Shibboleth won't accept signed metadata #244

Closed
soupmatt opened this issue Jun 26, 2015 · 1 comment

Comments

@soupmatt (Contributor)

Using both version v0.9.2 and current master (04659e5), I cannot get a shibboleth IdP to validate my metadata.xml when I sign it. As I investigated this, it turns out the KeyDescriptor elements that are put inside the SPSSODescriptor aren't allowed by the xml schema. The ones inside the Signature element are fine.

Upon further investigation, it seems as if the metadata xsd included in ruby-saml has two additional lines in it that aren't present in the versions of the xsd that are packaged by shibboleth, php-saml and python-saml. The links lead to the relevant section of the xsd file in each project's source tree. I used the latest release tags for each link.

Now, if there are installations that look for and benefit from these KeyDescriptors being included, then perhaps a config switch to take them would be in order. Otherwise, I propose they be removed. I am happy to contribute a pull request to either end.

@iyerk0 commented Jun 29, 2015

I verify this issue exists. I have also had a tough time importing a valid sp metadata xml into various IDPs. Current hack is that I manually edit the exported xml from ruby-saml and re-order the elements to get the validation to pass in the IDP.
It is definitely a nasty blocker for people new to ruby saml.
Request a fix for this.
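The ordering problem both commenters describe, as an added example that is not ruby-saml's own code: the child order that saml-schema-metadata-2.0.xsd prescribes for SPSSODescriptor (KeyDescriptor before the endpoint elements) is checked with stdlib REXML, and a misordered sample (constructed for this example) is reordered the way the referenced fix does.

```ruby
require 'rexml/document'

MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'

# xs:sequence of RoleDescriptorType followed by SPSSODescriptorType,
# taken from the SAML 2.0 metadata schema.
SPSSO_ORDER = %w[
  Signature Extensions KeyDescriptor Organization ContactPerson
  ArtifactResolutionService SingleLogoutService ManageNameIDService
  NameIDFormat AssertionConsumerService AttributeConsumingService
].freeze

# Returns "<child> after <preceding child>" for every pair of adjacent
# children of the first SPSSODescriptor that is out of schema order.
def spsso_order_violations(xml)
  doc = REXML::Document.new(xml)
  spsso = REXML::XPath.first(doc, '//md:SPSSODescriptor', 'md' => MD_NS)
  raise ArgumentError, 'no SPSSODescriptor found' unless spsso
  names = spsso.elements.map(&:name)
  ranks = names.map { |n| SPSSO_ORDER.index(n) || SPSSO_ORDER.length }
  violations = []
  ranks.each_cons(2).with_index do |(a, b), i|
    violations << "#{names[i + 1]} after #{names[i]}" if b < a
  end
  violations
end

# Puts the SPSSODescriptor children back into schema order (stable sort),
# which is what the fix referenced in this issue does for KeyDescriptor.
def reorder_spsso(xml)
  doc = REXML::Document.new(xml)
  spsso = REXML::XPath.first(doc, '//md:SPSSODescriptor', 'md' => MD_NS)
  children = spsso.elements.to_a
  children.each { |c| spsso.delete_element(c) }
  children.sort_by.with_index { |c, i| [SPSSO_ORDER.index(c.name) || SPSSO_ORDER.length, i] }
          .each { |c| spsso.add_element(c) }
  doc.to_s
end

# Constructed sample: KeyDescriptor emitted after the endpoints, the shape
# an IdP's schema validation rejects.
MISORDERED = <<~XML
  <md:EntityDescriptor xmlns:md="#{MD_NS}" entityID="https://sp.example.com/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/acs" index="0"/>
      <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
XML
```

Running `spsso_order_violations(MISORDERED)` reports the KeyDescriptor placed after AssertionConsumerService; after `reorder_spsso` the same check returns no violations.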

ylansegal added a commit to ylansegal/ruby-saml that referenced this issue Aug 11, 2015
…port_0.9_rebase

* upstream/master: (47 commits)
  Handle empty URI references as per http://www.w3.org/TR/xmldsig-core/#sec-Same-Document; thx to @sixto for resolving a test case failure.
  support nameid in attribute values
  first attempt at adding support for scoped attributes needs additional work and tests
  Add some documentation about the soft setting parameter
  Update readme.md for 1.0.0 release
  Update date of the 1.0.0 release
  Update Readme and changelog
  Security improvement: Avoid entity expansion (XEE attacks)
  According to the xsd, the issuer has to be before the status
  Update changelog
  Fix SAML-Toolkits#244, related to PR SAML-Toolkits#243. Fix bug on metadata. Reorder KeyDescriptors
  Add logging information to README
  Allow logging to be delegated to an arbitrary Logger.
  Add tests for existing Logging functionality
  no more silent failure fetching idp metadata
  fix schema validation errors in service provider metadata
  tests to validate service provider metadata xml against the schema
  ignore gemfile.lock files in the gemfiles directory
  Prepare 1.0.0 release
  Improve compatibility with namespaces
  ...