SAML metadata validation try two

Brian Tingle Brian.Tingle at ucop.edu
Thu Jun 6 23:12:20 EDT 2013


Does this ever get any easier to understand?  The more I look at this, the more confused I get.

How do I validate an instance of SAML metadata?  I tried XML lint, and I'm getting hella errors, but they seem like errors with the schema, not my instance:

https://gist.github.com/tingletech/5726812

here is the XML metadata I'm trying to validate: does it look right if I were trying to have one entityID that is shared between -dev, -stg, and production?


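<?xml version="1.0" encoding="UTF-8"?>
<!--
  SAML 2.0 SP metadata for entityID https://nuxeo.cdlib.org/sp.

  Validation notes:
  * xsi:schemaLocation on the root is a hint for tooling, not a URL a
    validator should fetch. Keep a local copy of saml-schema-metadata-2.0.xsd
    together with the schemas it imports (SAML assertion, xmldsig, xenc) and
    point xmllint at that local copy (its schema and noout options). Errors
    reported against the schema rather than against this document are usually
    the imported schemas not being resolvable locally; an XML catalog or
    downloading them next to the metadata schema fixes that.
  * md:SPSSODescriptor has element-only content. Any stray text between its
    children (an earlier draft had a lone backtick between two blocks of
    AssertionConsumerService elements) leaves the document well-formed but
    schema-invalid.
-->
<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"
  ID="_ae6d076f856a2002ad755a3574c7204ddc9424b4"
  entityID="https://nuxeo.cdlib.org/sp"
  cacheDuration="P1D"
>
  <!-- cacheDuration 'P1D' is an xsd:duration (one day): consumers should re-fetch this document at least daily. -->
  <!-- md namespace: http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf -->
  <!-- init namespace: http://docs.oasis-open.org/security/saml/Post2.0/sstc-request-initiation-cd-01.html -->
  <!--
    One entityID shared by nuxeo-dev, nuxeo-stg and nuxeo (production) means
    every IdP that trusts this entity treats the three hosts as a single SP:
    * the single KeyDescriptor below (key name nuxeo-dev) is the key IdPs will
      encrypt to and verify signatures against for all three hosts, so that
      one private key protects production as well as dev;
    * an IdP may deliver an assertion to any listed endpoint, and because no
      AssertionConsumerService carries isDefault="true" the first one
      (index 0, the nuxeo-dev HTTP-POST endpoint) is the default for
      IdP-initiated SSO, so production users can be sent to the dev host.
    Separate entityIDs, or at least separate keys, per environment avoid both.
  -->
  <!--
    Every Location in this document is plain http://. SAML responses and
    assertions posted to those URLs travel in cleartext and can be read or
    altered in transit; IdPs and federations generally accept only https
    endpoints, so expect registration to be refused until they are changed.
  -->
  <md:SPSSODescriptor
    protocolSupportEnumeration="
      urn:oasis:names:tc:SAML:2.0:protocol
      urn:oasis:names:tc:SAML:1.1:protocol
      urn:oasis:names:tc:SAML:1.0:protocol
    "
  >
    <!-- protocolSupportEnumeration is a whitespace-separated list of URIs in the metadata schema, so the line breaks above are tolerated. -->
    <md:Extensions>
      <!--
        RequestInitiator advertises where SSO can be started at this SP. Only
        the nuxeo-dev host is listed; if the stg and production hosts start
        SSO themselves they need entries of their own (see the request-init
        profile linked above).
      -->
      <init:RequestInitiator
        Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
        Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/Login"
      />
    </md:Extensions>
    <!-- No use="signing" or use="encryption" attribute: this key is offered for both purposes. -->
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:KeyName>nuxeo-dev</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=nuxeo-dev</ds:X509SubjectName>
          <ds:X509Certificate>MIIC4jCCAcqgAwIBAgIJAKHzEISxgVpsMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Indexed endpoints: index values must be unique within each element type. -->
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/Artifact/SOAP" index="0"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo.cdlib.org/Shibboleth.sso/Artifact/SOAP" index="2"/>

    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SLO/Artifact"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SLO/Artifact"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SLO/Artifact"/>

    <!-- nuxeo-dev -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML/POST" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://nuxeo-dev.cdlib.org/Shibboleth.sso/SAML/Artifact" index="5"/>

    <!-- nuxeo-stg -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML2/POST" index="6"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="7"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML2/Artifact" index="8"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML2/ECP" index="9"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML/POST" index="10"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://nuxeo-stg.cdlib.org/Shibboleth.sso/SAML/Artifact" index="11"/>

    <!-- nuxeo (production) -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML2/POST" index="12"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="13"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML2/Artifact" index="14"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML2/ECP" index="15"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML/POST" index="16"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://nuxeo.cdlib.org/Shibboleth.sso/SAML/Artifact" index="17"/>

  </md:SPSSODescriptor>

</md:EntityDescriptor>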