value of SAMLResponse parameter...";
const xml = Buffer.from(fooinput, "base64").toString("utf8");
const doc = new xmldom.DOMParser().parseFromString(xml);
if (!Object.prototype.hasOwnProperty.call(doc, "documentElement"))
  throw new Error("SAMLResponse is not valid base64-encoded XML");
```

BTW, you want to have a version of @xmldom/xmldom with the fix introduced in its 0.7.7 version (i.e. do not consider pinning @xmldom/xmldom to an older version). If your IdP is sending malformed XML, contact the IdP administrators.
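An added example (not srd90's snippet and not passport-saml's code) that runs the same decode-and-parse check on constructed inputs and reports why each one fails, so a truncated IdP response can be told apart from a bad base64 value or an HTML error page returned in place of a Response. It uses Node built-ins only; a simplified tag-balance scan stands in for @xmldom/xmldom, and the function names and sample inputs are invented for the example.

```javascript
// Added example, not passport-saml's or the thread's code: classify why a POST-binding SAMLResponse
// fails the "base64-encoded XML" check, with Node built-ins only. The XML check is a simplified tag-balance scan.

// Strict base64 decode: Buffer.from() silently drops invalid characters, so also require a round trip.
function strictBase64Decode(value) {
  const compact = value.replace(/\s+/g, "");
  if (compact === "" || compact.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(compact)) return null;
  const bytes = Buffer.from(compact, "base64");
  return bytes.toString("base64") === compact ? bytes : null;
}

// Root element name if every start tag is closed in order and there is exactly one root, else null.
function rootElementName(xml) {
  const text = xml.replace(/^\uFEFF/, "").replace(/<\?[\s\S]*?\?>|<!--[\s\S]*?-->/g, "").trim();
  if (!text.startsWith("<")) return null;
  const tagRe = /<(\/?)([A-Za-z_][\w.:-]*)(?:\s[^<>]*?)?(\/?)>/g;
  const stack = [];
  let root = null, last = 0, m;
  while ((m = tagRe.exec(text)) !== null) {
    if (text.slice(last, m.index).includes("<")) return null; // stray '<' between tags
    last = tagRe.lastIndex;
    const [, closing, name, selfClosing] = m;
    if (closing) {
      if (stack.pop() !== name) return null; // mismatched or unbalanced end tag
    } else {
      if (root === null) root = name;
      else if (stack.length === 0) return null; // second top-level element
      if (!selfClosing) stack.push(name);
    }
  }
  return stack.length === 0 && root !== null && !text.slice(last).includes("<") ? root : null;
}

// Same outcome as passport-saml's decode-and-parse check, plus the reason it failed.
function diagnoseSamlResponse(samlResponseParam) {
  const bytes = strictBase64Decode(samlResponseParam);
  if (bytes === null) return { ok: false, reason: "not-base64" };
  const root = rootElementName(bytes.toString("utf8"));
  if (root === null) return { ok: false, reason: "malformed-xml" };
  if (!/(^|:)Response$/.test(root)) return { ok: false, reason: "unexpected-root", root };
  return { ok: true, root };
}

// Constructed sample inputs (not captured SAML messages).
const b64 = (s) => Buffer.from(s).toString("base64");
const WELL_FORMED = b64('<?xml version="1.0"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response>');
const TRUNCATED = b64('<samlp:Response ID="_c2"><saml:Issuer>idp</saml:Issuer>'); // cut off before the closing tag
const HTML_ERROR_PAGE = b64("<html><body>Login failed</body></html>"); // well-formed, but not a Response
const NOT_BASE64 = "not*valid*base64!!";
```

The reasons map onto what the thread discusses: "malformed-xml" is the case the stricter @xmldom/xmldom 0.7.7 parser now rejects, and is the one to raise with the IdP administrators.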

@cjbarth (Collaborator)

cjbarth commented Nov 12, 2022

In addition to the always helpful comments by @srd90, I would also suggest that you use https://www.samltool.com/ to help you test the validity of your XML.

Also, since there is nothing in the discussion you linked to, or in this open issue, about your previously working setup, nor any information about what debugging you've tried, I'm going to close this. If you post with more information, we'll reopen it.

@cjbarth cjbarth closed this as completed Nov 12, 2022