SAML in Mendix v4 error on metadata import: DerInputStream.getLength(): lengthTag=127, too big.

Hi All,   I have a strange situation here.  I am using the SAML 2 module in the cloud and am importing the IdP metadata by file.  This works just fine locally, but when I attempt to do the import in the cloud, I get an error when I click 'refresh metadata' or after selecting the IdP Metadata xml file in the wizard.  The error is: 1:31:23 AM sys INFO at org.eclipse.jetty.http.HttpParser.parseAvailable( 1:31:23 AM sys INFO at 1:31:23 AM sys INFO at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob( 1:31:23 AM sys INFO at$ 1:31:23 AM sys INFO Caused by: DerInputStream.getLength(): lengthTag=127, too big. 1:31:23 AM sys INFO at org.eclipse.jetty.util.thread.QueuedThreadPool$ 1:31:23 AM sys INFO at ... I know this is the way we are parsing the <ns1:X509Certificate> field in my xml, which is a big long string of characters.  I am sure of this because if I remove this field from my XML I can import it just fine (SAML doesn't work in this case, of course).  I have used the same file when Setting up SSO in Mendix 6 on the v3 cloud, but now that I am in Mendix 7 on the v4 cloud there is an issue.  When I perform this activity locally using Mendix 6 and 7 it works fine.  I am on version 7.2 which isn't in the dropdown Has anyone seen this error before in parsing an X509 certificate or any other XML within the Mendix platform?   Thanks, Rob  
3 answers

I've got the SAML module working in Mx 7.1.1 with the Cloud V4. The importance what I foud was that the content of the certificates of the ADFS Metadata XML isn't imported correctly by Mendix. I've tested this with printing the raw certificate data in the console log from the Java ''. In the cloud the raw data was completely different than locally. Where locally the raw data is the same as the Base64 binary of the Metadata XML.

What I did:

  • In the XML-to-domain mapping for the Metadata XML I've changed the binary contents from the filedocument contents to the base64 String. 
  • In the Java I've just picked up that string in the '' and changed to functions:
public static void extractCertificateMetaData( IContext context, IMendixObject certObj ) throws IOException, CertificateException {
	X509Certificate cert = X509Certificate.initialize(context, certObj);		
	// Verify the certificate content and extract the basic information such as issuer/subject/etc
	String contents = getCertificateContents(cert.getBase64());

And just parse the Base64 raw data as certificate without the header and footer.

public static String getCertificateContents( String tagValue ) throws CertificateException, IOException {
	//tagValue = "-----BEGIN CERTIFICATE-----\r\n" + StringUtils.trim(tagValue) + "\r\n-----END CERTIFICATE-----";
	InputStream inStream = new ByteArrayInputStream(Base64.getDecoder().decode(tagValue.trim()));

	CertificateFactory cf = CertificateFactory.getInstance("X.509");
	Certificate cert = cf.generateCertificate(inStream);

	return cert.toString();

For me this got it working with the help of stackoverflow


Did you have a look at ? A bug seems unlikely here.


New version  available for this issue according to the release notes: