Possible bug with Shib IdP v4.0.0

Ian Young ian at iay.org.uk
Sat Apr 18 13:35:16 EDT 2020



> On 2020-04-18, at 16:37, Mak, Steve <makst at upenn.edu> wrote:
> 
> When I run:
> 
> xmllint --noout --schema saml-schema-metadata-2.0.xsd sp.xml
> 
> It validates if I pull down the xsd files it needs.  But maybe I'm doing something wrong here.

You're not doing anything wrong there, it's just not sufficient.

As I mentioned before, there are SAML-specific rules that are not covered by the schema. In particular, it's a general rule that SAML elements can't be empty (and we apply that same rule to elements in SAML metadata). By definition, if a rule isn't encoded in the schema (and this one isn't) then it's beyond the reach of xmllint or anything else that just does schema validation.

SAML software can perform that additional checking, but not all SAML software does. I don't know of a publicly available checking tool for this specific issue, although (for example) if you submitted that metadata to (at least) the UK federation for publication, the issue would be flagged.

Anyway, something like this should resolve your issue:

<ServiceName xml:lang="en">a name for the service goes here</ServiceName>

Let us know if that helps.

    -- Ian
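
An added example, not part of the original message and not Shibboleth or federation code: a small Python check for the rule described above, flagging string-valued SAML metadata elements that have no non-whitespace content, which schema validation with xmllint does not catch. The element list, function names and sample metadata are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumption: a subset of metadata elements whose content is a string or URI.
# Attribute-only elements (endpoints, RequestedAttribute) are deliberately absent.
STRING_VALUED = {
    "ServiceName", "ServiceDescription", "OrganizationName",
    "OrganizationDisplayName", "OrganizationURL", "NameIDFormat",
    "Company", "GivenName", "SurName", "EmailAddress", "TelephoneNumber",
}

# Constructed sample: two elements below carry no real content.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en"/>
      <md:ServiceDescription xml:lang="en">   </md:ServiceDescription>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def find_empty_elements(xml_text):
    """Return paths of listed elements with no non-whitespace text content."""
    findings = []
    def walk(elem, path):
        ns, local = split_tag(elem.tag)
        here = f"{path}/{local}"
        if ns == MD_NS and local in STRING_VALUED and not (elem.text or "").strip():
            findings.append(here)
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return findings

if __name__ == "__main__":
    for path in find_empty_elements(SAMPLE):
        print("empty SAML string element:", path)
```

The attribute-only `AssertionConsumerService` and `RequestedAttribute` elements in the sample are not reported, because only the listed string-valued elements are checked.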
