ADFS with shib SP metadata problem
Luke Alexander
luke at brandwatch.com
Mon May 11 08:01:46 EDT 2015
Hi,
We are trying to integrate our app with one of our clients who uses
ADFS. They have successfully imported our metadata for our staging
system into their staging ADFS, but they are unable to import our
production metadata into their production ADFS. The error they get is:
https://social.msdn.microsoft.com/Forums/vstudio/en-US/75d52ee8-4b2e-4a0a-9011-fa44827b6d32/an-error-occurred-during-an-attempt-to-read-the-federation-metadata-verify-that-the-specified-url?forum=Geneva
Our metadata for both SP servers was built by using the /Metadata
endpoint and then editing as required. Running a diff against the
metadata shows the only differences are the embedded certs and any
location-specific attributes.
This is the same metadata file we have used for other (non-ADFS) clients
without problem.
I have tried creating a new metadata file using the meta-shib script,
but they see a slightly different error with that.
I am unable to verify the metadata against any online tool I've found or
by using the xmlsec tool (this is the same for staging and production
metadata).
We are running the following versions on Debian Wheezy:
ii libapache2-mod-shib2 2.5.3+dfsg-2~bpo70+1 amd64 Federated web single sign-on system (Apache module)
ii liblog4shib1:amd64 1.0.4-1 amd64 log4j-style configurable logging library for C++ (runtime)
ii libshibsp-plugins:amd64 2.5.3+dfsg-2~bpo70+1 amd64 Federated web single sign-on system (plugins)
ii libshibsp5:amd64 2.4.3+dfsg-5+deb7u1 amd64 Federated web single sign-on system (runtime)
ii libshibsp6:amd64 2.5.3+dfsg-2~bpo70+1 amd64 Federated web single sign-on system (runtime)
ii shibboleth-sp2-common 2.5.3+dfsg-2~bpo70+1 all Federated web single sign-on system (common files)
ii shibboleth-sp2-schemas 2.5.3+dfsg-2~bpo70+1 all Federated web single sign-on system (transitional package)
ii shibboleth-sp2-utils 2.5.3+dfsg-2~bpo70+1 amd64 Federated web single sign-on system (daemon and utilities)
Any help or guidance with this issue would be greatly appreciated.
Regards,
Luke
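
A structure-aware version of the diff described in the message above, as an added example that is not part of the original post or of the Shibboleth project: it masks certificate bodies and host-specific attributes, then reports whatever else differs between two SP metadata documents. The HOST_ATTRS set, the function names and both metadata strings are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: attributes expected to differ between deployments.
HOST_ATTRS = {"entityID", "Location", "ResponseLocation"}

def fingerprint(xml_text):
    """Flatten metadata into (path, name, value) facts, masking certificate
    bodies and host-specific attribute values."""
    facts = set()

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if elem.tag == f"{{{DS}}}X509Certificate":
            text = "<cert>"
        facts.add((here, "#text", text))  # also records element presence
        for name, value in elem.attrib.items():
            facts.add((here, name, "<host>" if name in HOST_ATTRS else value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return facts

def residual_diff(a, b):
    """Return (only_in_a, only_in_b) after masking the expected differences."""
    fa, fb = fingerprint(a), fingerprint(b)
    return sorted(fa - fb), sorted(fb - fa)

# Constructed sample metadata (not the poster's files).
STAGING = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://staging.sp.example/shibboleth">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>AAAA</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="1"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://staging.sp.example/Shibboleth.sso/SAML2/POST"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed: differs in host, certificate, and one extra attribute.
PRODUCTION = (STAGING.replace("staging.", "www.").replace("AAAA", "BBBB")
              .replace('index="1"', 'index="1" isDefault="true"'))

if __name__ == "__main__":
    for fact in residual_diff(STAGING, PRODUCTION)[1]:
        print("production only:", fact)
```

An empty result on both sides means the two files differ only in certificates and host-specific values; anything listed is a structural difference that a plain text diff can bury among the expected ones.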