SLO Extension, IDP Metadata and xmltooling validation

Harald Strack hstrack at ssystems.de
Mon Sep 12 15:54:09 BST 2011


Hi,

we are running Shibboleth SPs on Solaris, compiled using the following
versions of libraries and the SP itself:

apache 22
shibboleth SP-2.3.1

libxml2-2.7.6
xmltooling-1.4.1
xerces-c-3.1.1
opensaml-2.4.1
xml-security-c-1.6.0
log4shib-1.0.4

Our IdP has the Hungarian SLO extension,

https://wiki.aai.niif.hu/index.php/Single_Logout_in_Shibboleth_IdP

thus we have a few 'SingleLogoutService' entries in our IdP's metadata:

    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp3.example.com/idp/profile/SAML2/Redirect/SLO"
        ResponseLocation="https://idp3.example.com/idp/profile/SAML2/Redirect/SLO" />

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp3.example.com/idp/profile/SAML2/POST/SLO"
        ResponseLocation="https://idp3.example.com/idp/profile/SAML2/POST/SLO" />

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp3.example.com:8443/idp/profile/SAML2/SOAP/SLO" />

Since we upgraded the libraries of the Service Provider, the SP does not
accept these Metadata entries anymore, the validation fails:

/opt/pkg/sbin/shibd -tc /usr/pkg/var/run/shibboleth/metadata.xml 

...
2011-09-09 13:44:14 ERROR XMLTooling.ParserPool : error on line 478, column 22, message: element 'SingleLogoutService' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*,ArtifactResolutionService*,SingleLogoutService*,ManageNameIDService*,NameIDFormat*,SingleSignOnService+,NameIDMappingService*,AssertionIDRequestService*,AttributeProfile*,Attribute*)'
...

It says 'SingleLogoutService' is not allowed, but also says that
SingleLogoutService* is in the content model!? I read somewhere in an old
post that the new OpenSAML libraries do some more strict schema
validation. However, I can't see a schema violation here - I am out of
ideas...

Any help will be greatly appreciated!

br

Harald Strack


-- 
Harald Strack, Dipl.Inf.(FH)
IT Development

ssystems
c/o todo GmbH
Alt-Moabit 60a
10555 Berlin

Tel:     +49 30 2023 6071 - 1
http://www.ssystems.de
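The content model quoted in the shibd error above is an XML Schema sequence, so an element that is listed in it can still be rejected when it appears in the wrong position relative to its siblings. The following checker, added here as an illustration and not part of the original post or of Shibboleth, reads that sequence straight from the error message and reports the first IDPSSODescriptor child that appears later than the model allows; the metadata fragments it runs on are constructed, and the misordering they show is a hypothetical cause, not a confirmed diagnosis of the poster's file.

```python
import re
import xml.etree.ElementTree as ET

# Content model exactly as quoted in the shibd error message (an ordered sequence).
CONTENT_MODEL = ("(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*,"
                 "ArtifactResolutionService*,SingleLogoutService*,ManageNameIDService*,"
                 "NameIDFormat*,SingleSignOnService+,NameIDMappingService*,"
                 "AssertionIDRequestService*,AttributeProfile*,Attribute*)")

def parse_model(model):
    """Return the element names in the order the sequence demands, cardinality stripped."""
    return [re.sub(r"[?*+]$", "", tok) for tok in model.strip("()").split(",")]

def first_order_violation(xml_text, model=CONTENT_MODEL):
    """Return (offender, earlier_sibling) for the first child that appears after a
    sibling the model places later, (offender, None) for a child not in the model,
    or None when the children respect the sequence."""
    order = {name: i for i, name in enumerate(parse_model(model))}
    root = ET.fromstring(xml_text)
    highest, highest_name = -1, None
    for child in root:
        name = child.tag.split("}")[-1]      # drop the namespace URI prefix
        pos = order.get(name)
        if pos is None:
            return (name, None)
        if pos < highest:                    # listed in the model, but too late
            return (name, highest_name)
        highest, highest_name = pos, name
    return None

# Constructed fragments (hypothetical), with the SLO endpoint after and before SSO.
_HEAD = ('<IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
         'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
         '<KeyDescriptor use="signing"/>')
_SSO = ('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>')
_SLO = ('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://idp.example.test/idp/profile/SAML2/Redirect/SLO"/>')
MISORDERED = _HEAD + _SSO + _SLO + "</IDPSSODescriptor>"
ORDERED = _HEAD + _SLO + _SSO + "</IDPSSODescriptor>"

if __name__ == "__main__":
    print("misordered:", first_order_violation(MISORDERED))
    print("ordered:   ", first_order_violation(ORDERED))
```

The checker only tests sibling order and cardinality-free membership; a full schema validation (as shibd -t performs) still has the final word.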
