EntityID Missing From IDP-metadata.xml
Matt Swann
mswann090 at gmail.com
Wed Oct 26 15:31:37 UTC 2022
Hey Everyone,
When inputting the IdP URI into my SP (ONTAP), I receive the following
error.
" Complete: SAML job failed, Reason: IdP metadata downloaded from the
provided URL does not have the "entityID" attribute with namespace
"urn:oasis:names:tc:SAML:2.0:metadata". [12320809]"
I confirmed that the SP and the server hosting Shibboleth are communicating
successfully and that the SP can download the metadata, but the entityID is
apparently missing somewhere in idp-metadata.xml. I tried placing it
between <Extensions> </Extensions>; however, that caused the SP to be
unable to download the metadata at all.
I've pasted my idp-metadata.xml below, with some environment-specific
details removed.
I'd appreciate any insight y'all can provide.
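<?xml version="1.0" encoding="UTF-8"?>
<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
This metadata is not dynamic - it will not change as your
configuration changes.
-->
<!--
Review notes on the posted copy (what was changed and why):
- Attribute and element values that mail wrapping had split across lines
  (entityID, several Location values, mdui:Logo, mdui:DisplayName) are
  rejoined. As posted, the line break inside entityID="..." would survive
  attribute-value normalisation as a leading space in the entityID.
- The bare text "Fill in the details for your IdP here" inside
  IDPSSODescriptor/Extensions is removed: md:Extensions permits child
  elements only, so a consumer that schema-validates the document may
  reject it outright and surface a misleading error such as the one quoted
  in the post (not confirmed against ONTAP).
- The HTTP-POST-SimpleSign SSO Location had no scheme, and the Shibboleth
  AuthnRequest SSO Location used the host "Test.coml"; both are assumed to
  be typos and now match the other endpoints.
- validUntil (2022-08-25) is earlier than the date of this post; a consumer
  that honours validUntil will discard the document. Regenerate the metadata
  from the IdP rather than hand-editing this value.
- Certificate bodies are left as posted (empty or truncated, presumably
  redacted); the SP cannot verify assertion signatures until the real
  base64 DER certificates are present.
- Serve this file over HTTPS only: a consumer that fetches metadata over a
  clear-text URL has no basis for trusting the keys it contains.
-->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                  xmlns:xml="http://www.w3.org/XML/1998/namespace"
                  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
                  xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr"
                  validUntil="2022-08-25T17:27:44.480Z"
                  entityID="https://Test.com/shibboleth/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <Extensions>
      <!-- Scope value looks redacted; it should be the IdP's attribute scope domain. -->
      <shibmd:Scope regexp="false">.com</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Test (display Name)</mdui:DisplayName>
        <mdui:Description xml:lang="en">Test (Description)</mdui:Description>
        <mdui:Logo height="80" width="80">https://Test.com/shibboleth/idp/Path/To/Logo.png</mdui:Logo>
      </mdui:UIInfo>
    </Extensions>
    <!-- First signing certificate is BackChannel, the Second is FrontChannel -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
k=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                               Location="https://Test.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
                               index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                               Location="https://Test.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
                               index="2"/>
    <!--
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://Test.com/idp/profile/SAML2/Redirect/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://Test.com/idp/profile/SAML2/POST/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                         Location="https://Test.com/idp/profile/SAML2/POST-SimpleSign/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                         Location="https://Test.com:8443/idp/profile/SAML2/SOAP/SLO"/>
    -->
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                         Location="https://Test.com/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         req-attr:supportsRequestedAttributes="true"
                         Location="https://Test.com/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                         req-attr:supportsRequestedAttributes="true"
                         Location="https://Test.com/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         req-attr:supportsRequestedAttributes="true"
                         Location="https://Test.com/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">.com</shibmd:Scope>
    </Extensions>
    <!-- First signing certificate is BackChannel, the Second is FrontChannel -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                      Location="https://Test.com:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <!-- <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                           Location="https://Test.com:8443/idp/profile/SAML2/SOAP/AttributeQuery"/> -->
    <!-- If you uncomment the above you should add
         urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration
         above -->
  </AttributeAuthorityDescriptor>
</EntityDescriptor>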