mace-opensaml-users - Re: Problems signing/validating metadata

Subject: OpenSAML user discussion

  • From: Chad La Joie
  • Subject: Re: Problems signing/validating metadata
  • Date: Tue, 12 Feb 2008 11:42:22 +0100
  • Organization: SWITCH



Manuela Stanica wrote:
>> That error is pretty clear. You don't have an ID in what you're trying to sign. See SAML 2 metadata spec, line 374
>>
>> Yeah, we were just discussing this elsewhere. The SAML 2 metadata spec signature profile requires an ID attribute on the object to be signed. So you should endeavor to do that if you want to be spec-compliant. However, it is apparently common that people sign using whole document references (so Reference URI="" or absent), so the patch I checked in Sunday to the SAML content reference now supports signing in that manner if there is no ID attribute. Note in common usage in SAML 2 this could realistically only be metadata (because ID is optional there, not so in assertion and protocol elements), and you could only do it for the root EntityDescriptor or EntitiesDescriptor obviously.
>>
>> It's really probably better if you always use an ID attribute, though.


> I'm familiar with the ID attribute and the reason why I was confused is that in the metadata spec it appears as optional.

It's optional unless you want to sign it. Then you need an ID (at least you're supposed to have one; as Brent noted, we allow you to not have it with the latest code).

> Thanks for the info, and yes I think it's better to use it in our metadata after all. Having done that, I no longer get those errors but a new issue has come up. We are using in the metadata an extension to RoleDescriptor called OnlineCADescriptor and validation seems to fail when reaching this element. Here is how it looks in the xml file:
>
> <egmd:OnlineCADescriptor ID="testOnlineCA"
>     protocolSupportEnumeration="urn:geant:edugain:protocol:1.0 urn:mace:shibboleth:1.0"
>     xmlns:egmd="urn:geant:edugain:metadata">
>   <egmd:OnlineCAService Location="https://eduGAIN.org/test/ca">
>     <md:ServiceName xml:lang="en">Test OnlineCA</md:ServiceName>
>     <md:ServiceDescription xml:lang="en">eduGAIN test online CA service interface</md:ServiceDescription>
>   </egmd:OnlineCAService>
> </egmd:OnlineCADescriptor>
>
> The error I get is:
> org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'egmd:OnlineCADescriptor'. One of '{"urn:oasis:names:tc:SAML:2.0:metadata":RoleDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":IDPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":SPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AuthnAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AttributeAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":PDPDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":Organization, "urn:oasis:names:tc:SAML:2.0:metadata":ContactPerson, "urn:oasis:names:tc:SAML:2.0:metadata":AdditionalMetadataLocation}' is expected.
>   at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
>   at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
>   at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
>   at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
>   at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
>   at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
>   ...
>
> I'm assuming this occurs because it's an extension and doesn't get recognised/doesn't validate against the schema (?) What do I need to do to have it work?

Your XML is wrong. The metadata spec doesn't allow for new elements within an EntityDescriptor. If you create a new role you have to use <RoleDescriptor/> with an XSI type corresponding to your extension. So you'd have something like

<RoleDescriptor xsi:type="egmd:OnlineCADescriptor" />

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
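A pre-flight check for both problems in this thread, as an added Python example that is not OpenSAML code and not from the list: it reads metadata with the standard library, reports a signed element without an ID or a ds:Reference whose URI is empty or does not match "#<ID>", reports children of md:EntityDescriptor that the schema rejects (the cvc-complex-type.2.4.a case above), and rewrites a foreign role element into the md:RoleDescriptor xsi:type form Chad describes. The sample metadata, its entityID and ID values, and the Signature skeleton (no digests or SignatureValue) are constructed for the example.

```python
"""Pre-flight checks for SAML 2.0 metadata (added example, not OpenSAML code).

1. A signed element needs an ID and its ds:Reference URI must be "#<ID>"; an empty URI
   is a whole-document reference, tolerated by OpenSAML when no ID is present but not
   what the metadata signing profile asks for.
2. An extension role must be <md:RoleDescriptor xsi:type="..."/>, never a foreign
   element placed directly under md:EntityDescriptor.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
EGMD = "urn:geant:edugain:metadata"                 # extension namespace from the thread
for _p, _ns in (("md", MD), ("ds", DS), ("xsi", XSI), ("egmd", EGMD)):
    ET.register_namespace(_p, _ns)                  # readable prefixes when serialising

def q(ns, local):
    """Clark-notation tag name as ElementTree uses it."""
    return "{%s}%s" % (ns, local)

# Children the metadata schema allows under EntityDescriptor: roles, then the rest.
ROLE_ELEMENTS = {q(MD, n) for n in ("RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor",
    "AuthnAuthorityDescriptor", "AttributeAuthorityDescriptor", "PDPDescriptor")}
OTHER_CHILDREN = {q(MD, n) for n in ("Extensions", "AffiliationDescriptor", "Organization",
    "ContactPerson", "AdditionalMetadataLocation")} | {q(DS, "Signature")}

def check_signature_reference(root):
    """Return (code, detail) findings about the ds:Signature on `root`, if it has one."""
    findings, sig = [], root.find(q(DS, "Signature"))
    if sig is None:
        return findings                             # unsigned: nothing to check here
    elem_id = root.get("ID")
    if elem_id is None:
        findings.append(("no-id", "signed element has no ID attribute"))
    for ref in sig.findall(q(DS, "SignedInfo") + "/" + q(DS, "Reference")):
        uri = ref.get("URI", "")
        if uri == "":
            findings.append(("whole-document-reference", "Reference URI is empty or absent"))
        elif elem_id is None or uri != "#" + elem_id:
            findings.append(("reference-mismatch", "URI %r does not point at ID %r" % (uri, elem_id)))
    return findings

def check_entity_roles(entity):
    """Children Xerces rejects (cvc-complex-type.2.4.a), plus md:RoleDescriptor elements
    missing the xsi:type that the schema's abstract RoleDescriptorType requires."""
    findings = []
    for child in entity:
        if child.tag == q(MD, "RoleDescriptor"):
            if child.get(q(XSI, "type")) is None:
                findings.append(("roledescriptor-without-type", "md:RoleDescriptor needs xsi:type"))
        elif child.tag not in ROLE_ELEMENTS and child.tag not in OTHER_CHILDREN:
            findings.append(("foreign-child", "%s is not allowed under md:EntityDescriptor" % child.tag))
    return findings

def to_role_descriptor(elem, prefix):
    """Rebuild a foreign role as <md:RoleDescriptor xsi:type="prefix:Local"> keeping its
    attributes and children; `prefix` must be bound to that namespace in the output."""
    fixed = ET.Element(q(MD, "RoleDescriptor"), dict(elem.attrib))
    fixed.set(q(XSI, "type"), "%s:%s" % (prefix, elem.tag.rsplit("}", 1)[1]))
    fixed.text, fixed.tail = elem.text, elem.tail
    fixed.extend(list(elem))
    return fixed

def fix_entity_roles(entity, prefix_for_ns):
    """Rewrite foreign role children in place; returns how many were rewritten."""
    count = 0
    for i, child in enumerate(list(entity)):
        ns = child.tag[1:].rsplit("}", 1)[0] if child.tag.startswith("{") else ""
        if child.tag not in ROLE_ELEMENTS | OTHER_CHILDREN and ns in prefix_for_ns:
            entity.remove(child)
            entity.insert(i, to_role_descriptor(child, prefix_for_ns[ns]))
            count += 1
    return count

def lint(xml_text):
    """Parse metadata text and return (root, findings) from both checks."""
    root = ET.fromstring(xml_text)
    return root, check_signature_reference(root) + check_entity_roles(root)

# Constructed sample (entityID and ID values invented): the thread's extension role as a
# foreign element, inside a Signature skeleton whose Reference uses a whole-document URI.
SAMPLE = """<md:EntityDescriptor ID="_meta1" entityID="https://example.org/idp"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:egmd="urn:geant:edugain:metadata">
  <ds:Signature><ds:SignedInfo><ds:Reference URI=""/></ds:SignedInfo></ds:Signature>
  <egmd:OnlineCADescriptor ID="testOnlineCA"
      protocolSupportEnumeration="urn:geant:edugain:protocol:1.0 urn:mace:shibboleth:1.0">
    <egmd:OnlineCAService Location="https://eduGAIN.org/test/ca">
      <md:ServiceName xml:lang="en">Test OnlineCA</md:ServiceName>
    </egmd:OnlineCAService>
  </egmd:OnlineCADescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    root, findings = lint(SAMPLE)
    for code, detail in findings:
        print(code, "-", detail)
    fix_entity_roles(root, {EGMD: "egmd"})          # after this, check_entity_roles(root) == []
    print(ET.tostring(root, encoding="unicode"))
```

On the sample this reports the whole-document Reference and the foreign egmd:OnlineCADescriptor child, then prints the rewritten element. The rewrite only changes the XML shape: the schema for the egmd namespace still has to be loaded for xsi:type="egmd:OnlineCADescriptor" to validate, and because the rewrite alters the signed content, a signed document has to be re-signed afterwards, with the Reference pointing at the root's ID.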