ADFS with shib SP metadata problem

Luke Alexander luke at brandwatch.com
Mon May 11 09:48:18 EDT 2015 

On Mon, May 11, 2015 at 02:32:06PM +0200, Peter Schober wrote:
> * Luke Alexander <luke at brandwatch.com> [2015-05-11 14:02]:
> > https://social.msdn.microsoft.com/Forums/vstudio/en-US/75d52ee8-4b2e-4a0a-9011-fa44827b6d32/an-error-occurred-during-an-attempt-to-read-the-federation-metadata-verify-that-the-specified-url?forum=Geneva
> 
> I see nothing in there that would hint at a problem with the metadata
> you provided:
> 
> "Error message: The underlying connection was closed: Could not
> establish trust relationship for the SSL/TLS secure channel."
> 
> But then I don't know anything about MS-ADFS.
> Possibly it tries to connect to the URL that is your entityID value
> and failes (which could have many reasons). Whether it should do that
> in the first place and how to disable that are all questions for a
> different forum.
> First I'd probably wanted to find out where it tried to connect.

I'll ask the client about that, this is our first integration with ADFS
so we are on new grounds here, too.

> 
> > Our metadata for both SP servers was built by using the /Metadata
> > end point and then editing as required, running a diff against the
> > metadata shows the only differences are the embedded certs and any
> > location specific attributes.
> > 
> > This is the same metadata file we have used for other (non ADFS) clients
> > without problem.
> > 
> > I have tried creating a new metadata file using the meta-shib script,
> > but they see a slightly different error with that.
> 
> What was the other error message? Not that it's an error from
> Shibboleth software, so it seems your question what the error message
> means should be targeted at the vendor of the system that produced the
> error message?

Sorry, I've mislead you here, the actual error was not exactly the same
as the link I previously posted to, I was unable to find a MS link that
referenced the exact error, I have attached an image which will
hopefully you'll receive on the list?

> 
> > I am unable to verify the metadata against any online tool I've found or
> > by using xmlsec tool (this is the same for staging and production
> > metadata).
> 
> You certainly can test well-formedness and schema-validity, but if the
> Shib SP produced not well-formed or schema-invalid SAML metadata, that
> would be a bug, of course. (Which is somewhat unlikely as I recall no
> reports of that happening, ever, basically.)
> I doubt you're signing your SAML metadata (or that MS-ADFS know what
> to do with that), but if you do, you can also perform signature
> validation.
> You'll find links to any of those checks at
> https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataCorrectness
> 
> If you ask specific questions ("unable to validate using any tool"
> isn't a technical error report) you'll also get more useful answers.
> 
> Assuming xmlsec means https://www.aleksey.com/xmlsec/ try XmlSecTool
> from the Contributed secion in the shib wiki.
> But I think this has nothing to do with incorrect SAML metadata, and
> everything to do with how (what) MS-ADFS is set up (to do).

Yes, I've tried the aleksey online tool and the xmlsec1 command line
tool, both say the same thing:

xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem /etc/shibboleth/sp-cert.pem sp-live_meta_url.xml 
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('_fe63ccd50e8ab6a4c9f1238a199c06f4b4222f0c'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2405:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed: 
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1236:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1296:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: 
Error: signature failed 
ERROR
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "sp-live_meta_url.xml"

Many thanks for responding to this, I appreciate that this is not a shibboleth software issue - it was purely a probing email to see if others had experienced similar or if anyone had further troubleshooting ideas...

Cheers,
Luke
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001-new.png
Type: image/png
Size: 29282 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20150511/46c9adb4/attachment-0001.png>

More information about the users mailing list