Possible bug with Shib IdP v4.0.0

Ian Young ian at iay.org.uk
Sat Apr 18 07:10:07 EDT 2020

> On 2020-04-18, at 12:03, Ian Young <ian at iay.org.uk> wrote:
> If you don't have ServiceName, you should omit the element.

Peter correctly points out that I am wrong: you can't omit ServiceName, as that would make the metadata schema-invalid. You should just remove the entire AttributeConsumingService if you don't need that.

There are two different kind of problem we're discussing here:

* Schema validity, which says what an AttributeConsumingService element needs to contain. You should schema-validate your metadata to avoid this kind of problem.

* Additional SAML rules (in particular the general one that SAML-defined elements and attributes can't be empty) which the software sometimes checks independently of schema validity.

    -- Ian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200418/0d1303f2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3883 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20200418/0d1303f2/attachment.p7s>

More information about the users mailing list