ADFS with shib SP metadata problem

Peter Schober peter.schober at
Mon May 11 11:36:19 EDT 2015

* Luke Alexander <luke at> [2015-05-11 16:54]:
> > So I'd doubt you signing the metadata (and trying to feed that to
> > MS-ADFS) actually makes any sense.
> Yeah, I agree, though it looks to me like ADFS will likely accept the
> metadata file if it is well formed _and_ has a valid signature - even if
> the signature itself doesn't give additional trust...

The question is not whether you can get MS-ADFS to accept signed
metadata but whether that makes any sense/difference.

> shib-metagen -2AOLN -o Brandwatch -c /etc/shibboleth/sp-cert.pem -h \
> '' > Metadata.script

> INFO  XmlSecTool - Reading XML document from file 'Metadata.script'
> [Fatal Error] :1:70: The prefix "md" for element "md:EntityDescriptor" is not bound.
> ERROR XmlSecTool - XML document was not well formed

You're telling (or shib-metagen on Debian and derivatives)
to drop namespace declarations in the generated XML (-O). When those
don't come from somewhere else the above will happen. So don't use -O
unless you intend to minimize the XML and will include nsdecls elsewhere.
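As an added illustration of the point above (not code from the thread, from shib-metagen or from the Shibboleth project), the following Python script builds a constructed SP metadata fragment that uses the md: and ds: prefixes without declaring them, shows that it fails well-formedness checking on its own with the same "unbound prefix" class of error XmlSecTool reported, and then shows the same fragment parsing once an enclosing EntitiesDescriptor supplies the namespace declarations. The entityID, federation name and certificate text are constructed sample values.

```python
"""Why a minimized (-O style) metadata fragment is not a well-formed document.

Constructed example: the XML below imitates output with namespace
declarations stripped; it was not produced by shib-metagen.
"""
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed fragment: prefixes are used, but no xmlns:md / xmlns:ds appear.
MINIMIZED_FRAGMENT = (
    '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
    '<md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
    'MIIB...constructed-placeholder...'
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:SPSSODescriptor>'
    '</md:EntityDescriptor>'
)


def parse_standalone(xml_text):
    """Parse the text as a complete document; return (ok, diagnostic)."""
    try:
        ET.fromstring(xml_text)
        return True, "well formed"
    except ET.ParseError as exc:
        # expat reports an undeclared prefix as "unbound prefix: line L, column C"
        return False, str(exc)


def wrap_in_aggregate(fragment):
    """Embed the fragment in an EntitiesDescriptor that declares md and ds.

    This is the "somewhere else" a minimized fragment relies on for its
    namespace declarations (for example, a federation aggregate).
    """
    return (
        f'<md:EntitiesDescriptor xmlns:md="{SAML_MD_NS}" xmlns:ds="{DS_NS}" '
        'Name="urn:example:constructed-federation">'
        f"{fragment}"
        "</md:EntitiesDescriptor>"
    )


def find_entity_ids(xml_text):
    """Return the entityID of every EntityDescriptor in a well-formed document."""
    root = ET.fromstring(xml_text)
    tag = f"{{{SAML_MD_NS}}}EntityDescriptor"
    nodes = [root] if root.tag == tag else list(root.iter(tag))
    return [node.get("entityID") for node in nodes]


if __name__ == "__main__":
    ok, why = parse_standalone(MINIMIZED_FRAGMENT)
    print(f"standalone fragment: ok={ok} ({why})")
    wrapped = wrap_in_aggregate(MINIMIZED_FRAGMENT)
    ok, why = parse_standalone(wrapped)
    print(f"inside aggregate:    ok={ok} ({why})")
    print("entityIDs:", find_entity_ids(wrapped))
```

Running the parse check before handing a file to XmlSecTool, ADFS or any signing step separates a plain well-formedness problem from a trust or signature problem: a document that fails here cannot be signed or verified at all, regardless of which certificate is used.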
