EntityID Missing From IDP-metadata.xml
Peter Schober
peter.schober at univie.ac.at
Wed Oct 26 16:19:28 UTC 2022
* Matt Swann via users <users at shibboleth.net> [2022-10-26 17:32]:
> " Complete: SAML job failed, Reason: IdP metadata downloaded from the
> provided URL does not have the "entityID" attribute with namespace
> "urn:oasis:names:tc:SAML:2.0:metadata". [12320809]"
>
> I confirmed that the SP and my server that hosts Shibboleth are
> successfully talking and the SP can download the metadata but I'm missing
> the entityID somewhere within the idp.metadata.xml.
It's clearly there in what you pasted. Right after a validUntil XML
attribute with a date in the past, though.
(So that may be the actual issue: Maybe the SAML implementation trying
to consume that metadata actually pays attention to validUntil -- as
mandated by the SAML specification -- and this causes the import to
fail, though that would be a very unfortunate error message, then.)
> I tried placing it between <Extensions> </Extensions>, however
No. You'll never get anywhere just by guessing what SAML 2.0 Metadata
should look like or whether it's valid. Look at the SAML 2.0 Metadata
specification in prose form:
http://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf
or at the XSD (which is almost human-readable).
You can validate the metadata using e.g. xmllint or better yet using
XmlSecTool from the Shibboleth project.
Of course simply searching for the string "entityID" in your
idp-metadata.xml (e.g. on your IDP server or after having opened the
URL to it on your web browser) would have shown that it is in fact
present.
-peter
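The two checks the reply above recommends, searching the metadata for the entityID attribute and paying attention to validUntil, can be scripted. The following is an added example and not code from the thread or from the Shibboleth project; the sample EntityDescriptor, its example.org URLs and the expiry date are constructed to mirror the situation described (entityID present, validUntil in the past).

```python
"""Sanity-check a SAML 2.0 IdP metadata document: confirm the entityID
attribute is really present on md:EntityDescriptor and report whether
validUntil has already passed. Added example, not from the original thread."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = "{" + MD_NS + "}EntityDescriptor"
IDP_DESCRIPTOR = "{" + MD_NS + "}IDPSSODescriptor"

# Constructed sample metadata (not taken from the thread): a minimal IdP
# EntityDescriptor whose validUntil lies in the past while entityID is present.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2021-01-01T00:00:00Z"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_xs_datetime(value):
    """Parse an xs:dateTime such as 2021-01-01T00:00:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # SAML dateTimes are UTC; assume it if unstated
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_idp_metadata(xml_text, now=None):
    """Return entityID, validUntil status and a list of findings for the document.

    `now` may be None (current time), an aware datetime, or an xs:dateTime string.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_xs_datetime(now)

    result = {"entity_id": None, "valid_until": None, "expired": False, "findings": []}
    root = ET.fromstring(xml_text)

    # entityID is an unprefixed attribute of the md:EntityDescriptor element
    # itself; it does not live inside md:Extensions or any child element.
    if root.tag != ENTITY_DESCRIPTOR:
        result["findings"].append(
            "root element is %s, expected %s" % (root.tag, ENTITY_DESCRIPTOR))
        return result

    entity_id = root.get("entityID")
    if entity_id:
        result["entity_id"] = entity_id
    else:
        result["findings"].append("entityID attribute missing from md:EntityDescriptor")

    if root.find(IDP_DESCRIPTOR) is None:
        result["findings"].append("no md:IDPSSODescriptor element found")

    valid_until = root.get("validUntil")
    if valid_until:
        expiry = parse_xs_datetime(valid_until)
        result["valid_until"] = expiry.isoformat()
        if expiry <= now:
            result["expired"] = True
            result["findings"].append(
                "validUntil %s is in the past; a consumer that honours validUntil "
                "will treat this metadata as expired" % valid_until)
    return result


if __name__ == "__main__":
    import json
    import sys
    # Pass a path to idp-metadata.xml, or run without arguments to check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(json.dumps(check_idp_metadata(text), indent=2))
```

This only looks at the attributes the reply discusses; it is not a substitute for schema validation of the whole document, which is what the xmllint or XmlSecTool step in the reply is for.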