
mace-opensaml-users - Re: Problems signing/validating metadata

Subject: OpenSAML user discussion


Re: Problems signing/validating metadata


  • From: Manuela Stanica <>
  • Subject: Re: Problems signing/validating metadata
  • Date: Wed, 13 Feb 2008 10:46:31 +0100

Hi Brent,

thanks, I was happy to read your reply as it turns out what you describe is exactly what I had already done, in detail (following the model of how other RoleDescriptor implementations are constructed in openSAML). The only thing I haven't done is implementing object providers specifically as you said. What I'm doing is just registering them in the main marshaller class in my project after the bootstrap(), as in:
// register the extension providers after DefaultBootstrap.bootstrap(), keyed by element name
org.opensaml.xml.Configuration.registerObjectProvider(OnlineCADescriptor.DEFAULT_ELEMENT_NAME,
        new OnlineCADescriptorBuilder(), new OnlineCADescriptorMarshaller(),
        new OnlineCADescriptorUnmarshaller(), null);
org.opensaml.xml.Configuration.registerObjectProvider(OnlineCAService.DEFAULT_ELEMENT_NAME,
        new OnlineCAServiceBuilder(), new OnlineCAServiceMarshaller(),
        new OnlineCAServiceUnmarshaller(), null);

With that, marshalling and unmarshalling the EntityDescriptor(s) containing the new types works just fine. It's only when I now try to validate the EntityDescriptor with a SAMLSchemaBuilder.getSAML10Schema().newValidator() that I get the error I mentioned:

org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'egmd:OnlineCADescriptor'. One of '{"urn:oasis:names:tc:SAML:2.0:metadata":RoleDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":IDPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":SPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AuthnAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AttributeAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":PDPDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":Organization, "urn:oasis:names:tc:SAML:2.0:metadata":ContactPerson, "urn:oasis:names:tc:SAML:2.0:metadata":AdditionalMetadataLocation}' is expected.
ERROR net.geant.edugain.validation.Validator - document does not validate against SAML10 schema
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
......

Is there something else that I would need to do in terms of registering providers or so, the absence of which could cause the problem with validation?
I'll also take a look at the example you mentioned to see if it would help me gain some clarity about what I'm missing.

Manuela


Brent Putman wrote:
Chad, I think you're confusing RoleDescriptor with the EndpointTypes (which, BTW, for everyone else, themselves actually aren't xs:anyType, but have wildcard <any> elements and <anyAttribute>, and we implement them in a similar manner to the xs:anyTypes).

In the metadata schema, RoleDescriptorType is just a standard global, named type. But it's abstract, and therefore so are the corresponding opensaml2 classes (impl, marshaller, unmarshaller), so that's why there's no builder - you can't build an element with that default type or with an explicit type declaration of xsi:type="RoleDescriptorType".

This is what you want to consult. It may be a little out of date.
https://spaces.internet2.edu/display/SHIB/OSTwoDeveloperManual

More specifically:

You need to extend the RoleDescriptor interface with a new interface that represents the things in your extension content model for the OnlineCADescriptor. Be sure to override the TYPE_LOCAL_NAME and TYPE_NAME constants.

Then supply a new non-abstract impl, which implements the new interface and extends RoleDescriptorImpl. Also extend RoleDescriptorMarshaller and -Unmarshaller appropriately.

Then supply a builder that builds the object.

Take a look at our code for one of the concrete SAML 2 role descriptors for an example, e.g. AttributeAuthorityDescriptor.

Also, you need to implement providers for whatever other new types/elements you may have defined as content of the role descriptor, such as egmd:OnlineCAService (looks like maybe a new type by extension of EndpointType?).

Finally register those new providers in a new config file and load the new providers into the runtime Configuration, either by extending DefaultBootstrap, or by using XMLConfigurator directly.


--Brent



Chad La Joie wrote:
<RoleDescriptor> is an any type. See the documentation on the OpenSAML user's manual.

https://spaces.internet2.edu/display/SHIB/OSTwoUsrManJavaAnyTypes

Manuela Stanica wrote:
Chad La Joie wrote:

Your XML is wrong. The metadata spec doesn't allow for new elements within an EntityDescriptor. If you create a new role you have to use <RoleDescriptor/> with an XSI type corresponding to your extension. So you'd have something like

<RoleDescriptor xsi:type="egmd:OnlineCADescriptor" />

When I first looked at how to go about including an OnlineCADescriptor I did want to build a RoleDescriptor but couldn't find any RoleDescriptorBuilder. So how can I create/build that element in order to include it and marshal it in the metadata?

Manuela
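The extension layout Brent describes, as an added example that is not code from this thread or from OpenSAML itself: the new role is an md:RoleDescriptor element whose xsi:type carries the extension, which is the only shape the SAML 2 metadata schema accepts and why a literal egmd:OnlineCADescriptor element trips the cvc-complex-type.2.4.a check quoted above. The egmd namespace URI is a placeholder, OnlineCADescriptorMarshaller/Unmarshaller are assumed to be Manuela's existing classes, and the egmd:OnlineCAService children are left out.

```java
import java.util.Collections;
import java.util.List;
import javax.xml.namespace.QName;
import org.opensaml.common.impl.AbstractSAMLObjectBuilder;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml2.metadata.impl.RoleDescriptorImpl;
import org.opensaml.xml.Configuration;

// Extension role interface: the element stays md:RoleDescriptor, the extension lives in xsi:type,
// so only the TYPE_* constants are overridden; there is no egmd:OnlineCADescriptor element.
interface OnlineCADescriptor extends RoleDescriptor {
    String EGMD_NS = "urn:example:egmd:PLACEHOLDER"; // assumed; put the real egmd namespace URI here
    String EGMD_PREFIX = "egmd";
    String TYPE_LOCAL_NAME = "OnlineCADescriptorType";
    QName TYPE_NAME = new QName(EGMD_NS, TYPE_LOCAL_NAME, EGMD_PREFIX);
}

// Concrete impl; RoleDescriptorImpl already handles Signature, Extensions, KeyDescriptor, etc.
class OnlineCADescriptorImpl extends RoleDescriptorImpl implements OnlineCADescriptor {
    OnlineCADescriptorImpl(String namespaceURI, String elementLocalName, String namespacePrefix) {
        super(namespaceURI, elementLocalName, namespacePrefix);
    }
    public List<Endpoint> getEndpoints() { // OnlineCAService endpoints would be collected here
        return Collections.emptyList();
    }
}

// Builder: the default object is an md:RoleDescriptor element, as for AttributeAuthorityDescriptor.
class OnlineCADescriptorBuilder extends AbstractSAMLObjectBuilder<OnlineCADescriptor> {
    public OnlineCADescriptor buildObject() {
        return buildObject(SAMLConstants.SAML20MD_NS, RoleDescriptor.DEFAULT_ELEMENT_LOCAL_NAME,
                SAMLConstants.SAML20MD_PREFIX);
    }
    public OnlineCADescriptor buildObject(String namespaceURI, String localName, String namespacePrefix) {
        return new OnlineCADescriptorImpl(namespaceURI, localName, namespacePrefix);
    }
}

public class OnlineCAProviderSetup {
    // Register under TYPE_NAME: OpenSAML selects the provider by xsi:type before element name.
    // OnlineCADescriptorMarshaller/Unmarshaller are the classes named in the thread (assumed present).
    static void register() {
        Configuration.registerObjectProvider(OnlineCADescriptor.TYPE_NAME, new OnlineCADescriptorBuilder(),
                new OnlineCADescriptorMarshaller(), new OnlineCADescriptorUnmarshaller(), null);
    }
    // Yields <md:RoleDescriptor xsi:type="egmd:OnlineCADescriptorType"/>, which the md schema accepts.
    static OnlineCADescriptor newRole() {
        return new OnlineCADescriptorBuilder().buildObject(RoleDescriptor.DEFAULT_ELEMENT_NAME, OnlineCADescriptor.TYPE_NAME);
    }
}
```

Schema validation additionally needs the egmd extension XSD loaded alongside the SAML metadata schema; otherwise the xsi:type resolves to an unknown type and Xerces rejects the element with a different cvc error.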





