ADFS with shib SP metadata problem

Peter Schober peter.schober at univie.ac.at
Mon May 11 08:32:06 EDT 2015


* Luke Alexander <luke at brandwatch.com> [2015-05-11 14:02]:
> https://social.msdn.microsoft.com/Forums/vstudio/en-US/75d52ee8-4b2e-4a0a-9011-fa44827b6d32/an-error-occurred-during-an-attempt-to-read-the-federation-metadata-verify-that-the-specified-url?forum=Geneva

I see nothing in there that would hint at a problem with the metadata
you provided:

"Error message: The underlying connection was closed: Could not
establish trust relationship for the SSL/TLS secure channel."

But then I don't know anything about MS-ADFS.
Possibly it tries to connect to the URL that is your entityID value
and fails (which could have many reasons). Whether it should do that
in the first place and how to disable that are all questions for a
different forum.
First I'd probably want to find out where it tried to connect.

> Our metadata for both SP servers was built by using the /Metadata
> end point and then editing as required, running a diff against the
> metadata shows the only differences are the embedded certs and any
> location specific attributes.
> 
> This is the same metadata file we have used for other (non ADFS) clients
> without problem.
> 
> I have tried creating a new metadata file using the meta-shib script,
> but they see a slightly different error with that.

What was the other error message? Not that it's an error from
Shibboleth software, so it seems your question what the error message
means should be targeted at the vendor of the system that produced the
error message?

> I am unable to verify the metadata against any online tool I've found or
> by using xmlsec tool (this is the same for staging and production
> metadata).

You certainly can test well-formedness and schema-validity, but if the
Shib SP produced not well-formed or schema-invalid SAML metadata, that
would be a bug, of course. (Which is somewhat unlikely as I recall no
reports of that happening, ever, basically.)
I doubt you're signing your SAML metadata (or that MS-ADFS knows what
to do with that), but if you do, you can also perform signature
validation.
You'll find links to any of those checks at
https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataCorrectness

If you ask specific questions ("unable to validate using any tool"
isn't a technical error report) you'll also get more useful answers.

Assuming xmlsec means https://www.aleksey.com/xmlsec/ try XmlSecTool
from the Contributed section in the shib wiki.
But I think this has nothing to do with incorrect SAML metadata, and
everything to do with how (what) MS-ADFS is set up (to do).
-peter
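Peter's checklist above (is the SP metadata well-formed, where does the entityID point, are the embedded certs that differ between the two servers intact, is the document signed) as an added Python example that is not from the thread or from the Shibboleth project; the metadata it inspects is a constructed sample, and the DER-length check on certificate blobs is a quick sanity check, not a replacement for XmlSecTool's schema and signature validation.

```python
"""Pre-flight checks on Shibboleth SP metadata before handing it to a relying
party such as ADFS. Added example, stdlib only. SAMPLE_METADATA is constructed:
cert 0 is a tiny complete DER SEQUENCE standing in for a certificate, cert 1 is truncated."""
import base64
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAMPLE_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBzzCC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def der_sequence_complete(blob: bytes) -> bool:
    """One DER SEQUENCE whose declared length matches the bytes present (catches truncated certs)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:
        length, header = blob[1], 2
    else:
        n = blob[1] & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length, header = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return len(blob) == header + length

def check_metadata(xml_bytes: bytes) -> dict:
    """Parse (ET.ParseError if not well-formed) and collect what a relying party will ask about."""
    root = ET.fromstring(xml_bytes)
    entity_id = root.get("entityID", "")
    bad = []
    for i, cert in enumerate(root.findall(".//ds:X509Certificate", NS)):
        try:  # strict decoding raises binascii.Error, a ValueError subclass
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:
            der = b""
        if not der_sequence_complete(der):
            bad.append(i)
    return {
        "entity_id": entity_id,  # an https entityID is a URL a peer might try to fetch
        "entity_id_is_https_url": entity_id.startswith("https://"),
        "acs_locations": [e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)],
        "malformed_cert_indexes": bad,
        "signed": root.find("ds:Signature", NS) is not None,
    }
```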