Invalid Metadata on different versions of IdP
Michael Dahlberg
olgamirth at gmail.com
Wed Aug 29 22:07:00 EDT 2018
On Wed, Aug 29, 2018 at 9:39 PM Tom Scavo <trscavo at gmail.com> wrote:
> On Wed, Aug 29, 2018 at 9:25 PM Michael Dahlberg <olgamirth at gmail.com>
> wrote:
> >
> > Obviously, the metadata is found but the RP is "Unverified" because the
> > profile "http://shibboleth.net/ns/profiles/saml2/sso/browser" is not
> > available.
>
> No, I don't think so. Apparently the entity descriptor itself is being
> filtered.
Can you elaborate? Why would the entity descriptor be filtered?
> Can you post the metadata provider you're using to load the
> metadata?
>
This is the metadata that I'm loading for this SP.
<?xml version="1.0"?>
<md:EntityDescriptor entityID="https://admin.dc4.pageuppeople.com/"
    ID="_be34e38a-6d08-4c7c-b581-7b8bbf2b3d18"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor ID="_9e800a5f-f7e2-4e5d-992a-b3e3b41766f6"
      validUntil="2016-10-28T15:57:24.783Z" cacheDuration="P1DT0S"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
MIIFXjCCBEagAwIBAgIQDrnMT8UhDK/K+iKAI5VVBjANBgkqhkiG9w0BAQ0FADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFNlcnZlciBDQTAeFw0xNjA1MDkwMDAwMDBaFw0xOTA1MTQxMjAwMDBaMHQxCzAJBgNVBAYTAkFVMREwDwYDVQQIEwhWaWN0b3JpYTESMBAGA1UEBxMJTWVsYm91cm5lMR4wHAYDVQQKExVQYWdlVXAgUGVvcGxlIFB0eSBMdGQxHjAcBgNVBAMTFXNhbWwucGFnZXVwcGVvcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALg4hfXNFNipeNQihnOp//DC3lzUfuBsfzL8xvkdlfiu2vGFLEVc1UYHyNogh/pndGU6+pQDzLgV1RIUDco7GEJxVdduqgAHB0qSyj4TVbTI1VYxDwGPqoUKAH9oOzoxyRXhVlY7BBWA60OhbtUqOY/W+uEZD8iQWuC6vrhgYuChvuASphYt4YbZIUgWtgSLdPTzWtkq68Xo4ku5s2ejbKJzpEZscz7VQEWu+1WNBUoux5JoWWVU2Iwz6DzbZNctNr3VQj0WRSAdz1SuvfBc4ACULn/E/4kXkrmGmqy5+/SeUNBReAsksXGP2WQ5I4ScGuFYv+6suuxuzNqnMpCMJdsCAwEAAaOCAe4wggHqMB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0GA1UdDgQWBBSDSHvntlwb95oE3mw2COk17TgDyDAgBgNVHREEGTAXghVzYW1sLnBhZ2V1cHBlb3BsZS5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3JsMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3MHUwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQ0FAAOCAQEAkx13kemM1hblvlMQot4Ve66d0s6tRm4SM3w9lCAwIJbXzq08y1rF5QU6rzU0Oq8HNLjfGFMVjkAazz3Pfr6Vx6vim7bPROKzAaMAbK8gYsBqKZEhmwWZ6Dex2h6lIsRYvtKGi7Jq/xuNhCnPqThCO5BINnXUcubPrHT2fwJt+lVjAtmiiui/oNWFutDHdOC2IPYXub8IyFENOiru8l4NZviCSpkqHvrhFThIv29BqJ7RYbQ1YdpCeILDur3vnllXVgDCfNKrqpPw1DiiOiVPBvr1Ma+0HQsRQwOE88GAcanWz42HOUCCNtXeNbLTIux+BNDLjah3GHskWyaq6m5ygA==
      </X509Certificate></X509Data></KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
      </X509Certificate></X509Data></KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://admin.dc4.pageuppeople.com//gateway/SAML.aspx?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST"
        index="0" isDefault="true" />
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://admin.dc4.pageuppeople.com//gateway/SAML.aspx"
        index="1" isDefault="false" />
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adminuat.dc4.pageuppeople.com/gateway/SAML.aspx"
        index="2" isDefault="false" />
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adminuat.dc4.pageuppeople.com//gateway/SAML.aspx"
        index="3" isDefault="false" />
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">PageUp</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">PageUp</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://www.pageuppeople.com/</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="support">
    <md:EmailAddress>support at pageuppeople.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
Does this provide any clues as to what the problem is?
Thanks,
Mike
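
The posted SPSSODescriptor carries a validUntil attribute. The following is an added example, not part of the original message or of Shibboleth: it lists every element in a metadata document that sets validUntil and whether that instant has passed at a given reference time. The sample document is constructed (sp.example.org, certificates omitted) and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample with the same shape as the posted metadata; not the real document.
SAMPLE = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/">
  <md:SPSSODescriptor validUntil="2016-10-28T15:57:24.783Z" cacheDuration="P1DT0S"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/gateway/SAML.aspx"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_instant(value):
    """Parse an xs:dateTime such as 2016-10-28T15:57:24.783Z into an aware datetime."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    # Normalise the fraction to six digits so older fromisoformat() accepts it.
    text = re.sub(r"\.(\d+)", lambda m: "." + m.group(1)[:6].ljust(6, "0"), text, count=1)
    parsed = datetime.fromisoformat(text)
    # Assumption: a value without an offset is read as UTC.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validity_report(xml_text, now):
    """Return (tag, entityID, validUntil, expired) for each element that sets validUntil."""
    findings = []

    def walk(elem, entity_id):
        entity_id = elem.get("entityID", entity_id)  # track the enclosing entity
        until = elem.get("validUntil")
        if until is not None:
            tag = elem.tag.split("}")[-1]  # drop the namespace part
            findings.append((tag, entity_id, until, parse_instant(until) <= now))
        for child in elem:
            walk(child, entity_id)

    walk(ET.fromstring(xml_text), None)
    return findings


if __name__ == "__main__":
    reference = datetime(2018, 8, 29, tzinfo=timezone.utc)  # date of the message above
    for tag, entity, until, expired in validity_report(SAMPLE, reference):
        print(f"{entity} {tag} validUntil={until} {'EXPIRED' if expired else 'ok'}")
```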