ADFS with shib SP metadata problem

Luke Alexander luke at
Mon May 11 11:04:24 EDT 2015

On Mon, May 11, 2015 at 03:53:38PM +0100, Luke Alexander wrote:
> > 
> > Maybe that's just the consequence of the incorrect element referenced
> > in the xmlsec1 command line. Also you can probably forgo signing
> > completely. Finally try XmlSecTool which this group can support.
> I've now used the xmlsectool, it too finds the metadata to be invalid,
> it also finds the staging SP metadata to be valid, so that fits with
> ADFS, too.
> Given that the metadata signature is invalid for our production SP I
> assumed that creating a new metadata file using the shib-metagen script
> would be simply:
> shib-metagen -2AOLN -o Brandwatch -c /etc/shibboleth/sp-cert.pem -h \
> '' > Metadata.script
> --certificate /etc/shibboleth/sp-cert.pem --key \
> /etc/shibboleth/sp-key.pem --sign --inFile Metadata.script --outFile \
> Metadata.xml
> But that gives:
> INFO  XmlSecTool - Reading XML document from file 'Metadata.script'
> [Fatal Error] :1:70: The prefix "md" for element "md:EntityDescriptor" is not bound.
> ERROR XmlSecTool - XML document was not well formed
> org.xml.sax.SAXParseException: The prefix "md" for element "md:EntityDescriptor" is not bound.
> 	at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) ~[na:na]
> 	at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) ~[na:na]
> 	at javax.xml.parsers.DocumentBuilder.parse(Unknown Source) ~[na:1.4.01]
> 	at [xmlsectool-1.2.0.jar:na]
> 	at [xmlsectool-1.2.0.jar:na]
> Once again, thanks for your help with this!
> Luke

You can ignore this last request for help, I managed to get xmlsectool
to sign the metadata by adding the bindings for the md and ds prefixes
- the metadata is now signed again so I'll pass it to the client!

Many thanks for your help on this, Peter and Scott.
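The fix described above, declaring the md and ds prefixes so the generated metadata is well formed before it is handed to xmlsectool, as an added Python example that is not from the thread or from the Shibboleth project; the sample metadata is constructed, and the namespace URIs are the standard SAML 2.0 metadata and XML Signature namespaces.

```python
import re
import xml.etree.ElementTree as ET

# Standard SAML metadata and XML Signature namespace URIs (well-known values, not from the thread).
PREFIX_BINDINGS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: md: and ds: are used on elements but never declared (the "not bound" error).
UNBOUND_METADATA = (
    '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
    '<md:SPSSODescriptor protocolSupportEnumeration='
    '"urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>MIIC-constructed-placeholder</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

def is_well_formed(xml_text):
    """True if expat accepts the document; like Xerces, it rejects unbound prefixes."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def unbound_prefixes(xml_text):
    """Prefixes used on start tags that have no matching xmlns:<prefix> declaration."""
    used = set(re.findall(r"<([A-Za-z_][\w.-]*):", xml_text))
    declared = set(re.findall(r"xmlns:([\w.-]+)=", xml_text))
    return used - declared

def bind_missing_prefixes(xml_text, bindings=PREFIX_BINDINGS):
    """Declare known unbound prefixes on the root start tag; refuse to guess unknown ones."""
    missing = unbound_prefixes(xml_text)
    unknown = missing - set(bindings)
    if unknown:
        raise ValueError("no known namespace for prefix(es): %s" % sorted(unknown))
    if not missing:
        return xml_text
    decls = "".join(' xmlns:%s="%s"' % (p, bindings[p]) for p in sorted(missing))
    # The first prefixed start tag is the root; <?xml ...?> and comments do not match.
    return re.sub(r"(<[\w.-]+:[\w.-]+)", r"\1" + decls, xml_text, count=1)

def root_qualified_name(xml_text):
    """Root tag in Clark notation after binding, e.g. {ns}EntityDescriptor."""
    return ET.fromstring(bind_missing_prefixes(xml_text)).tag
```

Running the unbound sample through `bind_missing_prefixes` yields a document that parses, with the root resolved into the SAML metadata namespace; a document that is already bound is returned unchanged.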

