EntityID Missing From IDP-metadata.xml

Peter Schober peter.schober at univie.ac.at
Wed Oct 26 16:19:28 UTC 2022

* Matt Swann via users <users at shibboleth.net> [2022-10-26 17:32]:
> " Complete: SAML job failed, Reason: IdP metadata downloaded from the
> provided URL does not have the "entityID" attribute with namespace
> "urn:oasis:names:tc:SAML:2.0:metadata". [12320809]"
> I confirmed that the SP and my server that hosts Shibboleth are
> successfully talking and the SP can download the metadata but I'm missing
> the entityID somewhere within the idp.metadata.xml.

It's clearly there in what you pasted. Right after a validUntil XML
attribute with a date in the past, though.
(So that may be the actual issue: Maybe the SAML implementation trying
to consume that metadata actually pays attention to validUntil -- as
mandated by the SAML specification -- and this causes the import to
fail, though that would be a very unfortunate error message, then.)

> I tried placing it between <Extensions> </Extensions>, however

No. You'll never get anywhere just by guessing what SAML 2.0 Metadata
should look like or whether it's valid. Look at the SAML 2.0 Metadata
specification in prose form:
or at the XSD (which is almost human-readable).
You can validate the metadata using e.g. xmllint or better yet using
XmlSecTool from the Shibboleth project.

Of course simply searching for the string "entityID" in your
idp-metadata.xml (e.g. on your IDP server or after having opened the
URL to it on your web browser) would have shown that it is in fact

