shibboleth-dev - A problem with IdP metadata generated by TESTSHIB TWO
- From: "Jie Lv" <>
- To: <>
- Subject: A problem with IdP metadata generated by TESTSHIB TWO
- Date: Wed, 5 Mar 2008 15:02:00 +0800
Hi folks,

After some trial and error, I've successfully set up an IdP and an SP. The IdP retrieves user attributes from an LDAP server and passes them to the SP. Those attributes are then delivered to a small Java web application that I've written. During my installation process, I found there seemed to be something wrong with the metadata generated by TESTSHIB TWO. For example, after I registered "idp.ccnet.pku.edu.cn", the metadata was as follows:

<?xml version="1.0" encoding="UTF-16"?>
<md:EntityDescriptor entityID="https://idp.ccnet.pku.edu.cn/idp/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol"
      xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:Extensions>
      <saml1md:Scope xmlns:saml1md="urn:mace:shibboleth:metadata:1.0">ccnet.pku.edu.cn</saml1md:Scope>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIID2zCCAsOgAwIBAgIBATANBgkqhkiG9w0BAQQFADBXMREwDwYDVQQKEwhUZXN0U2hpYjEjMCEG A1UEAxMaVGVzdFNoaWIgSWRlbnRpdHkgUHJvdmlkZXIxHTAbBgNVBAMTFGlkcC5jY25ldC5wa3Uu ZWR1LmNuMB4XDTA4MDIyNjAwNDYxN1oXDTEwMDIyNjAwNDYxN1owVzERMA8GA1UEChMIVGVzdFNo aWIxIzAhBgNVBAMTGlRlc3RTaGliIElkZW50aXR5IFByb3ZpZGVyMR0wGwYDVQQDExRpZHAuY2Nu ZXQucGt1LmVkdS5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIiOsZe8IluqCbaj VqSH1pldr7hbZ2HF863cVMop43XErJbVfg2uPcGZNdg1Ypdg1aDeh/JqxepHYx2we6n0AydSEtY9 LAx7wHn snz6CHFsaIULQYCkrwaj+UQLq3Rsuui/l1JSVrRG2u3EoiDOnYzET5YAB7klwF /Jcvcb7MefaG5QKOF57Dbe8taZhG2Tm3y75JgpWIizgweidbQhLpcS2v bM5+Ndwe9CbiOU1ab0fTWDUCAwEAAaOBsTCBrjAdBgNVHQ4EFgQUEGB8HgH7EwnZ/dG4lBJLabrB 5SkwfwYDVR0jBHgwdoAUEGB8HgH7EwnZ/dG4lBJLabrB5SmhW6RZMFcxETAPBgNVBAoTCFRlc3RT aGliMSMwIQYDVQQDExpUZXN0U2hpYiBJZGVudGl0eSBQcm92aWRlcjEdMBsGA1UEAxMUaWRwLmNj bmV0LnBrdS5lZHUuY26CAQEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOCAQEAZ247X7CU M0GVCZbOseyD2W0IDlfgI2p9DgKalxiwR3E4LoinJtzMhyVGbO8J6s9hFGd3tVkp+TI7GitP5PE7 sxPSgxUy/DzM/75ELEZXeW7esQ1CJgxjxcebgZFy4HrrNYROnEPbwhNlgPkWvX+5v6kUFBDx9roh 8cFsXooZ8TaiuBoQaWyVoDnVbE9fozGG86DIMptIk7mdvNXwEcuy/Vmomb1Uq30yVbJzm KRKaE8qX/nVJKVbG 28Dbmx5VaZkfyBvyhoAaTbPyJWc2mQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.ccnet.pku.edu.cn:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.ccnet.pku.edu.cn:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.ccnet.pku.edu.cn/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.ccnet.pku.edu.cn/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.ccnet.pku.edu.cn/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:Extensions>
      <saml1md:Scope xmlns:saml1md="urn:mace:shibboleth:metadata:1.0">ccnet.pku.edu.cn</saml1md:Scope>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIID2zCCAsOgAwIBAgIBATANBgkqhkiG9w0BAQQFADBXMREwDwYDVQQKEwhUZXN0U2hpYjEjMCEG A1UEAxMaVGVzdFNoaWIgSWRlbnRpdHkgUHJvdmlkZXIxHTAbBgNVBAMTFGlkcC5jY25ldC5wa3Uu ZWR1LmNuMB4XDTA4MDIyNjAwNDYxN1oXDTEwMDIyNjAwNDYxN1owVzERMA8GA1UEChMIVGVzdFNo aWIxIzAhBgNVBAMTGlRlc3RTaGliIElkZW50aXR5IFByb3ZpZGVyMR0wGwYDVQQDExRpZHAuY2Nu ZXQucGt1LmVkdS5jbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIiOsZe8IluqCbaj VqSH1pldr7hbZ2HF863cVMop43XErJbVfg2uPcGZNdg1Ypdg1aDeh/JqxepHYx2we6n0AydSEtY9 LAx7wHn snz6CHFsaIULQYCkrwaj+UQLq3Rsuui/l1JSVrRG2u3EoiDOnYzET5YAB7klwF /Jcvcb7MefaG5QKOF57Dbe8taZhG2Tm3y75JgpWIizgweidbQhLpcS2v bM5+Ndwe9CbiOU1ab0fTWDUCAwEAAaOBsTCBrjAdBgNVHQ4EFgQUEGB8HgH7EwnZ/dG4lBJLabrB 5SkwfwYDVR0jBHgwdoAUEGB8HgH7EwnZ/dG4lBJLabrB5SmhW6RZMFcxETAPBgNVBAoTCFRlc3RT aGliMSMwIQYDVQQDExpUZXN0U2hpYiBJZGVudGl0eSBQcm92aWRlcjEdMBsGA1UEAxMUaWRwLmNj bmV0LnBrdS5lZHUuY26CAQEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOCAQEAZ247X7CU M0GVCZbOseyD2W0IDlfgI2p9DgKalxiwR3E4LoinJtzMhyVGbO8J6s9hFGd3tVkp+TI7GitP5PE7 sxPSgxUy/DzM/75ELEZXeW7esQ1CJgxjxcebgZFy4HrrNYROnEPbwhNlgPkWvX+5v6kUFBDx9roh 8cFsXooZ8TaiuBoQaWyVoDnVbE9fozGG86DIMptIk7mdvNXwEcuy/Vmomb1Uq30yVbJzm KRKaE8qX/nVJKVbG 28Dbmx5VaZkfyBvyhoAaTbPyJWc2mQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.ccnet.pku.edu.cn:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.ccnet.pku.edu.cn:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
  <md:Organization xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:OrganizationName xml:lang="en">IdP at ccnet.pku.edu.cn</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">IdP at ccnet.pku.edu.cn</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://ccnet.pku.edu.cn/</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:GivenName>Jie</md:GivenName>
    <md:SurName>Lv </md:SurName>
    <md:EmailAddress></md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

There were 2 lines of "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>" in the element <md:IDPSSODescriptor>, and there was no <md:NameIDFormat> in the element <md:AttributeAuthorityDescriptor>. When this metadata was used, I got something like this in idp-process.log:

Error: [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2.ProfileHandler:702]: No principal attribute supported encoding into a supported nameID format.

I had to manually delete 1 "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>" from the element <md:IDPSSODescriptor> and add 1 to <md:AttributeAuthorityDescriptor>. Then this problem was solved. Was it just me, or has someone else also met similar problems? If it is the latter, there must be something wrong with the code generating IdP metadata in TESTSHIB TWO. Besides, I couldn't find the link to download the metadata. Is there such a link on www.testshib.org?

Jie Lv
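As an added check that is not part of the original post, nor code from TestShib or the Shibboleth project: the script below lints the two role descriptors for exactly the two defects described above (a duplicated <md:NameIDFormat> in <md:IDPSSODescriptor> and a missing SAML 2 transient format in <md:AttributeAuthorityDescriptor>) and then applies the same fix the poster made by hand, deduplicating the entries and inserting the missing one at the position the metadata schema requires. It uses only the Python standard library. The embedded metadata sample is constructed to mirror the shape of the posted file; the entity ID idp.example.org is a placeholder, and the certificate and most endpoints are left out.

```python
"""Lint and normalise <md:NameIDFormat> entries in SAML 2.0 IdP metadata.

Added example for this thread; not TestShib or Shibboleth project code.
Standard library only. SAMPLE is constructed to mirror the shape of the
posted metadata (placeholder entity idp.example.org, certificate and most
endpoints omitted).
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)  # keep the md: prefix when re-serialising
NAMEID_FORMAT = f"{{{MD}}}NameIDFormat"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SHIB_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"

# Child elements that the metadata schema orders *after* NameIDFormat in each
# role; a new NameIDFormat goes in front of the first of these when the role
# has no NameIDFormat yet, so the result stays schema-valid.
FOLLOWERS = {
    "IDPSSODescriptor": {"SingleSignOnService", "NameIDMappingService",
                         "AssertionIDRequestService", "AttributeProfile", "Attribute"},
    "AttributeAuthorityDescriptor": {"AttributeProfile", "Attribute"},
}

SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def lint_nameid_formats(xml_text):
    """Per role descriptor: NameIDFormat values in document order plus any
    duplicates. Assumes at most one descriptor of each type, as posted."""
    root = ET.fromstring(xml_text)
    report = {}
    for role_name in FOLLOWERS:
        for role in root.findall(f"md:{role_name}", NS):
            formats = [(el.text or "").strip() for el in role.findall("md:NameIDFormat", NS)]
            dupes = sorted({f for f in formats if formats.count(f) > 1})
            report[role_name] = {"formats": formats, "duplicates": dupes}
    return report


def child_order(xml_text, role_name):
    """Local names of a role descriptor's children, to eyeball schema order."""
    root = ET.fromstring(xml_text)
    role = root.find(f"md:{role_name}", NS)
    return [_local(c.tag) for c in role]


def _insert_index(role, role_name):
    """Index at which a new NameIDFormat keeps the role schema-valid."""
    children = list(role)
    positions = [i for i, c in enumerate(children) if c.tag == NAMEID_FORMAT]
    if positions:
        return positions[-1] + 1
    for i, c in enumerate(children):
        if _local(c.tag) in FOLLOWERS[role_name]:
            return i
    return len(children)


def normalise_nameid_formats(xml_text, required=(TRANSIENT,)):
    """Drop duplicate NameIDFormat entries and add each required format to
    every role descriptor that lacks it; returns the re-serialised metadata.
    Caveat: editing signed metadata invalidates its ds:Signature."""
    root = ET.fromstring(xml_text)
    for role_name in FOLLOWERS:
        for role in root.findall(f"md:{role_name}", NS):
            seen = set()
            for el in list(role.findall("md:NameIDFormat", NS)):
                fmt = (el.text or "").strip()
                if fmt in seen:
                    role.remove(el)  # second copy of the same format
                seen.add(fmt)
            for fmt in required:
                if fmt not in seen:
                    new = ET.Element(NAMEID_FORMAT)
                    new.text = fmt
                    role.insert(_insert_index(role, role_name), new)
                    seen.add(fmt)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for role, info in lint_nameid_formats(SAMPLE).items():
        print(role, info)
    print(normalise_nameid_formats(SAMPLE))
```

Run it against a downloaded metadata file with `lint_nameid_formats(open(path).read())` before loading it into the IdP; the report shows, per role, which formats are advertised and which appear twice. Two caveats: the stdlib parser is fine for a file you generated yourself, but for metadata fetched from a third party parse with defusedxml or an equivalently hardened parser; and if the file carries a ds:Signature, any rewrite breaks it, so fix the source of the metadata rather than the signed copy.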
- A problem with IdP metadata generated by TESTSHIB TWO, Jie Lv, 03/05/2008
- Re: A problem with IdP metadata generated by TESTSHIB TWO, Nate Klingenstein, 03/05/2008
- Re: A problem with IdP metadata generated by TESTSHIB TWO, Tom Scavo, 03/05/2008
- Re: A problem with IdP metadata generated by TESTSHIB TWO, Chad La Joie, 03/05/2008