ADFS with shib SP metadata problem

Peter Schober peter.schober at
Mon May 11 10:06:55 EDT 2015

* Luke Alexander <luke at> [2015-05-11 15:48]:
> I have attached an image which hopefully you'll receive on the
> list?

Got it at
(Copy/pasting the actual text of the error message -- "Digest
verification failed for reference ..." -- makes things easier for
others, jfyi.)

> Yes, I've tried the aleksey online tool and the xmlsec1 command line
> tool, both say the same thing:
> xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor --pubkey-cert-pem /etc/shibboleth/sp-cert.pem sp-live_meta_url.xml 

If sp-live_meta_url.xml originally came from your Shib SP it won't
have an EntitiesDescriptor root element, only an EntityDescriptor.
Also it won't be signed by default, so you must have changed that.

Of course signing the SP's metadata with the same cert the SP
publishes as its trust fabric cert doesn't give any additional trust
to anyone having to validate that signature on the metadata: You
either trust the local file (containing that same key) or you don't.

Slapping a signature from that same contained key onto that metadata
will not change that. (E.g. I could easily replace the contained
certificate with my own, and sign the metadata with that key too. To
anyone needing to make a decision whether to trust any of the info in
the metadata that's exactly as trustworthy as your data with the
real/correct key.)

So I'd doubt you signing the metadata (and trying to feed that to
MS-ADFS) actually makes any sense.

> SignedInfo References (ok/all): 0/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "sp-live_meta_url.xml"

Maybe that's just the consequence of the incorrect element referenced
in the xmlsec1 command line. Also you can probably forgo signing
completely. Finally try XmlSecTool which this group can support.
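
Added example, not part of the original message or of any Shibboleth tooling: a standard-library Python check that reports which root element a metadata file has (and so which node name `xmlsec1 --id-attr:ID` needs), whether the file is signed, and whether the signature was made with a certificate the same file publishes. The sample document, its entityID and its certificate values are constructed placeholders, and the function names are hypothetical; the script does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: signed SP metadata; certificate values are placeholders.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    ID="_sp1" entityID="https://sp.example.org/shibboleth">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_sp1"/></ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:SPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>Q09OU1RS
      VUNURUQ=</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>
</md:EntityDescriptor>"""

def certs(node):
    """Whitespace-normalised base64 of every ds:X509Certificate under node."""
    return {"".join((c.text or "").split()) for c in node.iter(f"{{{DS}}}X509Certificate")}

def inspect_metadata(xml_text):
    root = ET.fromstring(xml_text)
    ns, sep, local = root.tag.lstrip("{").partition("}")
    if not sep:                      # root element without a namespace
        ns, local = "", ns
    report = {"root": local,
              # node name to give xmlsec1 --id-attr:ID for this document
              "id_attr": f"{ns}:{local}" if ns else local,
              "signed": False, "reference_matches_root": False, "signed_with_published_key": False}
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:                  # Shibboleth SP metadata is unsigned by default
        return report
    report["signed"] = True
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI", "") if ref is not None else None
    root_id = root.get("ID")
    report["reference_matches_root"] = uri == "" or (
        root_id is not None and uri == "#" + root_id)
    published = set()
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        published |= certs(kd)
    # Signature made with a key the same file publishes: no independent trust anchor
    report["signed_with_published_key"] = bool(certs(sig) & published)
    return report

if __name__ == "__main__":
    print(inspect_metadata(SAMPLE))
```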
