Metadata format

Peter Schober peter.schober at univie.ac.at
Sat Sep 14 09:34:06 EDT 2013


* Roy Spectech <roygspectech8 at gmail.com> [2013-09-13 19:27]:
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> ID="_7f02024667d46287aafdd4ecdfd0627d2010938b" entityID="
> https://app1.corp.com/Shibboleth.sso">

Why did you add the "Shibboleth.sso" part there? The software didn't
do that and it doesn't make much sense (the entityID is just a name,
and as such doesn't have to map to a Shibboleth content handler).

> </md:EntityDescriptor>
> 
> This worked just fine with our partners and customers.
> 
> Notice all the "<md:  ... </md: pairs.

The XML namespace used (and mapped to "md" above) is irrelevant here.

> We then added the endpoints and CERT for one of new customers. We generated
> their CERT  pair with KEYGEN and their metadata file with METAGEN. When we
> went to add this new meta file to the existing metadata file things blew up.

If you mean you concatenated the two XML files together you've
generated non-well-formed (and schema invalid) XML. XML needs a common
root element, you can't have <foo></foo><foo></foo> in a single instance.

> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:
> ds="http://www.w3.org/2000/09/xmldsig#" entityID="
> https://app1.corp.com/customer2301/Shibboleth.sso">

You should start by explaining your use case and why every "customer"
would need a separate entityID for your SP. If you did that before
please provide a pointer to the archives.

> </md:EntityDescriptor>
> 
> This metadata also has the same <md:..</md  pairs. However, none of our
> partners or customers could import the new file. All complained that the
> XML was rejected.

If you have two separate files and one validates and the other doesn't
that would indicate the second one wasn't valid. So check for that,
with the methods the software provides, or the list of tools the
documentation mentions.

> We're using the supplied tools (keygen.sh, metagen.sh) to create
> metadatafiles for new customers (who appear as a different path in
> our application tree). We want to add the customer endpoints and
> entityID's to the main metadata file that we publish.

If you want the content of both files within a single file (why?)
you'd need to wrap them in a common root element, an
<EntitiesDescriptor> element in this case.

> We know we have to care/craft/adjust/edit our metadata. Clearly the
> supplied tools are just a starting point, but what guides to people
> use to make sure the XML is correct for Shibboleth IdP's to
> "consume." Is there a "generic metadata file" or documented guide
> that we can refer to for this type of additional meta?

https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP

https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness

-peter
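The point made above, that two concatenated EntityDescriptor documents are not well-formed XML and must instead be wrapped in a single EntitiesDescriptor root, as an added example (not part of the thread and not Shibboleth's own tooling). The two sample descriptors, their entityIDs and endpoint URLs are constructed placeholders; the merge function also refuses duplicate entityIDs, since an aggregate with the same name twice would be rejected or silently ambiguous on the consuming side.

```python
"""Added example: why concatenating SAML EntityDescriptor files fails, and how
to wrap them in one <md:EntitiesDescriptor> root instead. Standard library only."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % MD_NS
ENTITIES_DESCRIPTOR = "{%s}EntitiesDescriptor" % MD_NS
ET.register_namespace("md", MD_NS)  # keep the "md" prefix on output

# Constructed sample metadata (entityIDs, IDs and Locations are placeholders).
ENTITY_A = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  ID="_example-id-a" entityID="https://app1.corp.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://app1.corp.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

ENTITY_B = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  ID="_example-id-b" entityID="https://app1.corp.com/customer2301/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://app1.corp.com/customer2301/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def is_well_formed(xml_text):
    """True if the text parses as a single XML document (one root element)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        # Concatenated documents fail here with "junk after document element".
        return False


def merge_entity_descriptors(docs):
    """Wrap several EntityDescriptor documents in one EntitiesDescriptor root.

    Rejects anything that is not an md:EntityDescriptor and rejects duplicate
    entityIDs, so the aggregate stays unambiguous for whoever consumes it.
    """
    root = ET.Element(ENTITIES_DESCRIPTOR)
    seen = set()
    for doc in docs:
        element = ET.fromstring(doc)  # raises ParseError if doc is not well-formed
        if element.tag != ENTITY_DESCRIPTOR:
            raise ValueError("expected md:EntityDescriptor, got %s" % element.tag)
        entity_id = element.get("entityID")
        if not entity_id:
            raise ValueError("EntityDescriptor without entityID")
        if entity_id in seen:
            raise ValueError("duplicate entityID: %s" % entity_id)
        seen.add(entity_id)
        root.append(element)
    return ET.tostring(root, encoding="unicode")


def entity_ids(aggregate_xml):
    """List the entityIDs contained in a merged EntitiesDescriptor document."""
    root = ET.fromstring(aggregate_xml)
    if root.tag != ENTITIES_DESCRIPTOR:
        raise ValueError("not an md:EntitiesDescriptor")
    return [e.get("entityID") for e in root.findall(ENTITY_DESCRIPTOR)]


if __name__ == "__main__":
    print("concatenated well-formed:", is_well_formed(ENTITY_A + ENTITY_B))
    merged = merge_entity_descriptors([ENTITY_A, ENTITY_B])
    print("merged well-formed:", is_well_formed(merged))
    print("entityIDs:", entity_ids(merged))
```

Running it shows the concatenation failing the well-formedness check while the wrapped aggregate passes and yields both entityIDs. This only checks well-formedness and the root element; schema validation against the SAML metadata XSD and signature handling are separate steps that the wiki pages linked above cover.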
