Invalid identity provider metadata #450
Comments
|
I've added a test and have a working version here (branched off of Basically this just reorders I found the actual problem with the original issue created is that samltest.id uses Shibboleth and I noticed your tests here that |
|
I don't want to add too much noise, but I am seeing something similar in my tests: |
|
@damionvega Please try out the latest v2.8.2 with patches. v2.8.0 and v2.8.1 has import issue after upgrading some dependencies. If the problem still exists, can you export the idp metadata (remove sensitive information for sure), I will double check the schema file. |
MetadataUsing v2.8.2 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:assertion="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com/saml/idp/metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIFszCCA5ugAwIBAgIUAcUMukYL6ovpu8T5M3oVFO/+MoswDQYJKoZIhvcNAQELBQAwTTEaMBgGA1UEAxMRVXNlcmZyb250IEFjY291bnQxGzAZBgNVBAoTEnNhbWx0ZXN0LmlkIHRlbmFudDESMBAGA1UECxMJVXNlcmZyb250MB4XDTIxMDkyMDE3NTIwNVoXDTIyMDkyMDE3NTIwNVowTTEaMBgGA1UEAxMRVXNlcmZyb250IEFjY291bnQxGzAZBgNVBAoTEnNhbWx0ZXN0LmlkIHRlbmFudDESMBAGA1UECxMJVXNlcmZyb250MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoEk4LNtXh648gck/V7Ki/mJW/eoRjZrTG/nWAZUMkKwzq2biqkWcwsKQohJbJVzUfcTm2i9kjiYZLZKQG0ELvodF5F1JQB0zURjbckihAVqJ0nFOZd4uLGXECtRXCjior7F1/4jVMY9h8gRjGy5pD2hFWITufXtkwvJxvdIPkkzjwXKgJNZP7uTmTPAELPUDJ5uw2c4FJE3mpPaw/LIHvE/5WQVaSj8Z4/OKl6iCTmu+bqu4X0Nru/ZPX05Pw233We/8nz3eHawAE1OmRxWt8Art5VrA+wkDl8YnNuvo326CoQP2Stmq45j1TVZq1FLYJU/ZP2lJ9ZdV5dovn0opEz5sKw+qMUdn+sFRYnziEZmEnNFxwLMlFK4O7NCKOVNDtILIVUDsUP1b7kqEnTWWenrCpFjwzeQw0VhmQxJQq9QsdXI9p2jKOcU3aC/zjLb71ox2J7a2BeSOUB+d5dWufw04rsM5Yz6w1ceXFER6tshV+y2oGKc8ScK0mwdnTb5LpzuPSS0cKuVVP1ALOF97/wc5MJD1MkvyreIz+erPMY5WKjefJG7oazl3/bSYtTxkzw/5jj8HEom/VdAOuIXhQfT2QlPn54S5EKMtWXIHcJ7kctEA8cuVH4Zag5eusRFeaM6lgCFFRVwpOlHjBDPDheOeSa8WcyeLVTPzOnovIUCAwEAAaOBijCBhzAdBgNVHQ4EFgQUXWaMdoKlVmG5STI40NnN7NAvsOIwCQYDVR0TBAIwADALBgNVHQ8EBAMCAvQwOwYDVR0lBDQwMgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIMBEGCWCGSAGG+EIBAQQEAwIA9zANBgkqhkiG9w0BAQsFAAOCAgEACq/RqUYTLrj5qBoFXYCCt36QGtgqyrv9tlg1WNEkCtX3FzIubQcOB748Hu1M4Vuj0CsR9p0Qg75jK3Hca4YMsoZmAGGawuTvnfY8j4lzlpbbSIDwA84ErGRvPgcU+DW9MUv6HOZH9UoF4AQkjaUxszTkDSGivqeu60zPOq2Bp7796WNjVKm2ouAjXeUl5mncjF6fns8YaUYvxtiCbCViCM3bkk7Zgr28iZ/oTzNuyk/++9Y55KC1wXKU+c0SnzGMeghiXJoPjI/nw7ek3YdTkZeDuiUTf3KvrdRWAsxNtl6E/5Eg7NZAAlNWkuaeYkJ4OBE6ln0Pdy7xnyLPwpRevB31q58dEboqqx8u3NIPrKdKc607OovFsvIS9sZYcmL0V7VHnr/6oHG50v0UPxStzmC00/kMLlgrkc+MHpc978UMUqRtqZPDM1mp4RJ7gyeVGmDrxglN2S7oYXDZx/EXvU3jH/aFzx3ROg+JA7j1oln0wS+umBBKG5ZK5uAl1baED7oFCO88k65CH53kAHD8UuUa2p5l03eTBbEt3DMuo0L4F0j38nqNKNyt/dVFqe9jQdkQbw6fpYkRR/F9WPKvGf0PFaykkQjYujUNtz3y2Nx2unZjjdLTF5c31Tvx24hX+Ex1svV3PQgixCl7BAUYgQWufqjZZMA+neeZxMHkd/Y=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/idp/login"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/idp/login"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/idp/logout"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/idp/logout"/>
</IDPSSODescriptor>
</EntityDescriptor>Metadata modified(Moved <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:assertion="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com/saml/idp/metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIFszCCA5ugAwIBAgIUAcUMukYL6ovpu8T5M3oVFO/+MoswDQYJKoZIhvcNAQELBQAwTTEaMBgGA1UEAxMRVXNlcmZyb250IEFjY291bnQxGzAZBgNVBAoTEnNhbWx0ZXN0LmlkIHRlbmFudDESMBAGA1UECxMJVXNlcmZyb250MB4XDTIxMDkyMDE3NTIwNVoXDTIyMDkyMDE3NTIwNVowTTEaMBgGA1UEAxMRVXNlcmZyb250IEFjY291bnQxGzAZBgNVBAoTEnNhbWx0ZXN0LmlkIHRlbmFudDESMBAGA1UECxMJVXNlcmZyb250MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoEk4LNtXh648gck/V7Ki/mJW/eoRjZrTG/nWAZUMkKwzq2biqkWcwsKQohJbJVzUfcTm2i9kjiYZLZKQG0ELvodF5F1JQB0zURjbckihAVqJ0nFOZd4uLGXECtRXCjior7F1/4jVMY9h8gRjGy5pD2hFWITufXtkwvJxvdIPkkzjwXKgJNZP7uTmTPAELPUDJ5uw2c4FJE3mpPaw/LIHvE/5WQVaSj8Z4/OKl6iCTmu+bqu4X0Nru/ZPX05Pw233We/8nz3eHawAE1OmRxWt8Art5VrA+wkDl8YnNuvo326CoQP2Stmq45j1TVZq1FLYJU/ZP2lJ9ZdV5dovn0opEz5sKw+qMUdn+sFRYnziEZmEnNFxwLMlFK4O7NCKOVNDtILIVUDsUP1b7kqEnTWWenrCpFjwzeQw0VhmQxJQq9QsdXI9p2jKOcU3aC/zjLb71ox2J7a2BeSOUB+d5dWufw04rsM5Yz6w1ceXFER6tshV+y2oGKc8ScK0mwdnTb5LpzuPSS0cKuVVP1ALOF97/wc5MJD1MkvyreIz+erPMY5WKjefJG7oazl3/bSYtTxkzw/5jj8HEom/VdAOuIXhQfT2QlPn54S5EKMtWXIHcJ7kctEA8cuVH4Zag5eusRFeaM6lgCFFRVwpOlHjBDPDheOeSa8WcyeLVTPzOnovIUCAwEAAaOBijCBhzAdBgNVHQ4EFgQUXWaMdoKlVmG5STI40NnN7NAvsOIwCQYDVR0TBAIwADALBgNVHQ8EBAMCAvQwOwYDVR0lBDQwMgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIMBEGCWCGSAGG+EIBAQQEAwIA9zANBgkqhkiG9w0BAQsFAAOCAgEACq/RqUYTLrj5qBoFXYCCt36QGtgqyrv9tlg1WNEkCtX3FzIubQcOB748Hu1M4Vuj0CsR9p0Qg75jK3Hca4YMsoZmAGGawuTvnfY8j4lzlpbbSIDwA84ErGRvPgcU+DW9MUv6HOZH9UoF4AQkjaUxszTkDSGivqeu60zPOq2Bp7796WNjVKm2ouAjXeUl5mncjF6fns8YaUYvxtiCbCViCM3bkk7Zgr28iZ/oTzNuyk/++9Y55KC1wXKU+c0SnzGMeghiXJoPjI/nw7ek3YdTkZeDuiUTf3KvrdRWAsxNtl6E/5Eg7NZAAlNWkuaeYkJ4OBE6ln0Pdy7xnyLPwpRevB31q58dEboqqx8u3NIPrKdKc607OovFsvIS9sZYcmL0V7VHnr/6oHG50v0UPxStzmC00/kMLlgrkc+MHpc978UMUqRtqZPDM1mp4RJ7gyeVGmDrxglN2S7oYXDZx/EXvU3jH/aFzx3ROg+JA7j1oln0wS+umBBKG5ZK5uAl1baED7oFCO88k65CH53kAHD8UuUa2p5l03eTBbEt3DMuo0L4F0j38nqNKNyt/dVFqe9jQdkQbw6fpYkRR/F9WPKvGf0PFaykkQjYujUNtz3y2Nx2unZjjdLTF5c31Tvx24hX+Ex1svV3PQgixCl7BAUYgQWufqjZZMA+neeZxMHkd/Y=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/idp/logout"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/idp/logout"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/idp/login"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/idp/login"/>
</IDPSSODescriptor>
</EntityDescriptor> |
|
OneLogin's validator tool (https://www.samltool.com/validate_xml.php) gave an additional error requiring With that said, I think it would be best if ordering elements could be an additional setting in |
|
@damionvega We have |
|
Yes, that would be great if we could add it to the IdP constructor. Is this something that would have to wait until v3? (I saw #451) |
|
@damionvega No need. v3 is planned to release early next year. |
Using
identityProvider.getMetadata()produces an error when attempting to upload output XML to https://samltest.id/upload.php:The text was updated successfully, but these errors were encountered: