Using SLO in ZITADEL causes "XML syntax error on line 1: invalid UTF-8"

Open samtoxie opened this issue 10 months ago • 3 comments

Describe the bug I recently tried integrating ZITADEL with Zammad via SAML. Everything seems to work properly; logging in etc. all works. The only feature I found that does not work is the SLO functionality, which causes various XML syntax errors. Every time SLO is attempted one of the following errors will be thrown, and SLO will not be completed:

2025-02-06 14:45:49.574	time="2025-02-06T13:45:49Z" level=error msg="XML syntax error on line 1: invalid UTF-8" caller="/home/runner/go/pkg/mod/github.com/zitadel/[email protected]/pkg/provider/checker/checker.go:112"
2025-02-06 14:45:21.229	time="2025-02-06T13:45:21Z" level=error msg="XML syntax error on line 1: invalid UTF-8" caller="/home/runner/go/pkg/mod/github.com/zitadel/[email protected]/pkg/provider/checker/checker.go:112"
2025-02-06 14:45:03.930	time="2025-02-06T13:45:03Z" level=error msg="XML syntax error on line 1: invalid character entity &# (no semicolon)" caller="/home/runner/go/pkg/mod/github.com/zitadel/[email protected]/pkg/provider/checker/checker.go:112"
2025-02-06 14:41:08.282	time="2025-02-06T13:41:08Z" level=error msg="XML syntax error on line 2: invalid UTF-8" caller="/home/runner/go/pkg/mod/github.com/zitadel/[email protected]/pkg/provider/checker/checker.go:112"
2025-02-06 14:39:48.617	time="2025-02-06T13:39:48Z" level=error msg="XML syntax error on line 2: invalid UTF-8" caller="/home/runner/go/pkg/mod/github.com/zitadel/[email protected]/pkg/provider/checker/checker.go:112"

I suspect it might be due to the XML being compressed or something like that? However, I'm not that familiar with SAML to really understand the problem; if it were up to me OIDC is the only way to go :P. When I try to decode the request using samltool.io I also can't see anything wrong, see screenshot below.

To Reproduce Steps to reproduce the behavior:

  1. Link Zammad to ZITADEL using saml
  2. Sign in using saml
  3. Click on logout in Zammad
  4. Observe the error in the browser
  5. Same error can be found in the logs

Expected behavior Expected behaviour would be ZITADEL accepting and processing the SLO request.

Screenshots: [two screenshots attached to the issue, not reproduced here]

Desktop (please complete the following information):

  • OS: Linux and Mac
  • Browser: Chrome, Safari and Firefox
  • Version: latest greatest

Additional context N/A

samtoxie avatar Feb 11 '25 08:02 samtoxie

Let me know if this is the right place for this report, I wasn't sure if it would be better in the zitadel repo or for the saml library.

samtoxie avatar Feb 11 '25 08:02 samtoxie

This happened in my case (Nextcloud SAML App) when sending the SLO SAMLRequest without an additional SAMLEncoding query parameter set to urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE

In case someone else struggles with the Nextcloud SAML App, you can add the SAMLEncoding parameter in the settings and the SAMLRequest will be merged into the query.

[screenshot of the Nextcloud SAML App settings, not reproduced here]

andrinheusser avatar May 25 '25 14:05 andrinheusser
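The two comments above describe the same mechanism from both ends: the SP sends the LogoutRequest over the HTTP-Redirect binding, where the XML is DEFLATE-compressed and base64-encoded before it goes into the SAMLRequest query parameter, and the IdP must inflate it before handing the bytes to its XML parser. If the IdP only inflates when SAMLEncoding explicitly says DEFLATE, a request sent without that parameter reaches the parser as raw compressed bytes, which is exactly what produces "invalid UTF-8" and "invalid character entity" style syntax errors. The Go program below is an added illustration written for this thread, not code from ZITADEL or the zitadel/saml library; the LogoutRequest struct is a minimal stand-in for the real message (no signature, no timestamps), and the `inflateIfUnset` switch is an assumption used to model the two receiver behaviours, not a flag of any real library.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
)

// SAMLEncodingDeflate is the identifier the HTTP-Redirect binding uses to
// announce DEFLATE compression of the SAMLRequest/SAMLResponse parameter.
const SAMLEncodingDeflate = "urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE"

// LogoutRequest is a minimal, illustrative model of a SAML LogoutRequest.
// A real message also carries Version, IssueInstant, Destination and a signature.
type LogoutRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutRequest"`
	ID      string   `xml:"ID,attr"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	NameID  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
}

// EncodeRedirect builds the query string an SP sends for the HTTP-Redirect
// binding: serialize XML, raw DEFLATE it, base64 it, URL-encode it. When
// withEncodingParam is true the SAMLEncoding parameter is added as well.
func EncodeRedirect(req LogoutRequest, withEncodingParam bool) (string, error) {
	raw, err := xml.Marshal(req)
	if err != nil {
		return "", err
	}
	var compressed bytes.Buffer
	w, err := flate.NewWriter(&compressed, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write(raw); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(compressed.Bytes()))
	if withEncodingParam {
		q.Set("SAMLEncoding", SAMLEncodingDeflate)
	}
	return q.Encode(), nil
}

// DecodeRedirect models the IdP side. It inflates when SAMLEncoding names
// DEFLATE, and, if inflateIfUnset is true, also when the parameter is absent
// (the SAML 2.0 Bindings spec treats DEFLATE as the default for this binding).
// A receiver that requires the explicit parameter feeds compressed bytes to
// the XML parser, which then fails with a syntax error of some kind.
func DecodeRedirect(query string, inflateIfUnset bool) (LogoutRequest, error) {
	var req LogoutRequest
	q, err := url.ParseQuery(query)
	if err != nil {
		return req, err
	}
	data, err := base64.StdEncoding.DecodeString(q.Get("SAMLRequest"))
	if err != nil {
		return req, err
	}
	enc := q.Get("SAMLEncoding")
	if enc == SAMLEncodingDeflate || (enc == "" && inflateIfUnset) {
		data, err = io.ReadAll(flate.NewReader(bytes.NewReader(data)))
		if err != nil {
			return req, err
		}
	}
	err = xml.Unmarshal(data, &req)
	return req, err
}

func main() {
	// Constructed sample request; the identifiers are placeholders.
	req := LogoutRequest{ID: "_placeholder-id", Issuer: "https://sp.example", NameID: "alice@example"}

	// Case 1: SP sends SAMLEncoding, strict IdP inflates and parses fine.
	q, _ := EncodeRedirect(req, true)
	_, err := DecodeRedirect(q, false)
	fmt.Println("with SAMLEncoding, strict receiver:", err)

	// Case 2: SP omits SAMLEncoding, strict IdP parses compressed bytes and fails.
	q, _ = EncodeRedirect(req, false)
	_, err = DecodeRedirect(q, false)
	fmt.Println("without SAMLEncoding, strict receiver:", err)

	// Case 3: same request, receiver that defaults to DEFLATE succeeds.
	_, err = DecodeRedirect(q, true)
	fmt.Println("without SAMLEncoding, default-DEFLATE receiver:", err)
}
```

Case 2 is the situation in the thread: the message is well-formed (which is why samltool.io shows nothing wrong once it has inflated it), the failure is purely in how the receiver decides whether to inflate. On the SP side, sending SAMLEncoding explicitly removes the ambiguity; on the IdP side, defaulting to DEFLATE when the parameter is absent is the spec-conformant behaviour. The exact error text in case 2 depends on what the compressed bytes happen to look like, which is why the original log shows both "invalid UTF-8" and "invalid character entity" variants.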


Ah nice, thanks for sharing. The application I used it for now supports OpenID Connect, so my fix was just switching to that instead of SAML xD

samtoxie avatar May 26 '25 12:05 samtoxie