By: Lindsay Weir user 26 Jul 2022 at 6:33 p.m. CDT

9 Responses
I am configuring Site SAML integration from Tableau. We have had this running on 3.x servers and are upgrading to Gluu 4.4.0. When creating a Trust Relationship and importing the saml_sp_metadata.xml file that is exported from Tableau we get the following errors:

```
2022-07-26 22:20:39 : ERROR : cvc-attribute.3: The value '18006590-fa95-434a-aae9-89becbce8714' of attribute 'ID' on element 'md:EntityDescriptor' is not valid with respect to its type, 'ID'.
2022-07-26 22:20:39 : ERROR : cvc-datatype-valid.1.2.1: '18006590-fa95-434a-aae9-89becbce8714' is not a valid value for 'NCName'.
```

The entityID format has not changed from what is generated from Tableau and this had no issues being imported previously. This is an example of the saml_sp_metadata.xml file being imported, with keys and URLs modified.

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     ID="18006590-fa95-434a-aae9-89becbce8714"
                     entityID="https://mysite.local/samlservice/public/sp/metadata?alias=18006590-fa95-434a-aae9-89becbce8714">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>XXXXX</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>YYYY</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://mysite.local/samlservice/public/sp/SLO?alias=18006590-fa95-434a-aae9-89becbce8714"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://mysite.local/samlservice/public/sp/SSO?alias=18006590-fa95-434a-aae9-89becbce8714"
                                 index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

By Mohib Zico Account Admin 26 Jul 2022 at 10:29 p.m. CDT

Can you please share full metadata without modification? We will try to create Trust relationship in our local setup. Thanks!

By Lindsay Weir user 27 Jul 2022 at 7:45 a.m. CDT

If you can provide a location (or email) I can send it directly, as I don't want to post it here.

By Lindsay Weir user 27 Jul 2022 at 6:33 p.m. CDT

It appears that the ID="" attribute below cannot begin with a number. Tableau is generating this and that is what appears to be failing. The older versions were generating this ID without a number at the start, and it would import without any issue.

By Mohib Zico Account Admin 27 Jul 2022 at 9:30 p.m. CDT

> The older versions were generating this ID

Older version of Tableau SP?

By Lindsay Weir user 27 Jul 2022 at 11:05 p.m. CDT

Both older and latest versions of Tableau are generating the ID="" attribute. The older versions used to generate it with the following:

```
ID="https___XXXXXXX.local_samlservice_public_sp_metadata_alias_d0569a6e-9a97-4200-b94c-7aefa60ab39f"
```

while the latest version of Tableau just generates it with:

```
ID="d0569a6e-9a97-4200-b94c-7aefa60ab39f"
```

Since this example starts with a "d05....." it will import into Gluu successfully. If it begins with 0-9 for the UUID, then it will fail to import and we get the error message shown initially.

By Mohib Zico Account Admin 27 Jul 2022 at 11:10 p.m. CDT

Interesting. Please share the metadata to zico@gluu.org. We will check...

By Mohib Zico Account Admin 28 Jul 2022 at 9:54 a.m. CDT

I was able to reproduce the issue. We are checking which code is rejecting that, our own code or Shibboleth. Will let you know.

By Mohib Zico Account Admin 29 Jul 2022 at 11 a.m. CDT

Ok, it turned out... what Gluu Server is doing is correct behavior. According to the SAML standard, NCName can't contain a `:` colon or begin with anything but a letter. You can check the SAML standard here: https://www.w3.org/TR/1999/REC-xml-names-19990114/#NT-NCName
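
The check described above can be run against SP metadata before it is handed to the Trust Relationship import, so a bad `ID` is caught on the operator's side rather than as a failed import. The following is an added example, not Gluu's, Shibboleth's or Tableau's code; the `metadata_with_id` helper builds a constructed minimal metadata document modelled on the one posted in this thread, and the NCName check is the ASCII subset of the production linked above (a `:` is rejected anywhere, and the first character must be a letter or `_`).

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# NCName from XML Namespaces 1.0, restricted to ASCII: first char a letter or
# '_', then letters, digits, '.', '-' or '_'. A ':' is never allowed (the "NC"
# means "no colon"), and a leading digit, as in the Tableau UUID, fails here.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_ncname(value: str) -> bool:
    """True if value is a valid (ASCII) NCName, the base type of xs:ID."""
    return bool(NCNAME_RE.match(value))


def check_metadata_ids(xml_text: str) -> list[str]:
    """Return a list of problems with every ID attribute in the metadata.

    xs:ID requires an NCName that is unique within the document, so both
    conditions are checked; an empty list means the IDs would pass schema
    validation. Messages mirror the cvc-datatype error seen on import.
    """
    errors: list[str] = []
    seen: set[str] = set()
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        value = elem.attrib.get("ID")
        if value is None:
            continue
        local = elem.tag.split("}")[-1]  # strip the {namespace} prefix
        if not is_ncname(value):
            errors.append(
                f"cvc-datatype-valid.1.2.1: '{value}' is not a valid value "
                f"for 'NCName' (attribute 'ID' on element 'md:{local}')"
            )
        elif value in seen:
            errors.append(f"duplicate ID value '{value}' on element 'md:{local}'")
        seen.add(value)
    return errors


def metadata_with_id(id_value: str) -> str:
    """Constructed minimal SP metadata (not real Tableau output) with the given ID."""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" ID="{id_value}" '
        f'entityID="https://mysite.local/samlservice/public/sp/metadata?alias={id_value}">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://mysite.local/samlservice/public/sp/SSO" index="0" isDefault="true"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )
```

Running `check_metadata_ids` on the two UUIDs from this thread reproduces the behaviour reported: the one starting with `d05` passes, the one starting with `180` is rejected as not an NCName.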

By Lindsay Weir user 29 Jul 2022 at 6:21 p.m. CDT

Thanks for providing the link. I have created a ticket with Tableau support. We can close this ticket as Gluu is doing what it should be. Thanks.