
mace-opensaml-users - Re: Problems signing/validating metadata

Subject: OpenSAML user discussion


Re: Problems signing/validating metadata


  • From: Manuela Stanica <>
  • Subject: Re: Problems signing/validating metadata
  • Date: Tue, 12 Feb 2008 11:19:23 +0100

Hi,

thanks for your replies, it did help.

Chad La Joie wrote:

Do you mean you think that signing implies schema or signature validation? Neither is true.

Not in general, but it's just the way our signing classes are built.


That error is pretty clear. You don't have an ID in what you're trying to sign. See SAML 2 metadata spec, line 374

Yeah, we were just discussing this elsewhere. The SAML 2 metadata spec signature profile requires an ID attribute on the object to be signed. So you should endeavor to do that if you want to be spec-compliant. However, it is apparently common that people sign using whole document references (so Reference URI="" or absent), so the patch I checked in Sunday to the SAML content reference now supports signing in that manner if there is no ID attribute. Note in common usage in SAML 2 this could realistically only be metadata (because ID is optional there, not so in assertion and protocol elements), and you could only do it for the root EntityDescriptor or EntitiesDescriptor obviously.

It's really probably better if you always use an ID attribute, though.


I'm familiar with the ID attribute and the reason why I was confused is that in the metadata spec it appears as optional. Thanks for the info, and yes I think it's better to use it in our metadata after all. Having done that, I no longer get those errors but a new issue has come up. We are using in the metadata an extension to RoleDescriptor called OnlineCADescriptor and validation seems to fail when reaching this element. Here is how it looks in the XML file:

<egmd:OnlineCADescriptor ID="testOnlineCA"
    protocolSupportEnumeration="urn:geant:edugain:protocol:1.0 urn:mace:shibboleth:1.0"
    xmlns:egmd="urn:geant:edugain:metadata">
  <egmd:OnlineCAService Location="https://eduGAIN.org/test/ca">
    <md:ServiceName xml:lang="en">Test OnlineCA</md:ServiceName>
    <md:ServiceDescription xml:lang="en">eduGAIN test online CA service interface</md:ServiceDescription>
  </egmd:OnlineCAService>
</egmd:OnlineCADescriptor>

The error I get is:
org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'egmd:OnlineCADescriptor'. One of '{"urn:oasis:names:tc:SAML:2.0:metadata":RoleDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":IDPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":SPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AuthnAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AttributeAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":PDPDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":Organization, "urn:oasis:names:tc:SAML:2.0:metadata":ContactPerson, "urn:oasis:names:tc:SAML:2.0:metadata":AdditionalMetadataLocation}' is expected.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
...

I'm assuming this occurs because it's an extension and doesn't get recognised/doesn't validate against the schema (?) What do I need to do to have it work?

Thanks,
Manuela
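The two points raised in this thread, the ID-based versus whole-document signature reference and the extension element that the schema validator rejects, can both be checked mechanically. The script below is an added example, not code from OpenSAML or from anyone on this list. It uses only the Python standard library and constructed sample metadata (the entityID, the placeholder SignatureValue and the trimmed role descriptors are made up for the example); it does not verify the signature cryptographically, only the relationship between ds:Reference/@URI and the ID attribute, and it classifies EntityDescriptor children against the alternatives that the Xerces message above listed.

```python
"""Checks for the two issues in this thread: how an enveloped signature on SAML 2
metadata references the signed element, and which EntityDescriptor children fall
outside the content model named in the cvc-complex-type.2.4.a error.

Added example; not OpenSAML code. Standard library only, constructed input.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
EGMD = "urn:geant:edugain:metadata"  # extension namespace quoted in the thread

# The alternatives Xerces listed as valid where the extension element appeared
# (ds:Signature and md:Extensions come earlier in the content model).
ALLOWED_UNDER_ENTITY = {
    "RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor",
    "AuthnAuthorityDescriptor", "AttributeAuthorityDescriptor", "PDPDescriptor",
    "Organization", "ContactPerson", "AdditionalMetadataLocation",
}


def build_sample(root_id=None, reference_uri=None, role_xml=""):
    """Build a constructed metadata document with an enveloped-signature skeleton.

    root_id       : value for ID on EntityDescriptor (None = omit the attribute)
    reference_uri : value for ds:Reference/@URI (None = omit the attribute)
    role_xml      : constructed markup for the role-descriptor child
    """
    id_attr = f' ID="{root_id}"' if root_id is not None else ""
    uri_attr = f' URI="{reference_uri}"' if reference_uri is not None else ""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" xmlns:egmd="{EGMD}"'
        f' entityID="https://example.org/constructed"{id_attr}>'
        f"<ds:Signature><ds:SignedInfo><ds:Reference{uri_attr}/></ds:SignedInfo>"
        "<ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue>"
        f"</ds:Signature>{role_xml}</md:EntityDescriptor>"
    )


def classify_signature_reference(xml_text):
    """Report how the enveloped signature refers to the element it signs.

    'id-reference'   URI="#x" and the root carries ID="x": the form the SAML 2
                     metadata signature profile expects
    'whole-document' URI="" or no URI attribute: common in practice and accepted
                     by the patched content reference mentioned in the thread,
                     but not what the profile asks for
    'missing-id'     a URI is given but the root has no ID attribute at all
    'mismatch'       the URI names an ID other than the root's
    'unsigned'       no ds:Signature directly under the root
    """
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return "unsigned"
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI") if ref is not None else None
    if not uri:
        return "whole-document"
    root_id = root.get("ID")
    if root_id is None:
        return "missing-id"
    return "id-reference" if uri == "#" + root_id else "mismatch"


def children_outside_content_model(xml_text):
    """Return the Clark-notation tags of EntityDescriptor children that a schema
    validator rejects at the role-descriptor position."""
    root = ET.fromstring(xml_text)
    rejected = []
    for child in root:
        if child.tag.startswith("{"):
            ns, local = child.tag[1:].split("}", 1)
        else:
            ns, local = "", child.tag
        if (ns, local) in {(DS, "Signature"), (MD, "Extensions")}:
            continue  # legal earlier in the content model
        if ns == MD and local in ALLOWED_UNDER_ENTITY:
            continue
        rejected.append(child.tag)
    return rejected


# Constructed children: one standard role, one extension element placed directly
# under EntityDescriptor (the shape that produced the error quoted above).
STANDARD_ROLE = ('<md:SPSSODescriptor protocolSupportEnumeration='
                 '"urn:oasis:names:tc:SAML:2.0:protocol"/>')
EXTENSION_ROLE = ('<egmd:OnlineCADescriptor ID="testOnlineCA" '
                  'protocolSupportEnumeration="urn:geant:edugain:protocol:1.0"/>')

if __name__ == "__main__":
    for label, doc in [
        ("ID reference", build_sample("testEntity", "#testEntity", STANDARD_ROLE)),
        ("whole document", build_sample(None, "", STANDARD_ROLE)),
        ("extension child", build_sample("testEntity", "#testEntity", EXTENSION_ROLE)),
    ]:
        print(label, classify_signature_reference(doc),
              children_outside_content_model(doc))
```

When validating someone else's metadata, the reference check is the part worth keeping: accepting a reference that does not resolve to the element you are about to trust is how a validator ends up trusting the wrong element. On the schema side, the SAML 2 metadata schema's extension point for role descriptors is the md:RoleDescriptor element carrying an xsi:type that names the extension type; an extension-namespace element placed directly under EntityDescriptor, as in the sample, is exactly what the second function flags.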
