By: Thomas Maerz user 26 Dec 2016 at 2:59 p.m. CST

6 Responses
I'm currently working on creating a working trust federation with Oracle Cloud Fusion apps. After creating a custom NameID, uploading metadata and validating the trust relationship in the Gluu GUI, I test the relationship at the URL that Oracle specified and am greeted with the error:

Error Message: SAML 2 SSO profile is not configured for relying party: https://eeib-test.login.us2.oraclecloud.com/fed

I have checked, and the metadata they provided does indeed point to that URL. Previously, when integrating Gluu with Google Apps, I ran into a similar problem which led me back to a thread I'd used for reference here on the Gluu support system. In this thread, the user has many issues but essentially, the metadata downloaded from Google wouldn't work and Mohib says that Shibboleth doesn't support `<md` tags: https://support.gluu.org/single-sign-on/2571/google-sso-relationship/#at9769. This is in contrast to Shibboleth's own documentation: https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForIdP

The solution for Google Apps was to modify (more like completely rewrite) their SP metadata file, which sort of defeats the purpose of metadata in the first place. My confusion in this scenario is that Oracle's documentation for this says that Shibboleth 2.4.0 is a pre-approved supported IdP for use with their system, but the metadata they send doesn't seem to work out of the box.

By Thomas Maerz user 26 Dec 2016 at 3:13 p.m. CST

Looking at /opt/idp/conf/relying-party.xml, it appears that Gluu is not placing the relying party into the configuration after I've created the trust relationship in the GUI. I see no mention of the relying party URL that the metadata file specifies in /opt/idp/conf/relying-party.xml. I have tried restarting Tomcat after creating the GUI trust relationship, but that didn't change anything.

By Michael Schwartz Account Admin 26 Dec 2016 at 3:45 p.m. CST

Can you post the metadata file?

By Thomas Maerz user 26 Dec 2016 at 3:50 p.m. CST

Hi Mike. It appears the error was the result of misconfiguration on my side. The reason it wasn't showing up in /opt/idp/relying-party.xml is I did not have "Configure Specific Relying Party" checked in the trust relationship. This error is gone now. (Working through other issues with the SP.) I am still curious about the `<md` tags discrepancy. It appears as though Gluu/Shib is accepting the unmodified Oracle metadata but won't do the same for Google, despite both having the `<md` tags. Here is the metadata in case it is still relevant:

```
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="id-26ExefWz2JzWhKUCOLspjc5BHx8-" cacheDuration="P0Y0M30DT0H0M0.0S" entityID="https://eeib-test.login.us2.oraclecloud.com/fed" validUntil="2021-09-02T17:59:23Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
          <dsig:X509Certificate>
MIIDRzCCAi+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADBGMUQwQgYDVQQDEztlZWli
LXRlc3QubG9naW4udXMyLm9yYWNsZWNsb3VkLmNvbSBPSUYgU2lnbmluZyBDZXJ0
aWZpY2F0ZTAeFw0xNjA4MjcxNzU5MjNaFw0yMTA5MDIxNzU5MjNaMEYxRDBCBgNV
BAMTO2VlaWItdGVzdC5sb2dpbi51czIub3JhY2xlY2xvdWQuY29tIE9JRiBTaWdu
aW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
lOvPv9kH/EXzqK5aAxJniT+4dpBZCrwzUhS0FDHsioptf2b10A5LaPT6i8atAgBG
p55HQC4NX4QGiMwNEc7r96v7zuLp7hpljQw3dO8z2nCa3xAwnuViaLIZGzuds1j+
bDDjxGlHCk5jrPFViaqwtUZXOIVgRyj4l4XKDO2iP45Gk/XERhgNJuxsW7cER5XP
Oo9LaMUUHFQdRoCaIFpzCb7v6ehg749NSi5z80iJdpbePWE+TdIPjRZOZWyFBijw
qKidtuM/s4Qo1dtNCHeOzHLgEb8n1n1qL9GSAESarMeaoTefqn0dsNfWOOSN3p8i
FKu807qvthLIusyclJQ5bwIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB
/wQFAwMH2AAwHQYDVR0OBBYEFI/AYK578q4E226/vxeeDg8UE5ArMA0GCSqGSIb3
DQEBBAUAA4IBAQAZOiUWhyT9QGBcnC0nSotauUACuNNor8IBz2y+0KXo3CKzm/Lq
tPqoor5z4i/jo5PC3e8JuOSG8vC5CKdcRQAb0sZVbTHvPEjYvdHXpF7fWMKk8n9v
Z3CeCVCKSN3WUNLEOH/pcZA9PRTief8E4A1wlzDsPXc3D9hc5+mh1fU/3CXdJbcr
bPIlSO1XxsXYWK+FOP4TrCII3ucDISA4dbLnU6ntv7ptCU54Xz9B4nzUj58zAxT+
wLKMz1zqxIUo0KpqgONIooe+QRPG+hzaA/5v2cv7swcVBVMIy8yh10e0VqP2W1cy
ILnPvqzNh4T74pPgAPDdNuRuF+m83vdD9rmj
          </dsig:X509Certificate>
          <dsig:X509IssuerSerial>
            <dsig:X509IssuerName>CN=eeib-test.login.us2.oraclecloud.com OIF Signing Certificate</dsig:X509IssuerName>
            <dsig:X509SerialNumber>2</dsig:X509SerialNumber>
          </dsig:X509IssuerSerial>
          <dsig:X509SubjectName>CN=eeib-test.login.us2.oraclecloud.com OIF Signing Certificate</dsig:X509SubjectName>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
          <dsig:X509Certificate>
MIIDTTCCAjWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBJMUcwRQYDVQQDEz5lZWli
LXRlc3QubG9naW4udXMyLm9yYWNsZWNsb3VkLmNvbSBPSUYgRW5jcnlwdGlvbiBD
ZXJ0aWZpY2F0ZTAeFw0xNjA4MjcxNzU5MjNaFw0yMTA5MDIxNzU5MjNaMEkxRzBF
BgNVBAMTPmVlaWItdGVzdC5sb2dpbi51czIub3JhY2xlY2xvdWQuY29tIE9JRiBF
bmNyeXB0aW9uIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAsPq0FratjejA8VouOLoqukk/6dL2px51tlx5O/ETeEEnYs/UHX/HLLKy
qqdgAEydrcAlR6edV876gyWVZciCZm8ru6iTjn3hGMJwBw6E4WwzIKBRMABID1DW
jvGgirypzHGoC5ykhc1TV1xv3PgwztQp3ezyDBS+ROCeqSWlio4DEYFJzXf8qbuX
4M7IG6mKO3pBRK1t/kQqypL45LNNPNlromKWGZPuJRoapz9qYHwOfGB1fn4Tx8kb
zPMj2yFzrx9D9RttBlxDPJrVn+tJziW4PrY+kBw8FCk30BO22dZNmeTLcrzdrE7f
R4y+2Ugqbtq3Dd1AmbkXky5pm6P5wwIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA8G
A1UdDwEB/wQFAwMH2AAwHQYDVR0OBBYEFOx286m8uTZkASSoj1pabaBc7pB9MA0G
CSqGSIb3DQEBBAUAA4IBAQASCw9yrE+bHWcdTHue0cloFPCVLsedt+tT2azsVsXu
rjx5wiykpQ7gdNtVH3foFjpgIcREG788PSfmskuPPJmmHCq2ox+33ZNIiHXrBI5B
3LLoqfdsRgAdBJYAVrQH9L/h36q/jSptDRwawCkOJgH4Tuwtds4XEj7ulrNKGmZe
SBio7L8dCGlTE8g2hltLTnMQzLWVoL+vsqZR4K+yEfMQbyahqhyGLPp6dywULuLX
O9GH8GFtZoDFgEw3Phd5KucUiN6dDZY3EPFvNm+h4gPB2VgzZRrRNlVeEsYZBu/a
nS8DfPLMNgW/mfV8AKzU7iRgfzTwtWGQq7Q1a/LhEYjI
          </dsig:X509Certificate>
          <dsig:X509IssuerSerial>
            <dsig:X509IssuerName>CN=eeib-test.login.us2.oraclecloud.com OIF Encryption Certificate</dsig:X509IssuerName>
            <dsig:X509SerialNumber>3</dsig:X509SerialNumber>
          </dsig:X509IssuerSerial>
          <dsig:X509SubjectName>CN=eeib-test.login.us2.oraclecloud.com OIF Encryption Certificate</dsig:X509SubjectName>
        </dsig:X509Data>
      </dsig:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://eeib-test.login.us2.oraclecloud.com/fed/idp/soap" index="1" isDefault="true"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://eeib-test.login.us2.oraclecloud.com/fed/idp/samlv20" ResponseLocation="https://eeib-test.login.us2.oraclecloud.com/fed/idp/samlv20"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://eeib-test.login.us2.oraclecloud.com/fed/idp/samlv20" ResponseLocation="https://eeib-test.login.us2.oraclecloud.com/fed/idp/samlv20"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://eeib-test.login.us2.oraclecloud.com/fed/idp/samlv20"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://eeib-test.login.us2.oraclecloud.com/fed/idp/samlv20"/>
  </md:IDPSSODescriptor>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
          <dsig:X509Certificate>
MIIDRzCCAi+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADBGMUQwQgYDVQQDEztlZWli
LXRlc3QubG9naW4udXMyLm9yYWNsZWNsb3VkLmNvbSBPSUYgU2lnbmluZyBDZXJ0
aWZpY2F0ZTAeFw0xNjA4MjcxNzU5MjNaFw0yMTA5MDIxNzU5MjNaMEYxRDBCBgNV
BAMTO2VlaWItdGVzdC5sb2dpbi51czIub3JhY2xlY2xvdWQuY29tIE9JRiBTaWdu
aW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
lOvPv9kH/EXzqK5aAxJniT+4dpBZCrwzUhS0FDHsioptf2b10A5LaPT6i8atAgBG
p55HQC4NX4QGiMwNEc7r96v7zuLp7hpljQw3dO8z2nCa3xAwnuViaLIZGzuds1j+
bDDjxGlHCk5jrPFViaqwtUZXOIVgRyj4l4XKDO2iP45Gk/XERhgNJuxsW7cER5XP
Oo9LaMUUHFQdRoCaIFpzCb7v6ehg749NSi5z80iJdpbePWE+TdIPjRZOZWyFBijw
qKidtuM/s4Qo1dtNCHeOzHLgEb8n1n1qL9GSAESarMeaoTefqn0dsNfWOOSN3p8i
FKu807qvthLIusyclJQ5bwIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB
/wQFAwMH2AAwHQYDVR0OBBYEFI/AYK578q4E226/vxeeDg8UE5ArMA0GCSqGSIb3
DQEBBAUAA4IBAQAZOiUWhyT9QGBcnC0nSotauUACuNNor8IBz2y+0KXo3CKzm/Lq
tPqoor5z4i/jo5PC3e8JuOSG8vC5CKdcRQAb0sZVbTHvPEjYvdHXpF7fWMKk8n9v
Z3CeCVCKSN3WUNLEOH/pcZA9PRTief8E4A1wlzDsPXc3D9hc5+mh1fU/3CXdJbcr
bPIlSO1XxsXYWK+FOP4TrCII3ucDISA4dbLnU6ntv7ptCU54Xz9B4nzUj58zAxT+
wLKMz1zqxIUo0KpqgONIooe+QRPG+hzaA/5v2cv7swcVBVMIy8yh10e0VqP2W1cy
ILnPvqzNh4T74pPgAPDdNuRuF+m83vdD9rmj
          </dsig:X509Certificate>
          <dsig:X509IssuerSerial>
            <dsig:X509IssuerName>CN=eeib-test.login.us2.oraclecloud.com OIF Signing Certificate</dsig:X509IssuerName>
            <dsig:X509SerialNumber>2</dsig:X509SerialNumber>
          </dsig:X509IssuerSerial>
          <dsig:X509SubjectName>CN=eeib-test.login.us2.oraclecloud.com OIF Signing Certificate</dsig:X509SubjectName>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
          <dsig:X509Certificate>
MIIDTTCCAjWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBJMUcwRQYDVQQDEz5lZWli
LXRlc3QubG9naW4udXMyLm9yYWNsZWNsb3VkLmNvbSBPSUYgRW5jcnlwdGlvbiBD
ZXJ0aWZpY2F0ZTAeFw0xNjA4MjcxNzU5MjNaFw0yMTA5MDIxNzU5MjNaMEkxRzBF
BgNVBAMTPmVlaWItdGVzdC5sb2dpbi51czIub3JhY2xlY2xvdWQuY29tIE9JRiBF
bmNyeXB0aW9uIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAsPq0FratjejA8VouOLoqukk/6dL2px51tlx5O/ETeEEnYs/UHX/HLLKy
qqdgAEydrcAlR6edV876gyWVZciCZm8ru6iTjn3hGMJwBw6E4WwzIKBRMABID1DW
jvGgirypzHGoC5ykhc1TV1xv3PgwztQp3ezyDBS+ROCeqSWlio4DEYFJzXf8qbuX
4M7IG6mKO3pBRK1t/kQqypL45LNNPNlromKWGZPuJRoapz9qYHwOfGB1fn4Tx8kb
zPMj2yFzrx9D9RttBlxDPJrVn+tJziW4PrY+kBw8FCk30BO22dZNmeTLcrzdrE7f
R4y+2Ugqbtq3Dd1AmbkXky5pm6P5wwIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA8G
A1UdDwEB/wQFAwMH2AAwHQYDVR0OBBYEFOx286m8uTZkASSoj1pabaBc7pB9MA0G
CSqGSIb3DQEBBAUAA4IBAQASCw9yrE+bHWcdTHue0cloFPCVLsedt+tT2azsVsXu
rjx5wiykpQ7gdNtVH3foFjpgIcREG788PSfmskuPPJmmHCq2ox+33ZNIiHXrBI5B
3LLoqfdsRgAdBJYAVrQH9L/h36q/jSptDRwawCkOJgH4Tuwtds4XEj7ulrNKGmZe
SBio7L8dCGlTE8g2hltLTnMQzLWVoL+vsqZR4K+yEfMQbyahqhyGLPp6dywULuLX
O9GH8GFtZoDFgEw3Phd5KucUiN6dDZY3EPFvNm+h4gPB2VgzZRrRNlVeEsYZBu/a
nS8DfPLMNgW/mfV8AKzU7iRgfzTwtWGQq7Q1a/LhEYjI
          </dsig:X509Certificate>
          <dsig:X509IssuerSerial>
            <dsig:X509IssuerName>CN=eeib-test.login.us2.oraclecloud.com OIF Encryption Certificate</dsig:X509IssuerName>
            <dsig:X509SerialNumber>3</dsig:X509SerialNumber>
          </dsig:X509IssuerSerial>
          <dsig:X509SubjectName>CN=eeib-test.login.us2.oraclecloud.com OIF Encryption Certificate</dsig:X509SubjectName>
        </dsig:X509Data>
      </dsig:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://eeib-test.login.us2.oraclecloud.com/fed/sp/samlv20" ResponseLocation="https://eeib-test.login.us2.oraclecloud.com/fed/sp/samlv20"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://eeib-test.login.us2.oraclecloud.com/fed/sp/samlv20" ResponseLocation="https://eeib-test.login.us2.oraclecloud.com/fed/sp/samlv20"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://eeib-test.login.us2.oraclecloud.com/fed/sp/art20" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://eeib-test.login.us2.oraclecloud.com/fed/sp/authnResponse20" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

By Aliaksandr Samuseu staff 27 Dec 2016 at 1:02 p.m. CST

Hi, Thomas. First, you shouldn't use 2.4.3; 2.4.4 is the most recent package. Regarding that part:

> The reason it wasn't showing up in /opt/idp/relying-party.xml is I did not have "Configure Specific Relying Party" checked in the trust relationship.

That's not quite true. You are right that a separate `RelyingParty` element will only appear if the "Configure Specific Relying Party" feature is used, but even when it's not being used, everything should work, as the default relying party's definition will be used (that's by design). Without using this feature, the only sign telling you your configuration was applied in this file will be the appearance of a new `MetadataProvider` element. You also should have checked what status it had in the list of existing SAML TRs in the web UI, like "Active", "Inactive", "Validation is scheduled", etc. It's hard to say what the cause was now. Also please take into account that changes to SAML TRs are not applied right away; it may take several minutes. We also had one bug in an earlier build that sometimes resulted in a situation where those files won't be updated after a TR is created until this TR is changed in any way once more, or until Tomcat is restarted. Should we close the ticket now?

By Aliaksandr Samuseu staff 27 Dec 2016 at 1:27 p.m. CST

Regarding your question on that `<md:` tag: it would be better if Zico would answer what he meant back then; maybe he had in mind some specific tag starting like that. As of now, I see that the `<md:EntityDescriptor` tag and other tags prefixed with `<md:` are being used occasionally in some live setups' TRs, and it works fine like this.

By Thomas Maerz user 28 Dec 2016 at 11:13 p.m. CST

Hey there, thanks for the responses. It appears as though the md tags are not breaking anything in Gluu. So, if I am understanding correctly, these tags in the SP metadata allow the SP to specify its preferred settings for signing and encrypting assertions and responses? And Gluu/Shibboleth uses these to set those settings without having to set these things in "Configure Relying Party" profiles?
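The question above about what the `<md:`-prefixed elements do, together with Aliaksandr's point that the prefix itself is harmless, is easiest to see with a namespace-aware parser. The Python below is an added example, not Gluu or Shibboleth code: it parses a constructed SP metadata document (placeholder certificates and an `sp.example.org` entity ID, modelled on the shape of the Oracle file posted above) once with the `md:` prefix and once with a default namespace, shows that both parse to the same result because a conforming parser matches on the namespace URI rather than the prefix, and then extracts the settings an IdP takes from the `SPSSODescriptor`: whether AuthnRequests are signed, whether assertions must be signed, the encryption key and algorithms, NameID formats, the default AssertionConsumerService, and whether `validUntil` has passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 metadata and XML-DSig namespaces. Lookups below use these URIs, so the
# document's choice of prefix ("md:", "dsig:", or none at all) does not matter.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata (placeholder certificate, example.org entity ID).
SP_METADATA_PREFIXED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/fed" validUntil="2021-09-02T17:59:23Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/fed/sp/art20" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/fed/sp/authnResponse20" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same document written with a default namespace instead of the "md:" prefix.
SP_METADATA_DEFAULT_NS = (
    SP_METADATA_PREFIXED.replace("xmlns:md=", "xmlns=")
    .replace("<md:", "<")
    .replace("</md:", "</")
)


def _iso_utc(value):
    """Parse a SAML dateTime such as 2021-09-02T17:59:23Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_sp_metadata(xml_text):
    """Return the settings an IdP derives from an SP's metadata as a plain dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor: %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this entity does not act as an SP")

    signing, encryption, enc_methods = 0, 0, []
    for kd in sp.findall("md:KeyDescriptor", NS):
        certs = len(kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
        use = kd.get("use")  # a KeyDescriptor without "use" serves both purposes
        if use in (None, "signing"):
            signing += certs
        if use in (None, "encryption"):
            encryption += certs
            enc_methods += [m.get("Algorithm") for m in kd.findall("md:EncryptionMethod", NS)]

    acs = [{"Binding": ep.get("Binding"), "Location": ep.get("Location"),
            "index": int(ep.get("index")), "isDefault": ep.get("isDefault", "false") == "true"}
           for ep in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        raise ValueError("SP publishes no AssertionConsumerService endpoint")
    # An explicit isDefault="true" wins; otherwise use the first endpoint in document order.
    default_acs = next((e for e in acs if e["isDefault"]), acs[0])

    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false") == "true",
        "signing_certs": signing,
        "encryption_certs": encryption,
        "encryption_methods": enc_methods,
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "acs": acs,
        "default_acs": default_acs,
    }


def is_expired(info, now_iso):
    """True when validUntil lies before now_iso (a SAML dateTime string); no validUntil never expires."""
    if info["valid_until"] is None:
        return False
    return _iso_utc(info["valid_until"]) < _iso_utc(now_iso)


def idp_obligations(info):
    """What the IdP side must do to honour the flags published in the SP metadata."""
    notes = []
    if info["authn_requests_signed"]:
        notes.append("verify AuthnRequest signatures with the SP's %d signing cert(s)" % info["signing_certs"])
    if info["want_assertions_signed"]:
        notes.append("sign assertions, not only the Response")
    if info["encryption_certs"]:
        notes.append("may encrypt assertions to the SP using: " + ", ".join(info["encryption_methods"]))
    notes.append("send the Response to the default ACS " + info["default_acs"]["Location"])
    return notes
```

Running `parse_sp_metadata` on both `SP_METADATA_PREFIXED` and `SP_METADATA_DEFAULT_NS` returns identical dicts, which is why a `<md:` prefix on its own cannot be what breaks a metadata import; `idp_obligations` then spells out what `AuthnRequestsSigned` and `WantAssertionsSigned` ask of the IdP, and `is_expired` is the check worth running on any metadata file with a `validUntil` before trusting it.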