ADFS with shib SP metadata problem
Peter Schober
peter.schober at univie.ac.at
Mon May 11 11:36:19 EDT 2015
* Luke Alexander <luke at brandwatch.com> [2015-05-11 16:54]:
> > So I'd doubt you signing the metadata (and trying to feed that to
> > MS-ADFS) actually makes any sense.
>
> Yeah, I agree, though it looks to me like ADFS will likely accept the
> metadata file if it is well formed _and_ has a valid signature - even if
> the signature itself doesn't give additional trust...
The question is not whether you can get MS-ADFS to accept signed
metadata but whether that makes any sense/difference.
> shib-metagen -2AOLN -o Brandwatch -c /etc/shibboleth/sp-cert.pem -h \
> 'sp.brandwatch.com' > Metadata.script
[...]
> INFO XmlSecTool - Reading XML document from file 'Metadata.script'
> [Fatal Error] :1:70: The prefix "md" for element "md:EntityDescriptor" is not bound.
> ERROR XmlSecTool - XML document was not well formed
You're telling metagen.sh (or shib-metagen on Debian and derivatives)
to drop namespace declarations in the generated XML (-O). When those
don't come from somewhere else the above will happen. So don't use -O
unless you intend to minimize the XML and will include nsdecls elsewhere.
-peter
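To make the failure mode above concrete: the following is an added example, not code from the thread or from the Shibboleth project. It uses a constructed EntityDescriptor fragment with its xmlns:md/xmlns:ds declarations stripped (the shape -O produces), shows that a standard XML parser rejects it with an unbound-prefix error just as XmlSecTool did, and then shows the fix Peter describes: supply the namespace declarations on an enclosing element (here an EntitiesDescriptor) before handing the document to a signing or validation tool. The entityID and endpoint values are made up for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs that metagen normally declares on the root element.
SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a minimal SP EntityDescriptor *without* its xmlns:md
# declaration, i.e. the kind of fragment metagen emits when -O drops nsdecls.
FRAGMENT_WITHOUT_NSDECLS = (
    '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
    '<md:SPSSODescriptor protocolSupportEnumeration='
    '"urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>'
    '</md:SPSSODescriptor>'
    '</md:EntityDescriptor>'
)


def is_well_formed(xml_text):
    """Return (True, None) if xml_text parses, else (False, parser message).

    An unbound prefix such as 'md:' is a well-formedness error, so any
    signing tool will refuse the document before it even looks at keys.
    """
    try:
        ET.fromstring(xml_text)
        return True, None
    except ET.ParseError as exc:
        return False, str(exc)


def wrap_with_nsdecls(fragment, name=None):
    """Wrap a prefix-only fragment in an EntitiesDescriptor that binds md: and ds:.

    This is the 'include nsdecls elsewhere' case: the declarations live on the
    enclosing element, so the fragment no longer needs to carry them itself.
    """
    name_attr = f' Name="{name}"' if name else ""
    return (
        f'<md:EntitiesDescriptor xmlns:md="{SAML_MD_NS}" '
        f'xmlns:ds="{DS_NS}"{name_attr}>'
        f"{fragment}"
        "</md:EntitiesDescriptor>"
    )


def entity_ids(xml_text):
    """List the entityID of every EntityDescriptor in a well-formed document."""
    root = ET.fromstring(xml_text)
    tag = f"{{{SAML_MD_NS}}}EntityDescriptor"
    return [el.get("entityID") for el in root.iter(tag)]


if __name__ == "__main__":
    ok, err = is_well_formed(FRAGMENT_WITHOUT_NSDECLS)
    print("bare fragment well-formed:", ok, "-", err)
    wrapped = wrap_with_nsdecls(FRAGMENT_WITHOUT_NSDECLS, name="example-aggregate")
    ok, err = is_well_formed(wrapped)
    print("wrapped document well-formed:", ok)
    print("entities:", entity_ids(wrapped))
```

Run the check on the metagen output before invoking any signing tool; if `is_well_formed` reports an unbound prefix, either drop -O or make sure the fragment is embedded in a document that declares the md: and ds: prefixes.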