mace-opensaml-users - Re: Metadata Validity
- From: "Lhunath (Maarten B.)" <>
- Subject: Re: Metadata Validity
- Date: Thu, 17 Dec 2009 16:31:23 +0100
On 17 Dec 2009, at 13:18, Lhunath (Maarten B.) wrote:
>
> I'm working on generating SAMLv2 metadata using OpenSAML for consumption by
> Sun's OpenSSO.
>
> I've set up the OpenSAML part and am generating metadata for three
> services. OpenSSO, however, is not accepting the resulting metadata.
>
> The following generated metadata causes OpenSSO to say "Unable to find
> certificate to verify signature under element "EntityDescriptor"."
> http://stuff.lhunath.com/metadata-no-cert-found.xml
>
> I then attempted explicitly adding KeyInfo to the Signature on my
> EntityDescriptor root element, which got me a bit "further":
>
> The following generated metadata causes OpenSSO to say "Unexpected element
> {urn:oasis:names:tc:SAML:2.0:metadata}:KeyDescriptor"
> http://stuff.lhunath.com/metadata-unexpected-key.xml
>
> Removing the KeyDescriptors from the metadata altogether (do they serve a
> specific purpose still when they all specify the same certificate and it's
> now specified in the Signature's KeyInfo?) gave me another message yet:
>
> The following generated metadata causes OpenSSO to say "Unexpected element
> {urn:oasis:names:tc:SAML:2.0:metadata}:SingleLogoutService"
> http://stuff.lhunath.com/metadata-unexpected-slo.xml
>
> As far as I can gather from the SAMLv2 Metadata specification, both
> metadata files are valid; though perhaps I am overlooking something.
For what it's worth, it appears my metadata was missing the
supportedProtocolsEnumeration.
idpSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
attributeAuthorityDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
Adding these two resolved the issue. I discovered the issue by validating
the generated metadata using xmllint against the Oasis SAML Metadata schema.
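The fix described above, as an added example that is not code from the thread or from the OpenSAML project: it builds an IDPSSODescriptor with OpenSAML 2.x both with and without the supported-protocol declaration, marshals each, and validates the result against the OASIS metadata schema in-process with JAXP instead of xmllint. It assumes OpenSAML 2.x on the classpath, that `saml-schema-metadata-2.0.xsd` and the schemas it imports sit together in one directory (path given on the command line), and placeholder entityID and endpoint URLs.

```java
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
import javax.xml.XMLConstants;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.SchemaFactory;
import java.io.File;

public class MetadataProtocolCheck {
    // Builds an EntityDescriptor with one IDPSSODescriptor; the flag controls whether
    // protocolSupportEnumeration is populated (the attribute the thread found missing).
    static EntityDescriptor buildIdp(boolean declareProtocol) {
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        EntityDescriptor ed = (EntityDescriptor) bf.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME)
                .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME);
        ed.setEntityID("https://idp.example.org/metadata"); // placeholder entityID
        IDPSSODescriptor idp = (IDPSSODescriptor) bf.getBuilder(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)
                .buildObject(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
        if (declareProtocol) {
            idp.addSupportedProtocol(SAMLConstants.SAML20P_NS); // emits protocolSupportEnumeration
        }
        SingleLogoutService slo = (SingleLogoutService) bf.getBuilder(SingleLogoutService.DEFAULT_ELEMENT_NAME)
                .buildObject(SingleLogoutService.DEFAULT_ELEMENT_NAME);
        slo.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        slo.setLocation("https://idp.example.org/slo"); // placeholder endpoint
        idp.getSingleLogoutServices().add(slo);
        ed.getRoleDescriptors().add(idp);
        return ed;
    }

    // Marshals the object to DOM and schema-validates it; returns null on success,
    // otherwise the validator's error message (same check the thread ran with xmllint).
    static String validate(EntityDescriptor ed, File metadataXsd) throws Exception {
        Element dom = Configuration.getMarshallerFactory().getMarshaller(ed).marshall(ed);
        try {
            SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
                    .newSchema(metadataXsd).newValidator().validate(new DOMSource(dom));
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        File xsd = new File(args[0]); // path to saml-schema-metadata-2.0.xsd
        System.out.println("without supported protocol: " + validate(buildIdp(false), xsd));
        System.out.println("with supported protocol:    " + validate(buildIdp(true), xsd));
    }
}
```

Running the schema check on generated metadata before handing it to the consuming product turns a misleading "Unexpected element" message into a direct report of the missing required attribute.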