By: Ewan Sadie user 22 Feb 2017 at 1:45 a.m. CST

16 Responses
I had this issue in 3.0.0-1-1 (2017-02-07 16:09) and 3.0.1-1-1 (2017-02-21 20:35). I am trying to set up www.testshib.org. The process fails on validation with the error: schema_reference.4: Failed to read schema document 'http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>. The server does not have direct outbound internet access but works via a proxy. I am assuming the server is trying to download the xsd. The install worked fine via the proxy server.

By Mohib Zico staff 22 Feb 2017 at 2:40 a.m. CST

Hi Ewan, There is one problem with 3.0.0 Gluu Server's shibboleth metadata (Logout links). Please feel free to use 3.0.1; it does not have such an issue. However... what I saw (if I remember correctly), creating a Trust with TestShib is a little confusing in the sense that TestShib metadata has the combination of the testShib IDP and SP. You might want to create a custom testShib SP and add that in Gluu Server's Trust relationship to test your SSO.

By Ewan Sadie user 22 Feb 2017 at 2:53 a.m. CST

As per my original query, I have already upgraded to 3.0.1 and it still fails. I have downloaded and installed passport-saml-example-shb (https://github.com/ritstudentgovernment/passport-saml-example). I deployed the node.js app and uploaded the metadata via URI by setting up a new Gluu Trust. I am getting the same error: schema_reference.4: Failed to read schema document 'http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.

By Mohib Zico staff 22 Feb 2017 at 3:49 a.m. CST

Ok.. I'll check it then. Will let you know.

By William Lowe user 22 Feb 2017 at 8:45 a.m. CST

Ewan, I think you're mixing up the issues between Passport and Shibboleth. They perform different functionalities. Also, just re-downloading idp.war will not fix the issue; you should manually change one file in `/opt/shibboleth/idp/conf`. He needs to update one file: `https://github.com/GluuFederation/community-edition-setup/commit/258e80ffe285831a3807d57c2f570f5c5ebcf780` and run `service idp restart`. I'm closing this ticket out since the subject no longer matches the issue. Please feel free to open a new specific ticket if you face further issues.

By Ewan Sadie user 22 Feb 2017 at 8:59 a.m. CST

Not sure what your response about the war is. I did a total rebuild of the server on 3.0.1. The process I follow is:

1. Click SAML -> Trust Relationship.
2. Click "Add Relationship".
3. Under "Trust Agreement" I give a name and description.
4. Set entity type to "Single SP".
5. Choose File and upload the metadata file as supplied by https://www.testshib.org/metadata/testshib-providers.xml.
6. Choose email, username from Gluu person.
7. The page returns to the "Trust Relationship" screen awaiting validation, then changes to status "Validation Failed" with the error I gave.

I looked in setup.properties.last. I ran the command `cat setup.properties.last | grep Passport` and got the result `installPassport=False`.

By Aliaksandr Samuseu staff 22 Feb 2017 at 2:45 p.m. CST

Hi, Ewan. The metadata which you use to create the TR - did you look into it? Might it be malformed or incomplete? Or maybe you edited it manually first? Could you share it with us too? Please use any file sharing service of your liking for that.

By Ewan Sadie user 23 Feb 2017 at 1:43 a.m. CST

I am trying to follow https://ox.gluu.org/doku.php?id=testshib_testing_gluu_idp. Even though this is for an older version of Gluu, I cannot get past the first point.

By William Lowe user 23 Feb 2017 at 8:39 a.m. CST

Ewan, Big red letters at the top of the ox.gluu.org page you referenced:

> This Wiki is a work space for old notes and new ideas. DO NOT RELY on anything you find on this Wiki! Official Gluu Server documentation is at https://gluu.org/docs. The Gluu Support site is https://support.gluu.org.

It's not clear what your issue is. We need a specific issue to troubleshoot. Please open a new ticket, and follow our [how to ask](https://support.gluu.org/docs/user-guide/how-to-ask/) guideline.

Thanks, Will

By Aliaksandr Samuseu staff 23 Feb 2017 at 8:50 a.m. CST

Hi, Ewan. Could you still provide the very file you try to use when creating the TR? You said before that you upload metadata from a file, yet in the example on the page you referenced, it's added by URL.

By Ewan Sadie user 01 Mar 2017 at 2:21 a.m. CST

Could you confirm if you can register an IdP with https://www.testshib.org/register.html? Take your metadata file and register with testshib. If it does not work on your side, I will accept that I will not be able to get it working.

By Ewan Sadie user 01 Mar 2017 at 7:51 a.m. CST

Did a clean install of 3.0.1-2-1. This time I tried setting up a trust relationship using a metadata file from an existing IDP that works (Percolate). I get the exact same issue: schema_reference.4: Failed to read schema document 'http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.

Metadata
-------------------------

```xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor cacheDuration="PT604800S" entityID="https://percolate.com/auth/saml2/sp" validUntil="2017-02-04T23:53:25Z" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://percolate.com/auth/saml2/response" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">percolate</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">Percolate</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">https://percolate.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Ops</md:GivenName>
    <md:EmailAddress>ops+saml2@percolate.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```
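The structural checks a trust relationship depends on (root element, entityID, SP role, ACS endpoints, signing keys, expiry) can be run on SP metadata like the one posted above without downloading any schema. The following is an added example, not Gluu's code and not from the thread: a stdlib-only Python checker over a constructed sample modelled on the posted metadata, with placeholder entityID, ACS URL and certificate body; it keeps the posted validUntil, which was already in the past on the date of that post, and flags it. The stdlib expat parser performs no schema validation and never fetches a remote XSD, so nothing here needs outbound access to w3.org.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # Clark-notation prefix for md: elements

# Constructed sample modelled on the posted SP metadata; entityID, ACS Location and
# the certificate body are placeholders, validUntil is the value from the post.
SAMPLE_METADATA = """<md:EntityDescriptor cacheDuration="PT604800S"
    entityID="https://sp.example.test/saml2/sp" validUntil="2017-02-04T23:53:25Z"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/response" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _utc(stamp: str) -> datetime:
    # SAML dateTime values such as 2017-02-04T23:53:25Z are UTC.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_sp_metadata(xml_text: str, now: str) -> dict:
    """Offline structural checks on SP metadata; `now` is a SAML-style UTC timestamp.
    No schema validation happens, so no network access is attempted."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return {"problems": ["root element is not md:EntityDescriptor"]}
    result = {"entity_id": root.get("entityID"), "expired": False, "problems": problems}
    valid_until = root.get("validUntil")
    if valid_until and _utc(valid_until) < _utc(now):
        result["expired"] = True
        problems.append(f"validUntil {valid_until} has already passed")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        problems.append("no md:SPSSODescriptor: this is not SP metadata")
        return result
    result["acs"] = [(a.get("Binding"), a.get("Location"))
                     for a in sp.findall(MD + "AssertionConsumerService")]
    if not result["acs"] or not all(loc and loc.startswith("https://") for _, loc in result["acs"]):
        problems.append("AssertionConsumerService missing or Location is not https")
    # A KeyDescriptor without a `use` attribute covers both signing and encryption.
    result["signing_keys"] = sum(1 for k in sp.findall(MD + "KeyDescriptor")
                                 if k.get("use", "signing") == "signing")
    if sp.get("AuthnRequestsSigned") == "true" and result["signing_keys"] == 0:
        problems.append("AuthnRequestsSigned=true but no signing KeyDescriptor")
    return result
```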

By Matt Jamison user 03 Mar 2017 at 10:16 a.m. CST

The logout links are still broken in 3.0.1. I had to comment them out before I uploaded my metadata to testshib. It was the only way testshib would accept the file.

By Ewan Sadie user 06 Mar 2017 at 7:48 a.m. CST

Thanks for the reply. I am still left with the issue of not being able to load the XML file into my Gluu server. I still think it is because something underlying is not honoring the proxy settings and is trying to go out directly. Do you have a scenario where the Gluu server does not have direct access to the internet? Our Gluu server sits behind a reverse proxy for inbound traffic, as well as only having access to the internet via a proxy server like Squid.

By Aliaksandr Samuseu staff 06 Mar 2017 at 12:38 p.m. CST

Hi, Ewan. I'm able to successfully create a TR with the Percolate metadata you provided in my Gluu CE 3.0.1-2-1 instance on CentOS 7.3. I also can't confirm the issue Matt mentioned - when I tried to set up a test TR for Testshib, it consumed the metadata of the Shibboleth IdP in my instance without any issues or any need to modify it (like removing Logout-related elements).

By Aliaksandr Samuseu staff 06 Mar 2017 at 12:46 p.m. CST

No, my mistake. When I tried it now, Testshib threw an error. I had to remove all mentions of logout endpoints to make it work. Still, it doesn't seem to have anything to do with the issue Ewan is facing. I can create a TR at Gluu for both Testshib and Percolate.

By Mohib Zico staff 08 Mar 2017 at 12:08 a.m. CST

A [github issue](https://github.com/GluuFederation/oxShibboleth/issues/24) is there for the SLO bug.