Shibboleth SP with Novell NAM IDP
EMP
emp618 at internode.on.net
Mon Sep 24 07:42:26 EDT 2012
Peter
Apologies, I was trying to be clever and not post the whole metadata.
Metadata is below -
<!-- IdP metadata as pasted into the thread. The poster replaced every certificate body with the text "redacted certificate", so neither the KeyInfo blocks nor the signature below can be verified from this copy. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
ID="idoVlxU9PGQcCOnte4gd-LKkNi7Do"
entityID="https://idp.xxx.com/nidp/saml/metadata">
<!-- Enveloped signature over the whole EntityDescriptor: the Reference URI below points at the ID attribute of the root element. A consumer should verify it against a key it already trusts (configured out of band), not against the X509Certificate carried in the KeyInfo of the same document, since anyone able to replace the signature could replace that certificate too. Both canonicalization steps use exc-c14n without comments, so XML comments such as these are not part of what is signed. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<!-- CanonicalizationMethod, DigestValue and SignatureValue are written with a default namespace declaration rather than the ds: prefix; the namespace URI is the same, so a namespace-aware parser treats them as the same elements. -->
<CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<!-- RSA with SHA-1 here and a SHA-1 digest below. SHA-1 is deprecated for signatures; a consumer configured to reject SHA-1 will refuse this metadata, so prefer an RSA-SHA256 signing profile if the IdP offers one. -->
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#idoVlxU9PGQcCOnte4gd-LKkNi7Do">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue
xmlns="http://www.w3.org/2000/09/xmldsig#">kgAUFyK3dKGRlLSx21nvu4YPUl8=</DigestValue>
</ds:Reference>
</ds:SignedInfo>
<SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">
ednKLvY6t1UhwVCuTLkECsBaBp1ctvTfF5zP9S/uIZSnFCW1Hly55RbP0zfgxcy4Ke/Yb7Negs/E
L1T2jciGvo9bPhs+PmC70ywDbc/eZr9PQhTEIOkB1MXxzbVrs2QxWihyRlwB3OODqGvFi3eV544v
qnRV47rwXMm1wXk4op0=
</SignatureValue>
<!-- Embedded signer certificate: informational only, see the note above on verifying against a pre-configured trust anchor. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
redacted certificate
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<!-- protocolSupportEnumeration lists only the SAML 1.0 and 1.1 protocol URNs here and on the two roles below, while every endpoint in the document uses a SAML 2.0 binding and the NameIDFormats are SAML 2.0 formats. A relying party selects a role by this attribute, so a SAML 2.0 SP would not use any of these roles unless urn:oasis:names:tc:SAML:2.0:protocol is added; worth checking in the IdP configuration before looking elsewhere. -->
<md:AttributeAuthorityDescriptor ID="ideEDmH.w2zeHhUrblc87wJNJrlUc"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol
urn:oasis:names:tc:SAML:1.1:protocol">
<!-- The ds prefix is declared only on the Signature element above, so each KeyInfo outside it re-declares it; declaring it once on the root would avoid the repetition. -->
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
redacted certificate
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<!-- EncryptionMethod on a use="signing" descriptor has no effect on signing; the 3DES-CBC algorithm listed is a legacy choice. -->
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
redacted certificate
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<!-- AES-128-CBC for data encryption. CBC XML encryption carries no integrity protection of its own, so the consumer must still require a signature over the encrypted assertion or its enclosing response; prefer an AES-GCM algorithm if the IdP supports one. -->
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</md:KeyDescriptor>
<md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.xxx.com/nidp/saml/soap"/>
</md:AttributeAuthorityDescriptor>
<!-- The IdP role an SP actually needs. Same protocolSupportEnumeration caveat as above: no SAML 2.0 protocol URN. -->
<md:IDPSSODescriptor ID="idk6IcUoPtSLjspinBJrupi7R0OBs"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol
urn:oasis:names:tc:SAML:1.1:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
redacted certificate
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
redacted certificate
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</md:KeyDescriptor>
<md:ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.xxx.com/nidp/saml/soap" index="0" isDefault="true"/>
<!-- The format URNs sit on their own lines, so the element text carries leading and trailing whitespace. Most SAML stacks trim it, but if the IdP really emits it this way a strict consumer may fail to match the format; it may also just be line wrapping added by the mail client. -->
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<!-- Only an HTTP-POST SSO endpoint is published. An SP configured to send its AuthnRequest with the HTTP-Redirect binding will find no matching endpoint in this metadata. -->
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://idp.xxx.com/nidp/saml/sso"/>
</md:IDPSSODescriptor>
<!-- The same entity also publishes an SP role, presumably because the product can act as both; an SP consuming this as IdP metadata ignores it. Note that isDefault is on the HTTP-Artifact endpoint (index 1), not the HTTP-POST one (index 0). -->
<md:SPSSODescriptor ID="idOamQsdgm1V6AcoLghPbXXRU.AFM"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol
urn:oasis:names:tc:SAML:1.1:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
redacted certificate
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
redacted certificate
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</md:KeyDescriptor>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://idp.xxx.com/nidp/saml/spassertion_consumer" index="1"
isDefault="true"/>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://idp.xxx.com/nidp/saml/spassertion_consumer" index="0"/>
</md:SPSSODescriptor>
<!-- OrganizationURL has no scheme; it is a valid anyURI but only a relative one. -->
<md:Organization>
<md:OrganizationName xml:lang="en">xxxd</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">xxx</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">www.xxx.com</md:OrganizationURL>
</md:Organization>
</md:EntityDescriptor>
Peter Schober wrote:
> * Peter Schober <peter.schober at univie.ac.at> [2012-09-24 13:31]:
>
>> * EMP <emp618 at internode.on.net> [2012-09-24 13:12]:
>>
>>> Leads me to believe the IDP Metadata is screwy, so looking at that I see -
>>>
>>> <md:IDPSSODescriptor
>>>
>> That's not valid SAML2.0 metadata.
>> https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness
>> (You're missing the enclosing EntityDescriptor.)
>>
>
> I misspoke, it's well-formed and schema valid. But without the
> EntityDescriptor you're missing the entityID and the IdP looks up
> metadata via that,
> -peter
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>