SAML metadata validation try two
Brian Tingle
Brian.Tingle at ucop.edu
Thu Jun 6 23:12:20 EDT 2013
Does this ever get any easier to understand? The more I look at this, the more confused I get.
How do I validate an instance of SAML metadata? I tried xmllint, and I'm getting hella errors, but they seem like errors with the schema, not with my instance:
https://gist.github.com/tingletech/5726812
here is the XML metadata I'm trying to validate: does it look right if I were trying to have one entityID that is shared between -dev, -stg, and production?
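<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"
    ID="_ae6d076f856a2002ad755a3574c7204ddc9424b4"
    entityID="https://nuxeo.cdlib.org/sp"
    cacheDuration="P1D"
>
  <!-- 'P1D' = one day in xsd:duration, who knew? -->
  <!-- xmlns:init info at http://docs.oasis-open.org/security/saml/Post2.0/sstc-request-initiation-cd-01.html -->
  <!-- xmlns:md info at http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf -->
  <!-- xsi:schemaLocation is only a hint to the validator; validate against a locally
       stored copy of the metadata schema (and the xmldsig/xenc schemas it imports)
       instead of letting xmllint fetch this URL at validation time. -->
  <!-- NOTE(review): every Location attribute below is plain http://, so assertions and
       logout messages posted to these endpoints would travel unencrypted; confirm
       whether https endpoints are intended before publishing this to an IdP. -->
  <md:SPSSODescriptor
    protocolSupportEnumeration="
urn:oasis:names:tc:SAML:2.0:protocol
urn:oasis:names:tc:SAML:1.1:protocol
urn:oasis:names:tc:SAML:1.0:protocol
"
  >
    <!-- protocolSupportEnumeration is a whitespace-separated list of URIs; the line
         breaks inside the value are collapsed to spaces on parse. -->
    <md:Extensions>
      <!-- Only the -dev host is named here, while the ACS/SLO endpoints below cover
           -dev, -stg and production; an IdP using this initiator would always send
           users to -dev. -->
      <init:RequestInitiator
        Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
        Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/Login"
      /><!-- if I'm using the same entityID for dev, stage, production , then what do I do in init:RequestInitiator? -->
    </md:Extensions>
    <!-- No use="signing"/"encryption" attribute: per the metadata spec the key is then
         offered for both. KeyName/SubjectName are the -dev names, yet this single key
         must serve all three hosts if they share this entityID, i.e. the same private
         key would live on dev, stg and production. -->
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:KeyName>nuxeo-dev</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=nuxeo-dev</ds:X509SubjectName>
          <ds:X509Certificate>MIIC4jCCAcqgAwIBAgIJAKHzEISxgVpsMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV
BAMTCW51eGVvLWRldjAeFw0xMzA2MDEwMzQ5NDBaFw0yMzA1MzAwMzQ5NDBaMBQx
EjAQBgNVBAMTCW51eGVvLWRldjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBALTNY5nzZ004HavyagcNTvHJmOlB9Tvh9xPnaGn2O92lRqMWaR3NKXMUSmnR
FjXTXYdQAnT0xkCS/Wkvur3XfzsN/c1qNlrxFRKtKOgqDDw3t6ttpCnwrxJcWIxF
F6cYTPW/E8GtimiSVv9GAYzzGmFhx+E5oeIdv6H8SiRw333cORoe5Ux4vMoTY6in
uNfecw6Fz1I5kQ/6O0kSSTGjJmIjgFQx0tpw8XJhL2E+jahu9sl3CZLYuqhsdBx9
/srtQBZ/Cem5WBUBtuFnJCiEVw4pDfTzTOe9WBCoVFDQQgOOa/wHbTD6W0kDIKWg
pF6A+ydiKE7aRpkt5Qo5NuZ9AKcCAwEAAaM3MDUwFAYDVR0RBA0wC4IJbnV4ZW8t
ZGV2MB0GA1UdDgQWBBRIbfPEefybNux8qxZ0jnw6V2/D7TANBgkqhkiG9w0BAQUF
AAOCAQEAAROxkv2qnDCmdeYr2cWCX7fO6BRMixZ1KfjUWRdMWnB79/LzZVQDnjgN
SsbYd+MDyaE5Wem67WMp2gwaEkG6bBMBxOa7YwRetPKfdw7DRJ60GXEepdECbXPU
0+TkdRWsAy5QYTotQJaA6/tc8vEAmH3l8BNo7NGCUA1bOXl3m2I+XU5b6j5GKY+e
1PuXw4V7VBEs/Myk7XZSNrEmil39l1x0cheshhLxgweb/a9xVTRSI5ZtTF0srTo8
pQv01Kmdgn6qPCI80/XRg0WWPG5lhR06Hcf9o0bhAF5HV2tdxiCQJn6ieEZ+gz/K
H+OplCprRz65+a5uj0Zv4ed77/rvXw==
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Indexed endpoints: index values must be unique within each element type. -->
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/Artifact/SOAP" index="0"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo.cdlib.org/Shibboleth.sso/Artifact/SOAP" index="2"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SLO/Artifact"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SLO/Artifact"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML/POST" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML/Artifact" index="5"/>
    <!-- SPSSODescriptor has element-only content: any stray text between these
         endpoints (even a single character) makes the document schema-invalid. -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML2/POST" index="6"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="7"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML2/Artifact" index="8"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML2/ECP" index="9"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML/POST" index="10"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML/Artifact" index="11"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML2/POST" index="12"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="13"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML2/Artifact" index="14"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML2/ECP" index="15"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML/POST" index="16"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML/Artifact" index="17"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>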