Validation error with SP metadata

By: Alex Shaharudin user 16 Jul 2019 at 10 a.m. CDT

4 Responses
Alex Shaharudin gravatar
Hello, We have an application that works with various IdPs. I'm testing it with Gluu/Shibboleth. However, when adding the SP metadata, I get a Validation error with the following: 2019-07-16 14:43:19 : ERROR : cvc-datatype-valid.1.2.1: 'https://coyote-sandbox401.tidemark.net/saml' is not a valid value for 'NCName'. 2019-07-16 14:43:19 : ERROR : cvc-attribute.3: The value 'https://coyote-sandbox401.tidemark.net/saml' of attribute 'ID' on element 'md:EntityDescriptor' is not valid with respect to its type, 'ID' Note that we've used the SP metadata with other providers and it's worked with the same format. When attempting to login, I get the message: Web Login Service - Unsupported Request The application you have accessed is not registered for use with this service. The SP metadata I'm referring to: <md:EntityDescriptor ID="https://coyote-sandbox401.tidemark.net/saml" entityID="https://coyote-sandbox401.tidemark.net/saml" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://coyote-sandbox401.tidemark.net/saml/SSO/alias/coyote" index="0" isDefault="true"/></md:SPSSODescriptor><md:Organization><md:OrganizationName xml:lang="en">Tidemark, Inc.</md:OrganizationName><md:OrganizationDisplayName xml:lang="en">Tidemark</md:OrganizationDisplayName><md:OrganizationURL xml:lang="en">http://www.tidemark.com</md:OrganizationURL></md:Organization></md:EntityDescriptor> Is there a different formatting required for Gluu/Shibboleth?
CentOS 7.5
closed

Answers

By Mohib Zico Account Admin 21 Jul 2019 at 2:28 a.m. CDT

Copy
Mohib Zico gravatar
Yes, clearly its not syncing with Shibboleth standard. Can you please share that metadata? Interested to see its ingredients.....

By Alex Shaharudin user 29 Jul 2019 at 3:18 p.m. CDT

Copy
Alex Shaharudin gravatar
Hi Mohib, Thanks for taking a look. Here's the full metadata: <md:EntityDescriptor ID="coyote-sandbox401.tidemark.net" entityID="coyote-sandbox401.tidemark.net" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDiTCCAnGgAwIBAgIEdPm7uzANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzELMAkGA1UE CBMCQ0ExFTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEZMBcGA1UEChMQVE0gU29mdHdhcmUgSW5jLjER MA8GA1UECxMIVGlkZW1hcmsxFDASBgNVBAMTC0FtaXQgUGFyaWtoMB4XDTE3MTIxMzA1Mjg0MVoX DTQ3MTIwNjA1Mjg0MVowdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxSZWR3 b29kIENpdHkxGTAXBgNVBAoTEFRNIFNvZnR3YXJlIEluYy4xETAPBgNVBAsTCFRpZGVtYXJrMRQw EgYDVQQDEwtBbWl0IFBhcmlraDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmCTex7 xjHVIqP5d0GgdVNz40C5HFW8cXc8rtrItsRsqJZC7fKE8VBxdd4BTybx8T/p4/AvGAo9XujytN6z uwsVcy/sC2gksu7POZ0L9CDWYX+FGRJsNDXPViAZ+mpdltB0shBN7N7LB/VXhY+LBAi7ZC70I3lW v5n5K1sJ1qxgLmh2uWIPyv5O0ckM7oFfqrrARXLvB1I8G2phJBOPDw6yRycmfKvCre2LCtqvTISb Vwcy6C3Q/3GDfS1FUrpI7/4rJmEOJUwd+AKv4EEKGACFqTKXumwDvuq03ECKhOeEpJ1wrHizdEyS Vv+UNrUpFhc6UWqwv3ggPUnQU1LwOk8CAwEAAaMhMB8wHQYDVR0OBBYEFA5gW5WOBkQ7Pqw0XV8F ensiCyYXMA0GCSqGSIb3DQEBCwUAA4IBAQAv30UOcUQqAOFWkNljlzpDrfnnAl6VGQQnpQYg6tRt xgur07C29n3xhl315wTSxOMy7Zi0KLPHhK7Oj8RadwyOPB1vuPmMU8NQqSNav0/nZ2oWBtG3vf8i aVN/cAXWiw6L7p2dfEmKu6vsRzyBRH7aNRYR9BQlLSfefTmFfNRXSh6nLzxz8wH055F6pzMXMf3p gMYBqYMloMueEE0PETEhbtPv9auyxnbxRHBYvzlJTQiXpWepo6BePqRk1IvrMzewW62e22+VweqM cOShSr/tS7LegmbQnSLMJOKmSIaw7nms4rncR1+SKA1LvhsdDqZHN3uA1WXGp8alko05mrfl</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDiTCCAnGgAwIBAgIEdPm7uzANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzELMAkGA1UE CBMCQ0ExFTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEZMBcGA1UEChMQVE0gU29mdHdhcmUgSW5jLjER MA8GA1UECxMIVGlkZW1hcmsxFDASBgNVBAMTC0FtaXQgUGFyaWtoMB4XDTE3MTIxMzA1Mjg0MVoX DTQ3MTIwNjA1Mjg0MVowdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxSZWR3 b29kIENpdHkxGTAXBgNVBAoTEFRNIFNvZnR3YXJlIEluYy4xETAPBgNVBAsTCFRpZGVtYXJrMRQw EgYDVQQDEwtBbWl0IFBhcmlraDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmCTex7 xjHVIqP5d0GgdVNz40C5HFW8cXc8rtrItsRsqJZC7fKE8VBxdd4BTybx8T/p4/AvGAo9XujytN6z uwsVcy/sC2gksu7POZ0L9CDWYX+FGRJsNDXPViAZ+mpdltB0shBN7N7LB/VXhY+LBAi7ZC70I3lW v5n5K1sJ1qxgLmh2uWIPyv5O0ckM7oFfqrrARXLvB1I8G2phJBOPDw6yRycmfKvCre2LCtqvTISb Vwcy6C3Q/3GDfS1FUrpI7/4rJmEOJUwd+AKv4EEKGACFqTKXumwDvuq03ECKhOeEpJ1wrHizdEyS Vv+UNrUpFhc6UWqwv3ggPUnQU1LwOk8CAwEAAaMhMB8wHQYDVR0OBBYEFA5gW5WOBkQ7Pqw0XV8F ensiCyYXMA0GCSqGSIb3DQEBCwUAA4IBAQAv30UOcUQqAOFWkNljlzpDrfnnAl6VGQQnpQYg6tRt xgur07C29n3xhl315wTSxOMy7Zi0KLPHhK7Oj8RadwyOPB1vuPmMU8NQqSNav0/nZ2oWBtG3vf8i aVN/cAXWiw6L7p2dfEmKu6vsRzyBRH7aNRYR9BQlLSfefTmFfNRXSh6nLzxz8wH055F6pzMXMf3p gMYBqYMloMueEE0PETEhbtPv9auyxnbxRHBYvzlJTQiXpWepo6BePqRk1IvrMzewW62e22+VweqM cOShSr/tS7LegmbQnSLMJOKmSIaw7nms4rncR1+SKA1LvhsdDqZHN3uA1WXGp8alko05mrfl</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://coyote-sandbox401.tidemark.net/saml/SSO/alias/coyote" index="0" isDefault="true"/></md:SPSSODescriptor><md:Organization><md:OrganizationName xml:lang="en">Tidemark, Inc.</md:OrganizationName><md:OrganizationDisplayName xml:lang="en">Tidemark</md:OrganizationDisplayName><md:OrganizationURL xml:lang="en">http://www.tidemark.com</md:OrganizationURL></md:Organization></md:EntityDescriptor>

By Mohib Zico Account Admin 02 Aug 2019 at 3:42 p.m. CDT

Copy
Mohib Zico gravatar
Hi, I just tried your metadata and unable to reproduce validation issue. Attaching a screencast.
zoom_0.mp4

By Alex Shaharudin user 02 Aug 2019 at 4:47 p.m. CDT

Copy
Alex Shaharudin gravatar
Hi Mohib, Sorry, looks like I attached the wrong metadata. I was modifying the entityID and posted the wrong one. Please try the following: ``` <md:EntityDescriptor ID="https://coyote-sandbox401.tidemark.net/saml" entityID="https://coyote-sandbox401.tidemark.net/saml" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDiTCCAnGgAwIBAgIEdPm7uzANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzELMAkGA1UE CBMCQ0ExFTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEZMBcGA1UEChMQVE0gU29mdHdhcmUgSW5jLjER MA8GA1UECxMIVGlkZW1hcmsxFDASBgNVBAMTC0FtaXQgUGFyaWtoMB4XDTE3MTIxMzA1Mjg0MVoX DTQ3MTIwNjA1Mjg0MVowdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxSZWR3 b29kIENpdHkxGTAXBgNVBAoTEFRNIFNvZnR3YXJlIEluYy4xETAPBgNVBAsTCFRpZGVtYXJrMRQw EgYDVQQDEwtBbWl0IFBhcmlraDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmCTex7 xjHVIqP5d0GgdVNz40C5HFW8cXc8rtrItsRsqJZC7fKE8VBxdd4BTybx8T/p4/AvGAo9XujytN6z uwsVcy/sC2gksu7POZ0L9CDWYX+FGRJsNDXPViAZ+mpdltB0shBN7N7LB/VXhY+LBAi7ZC70I3lW v5n5K1sJ1qxgLmh2uWIPyv5O0ckM7oFfqrrARXLvB1I8G2phJBOPDw6yRycmfKvCre2LCtqvTISb Vwcy6C3Q/3GDfS1FUrpI7/4rJmEOJUwd+AKv4EEKGACFqTKXumwDvuq03ECKhOeEpJ1wrHizdEyS Vv+UNrUpFhc6UWqwv3ggPUnQU1LwOk8CAwEAAaMhMB8wHQYDVR0OBBYEFA5gW5WOBkQ7Pqw0XV8F ensiCyYXMA0GCSqGSIb3DQEBCwUAA4IBAQAv30UOcUQqAOFWkNljlzpDrfnnAl6VGQQnpQYg6tRt xgur07C29n3xhl315wTSxOMy7Zi0KLPHhK7Oj8RadwyOPB1vuPmMU8NQqSNav0/nZ2oWBtG3vf8i aVN/cAXWiw6L7p2dfEmKu6vsRzyBRH7aNRYR9BQlLSfefTmFfNRXSh6nLzxz8wH055F6pzMXMf3p gMYBqYMloMueEE0PETEhbtPv9auyxnbxRHBYvzlJTQiXpWepo6BePqRk1IvrMzewW62e22+VweqM cOShSr/tS7LegmbQnSLMJOKmSIaw7nms4rncR1+SKA1LvhsdDqZHN3uA1WXGp8alko05mrfl</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDiTCCAnGgAwIBAgIEdPm7uzANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJVUzELMAkGA1UE CBMCQ0ExFTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEZMBcGA1UEChMQVE0gU29mdHdhcmUgSW5jLjER MA8GA1UECxMIVGlkZW1hcmsxFDASBgNVBAMTC0FtaXQgUGFyaWtoMB4XDTE3MTIxMzA1Mjg0MVoX DTQ3MTIwNjA1Mjg0MVowdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxSZWR3 b29kIENpdHkxGTAXBgNVBAoTEFRNIFNvZnR3YXJlIEluYy4xETAPBgNVBAsTCFRpZGVtYXJrMRQw EgYDVQQDEwtBbWl0IFBhcmlraDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmCTex7 xjHVIqP5d0GgdVNz40C5HFW8cXc8rtrItsRsqJZC7fKE8VBxdd4BTybx8T/p4/AvGAo9XujytN6z uwsVcy/sC2gksu7POZ0L9CDWYX+FGRJsNDXPViAZ+mpdltB0shBN7N7LB/VXhY+LBAi7ZC70I3lW v5n5K1sJ1qxgLmh2uWIPyv5O0ckM7oFfqrrARXLvB1I8G2phJBOPDw6yRycmfKvCre2LCtqvTISb Vwcy6C3Q/3GDfS1FUrpI7/4rJmEOJUwd+AKv4EEKGACFqTKXumwDvuq03ECKhOeEpJ1wrHizdEyS Vv+UNrUpFhc6UWqwv3ggPUnQU1LwOk8CAwEAAaMhMB8wHQYDVR0OBBYEFA5gW5WOBkQ7Pqw0XV8F ensiCyYXMA0GCSqGSIb3DQEBCwUAA4IBAQAv30UOcUQqAOFWkNljlzpDrfnnAl6VGQQnpQYg6tRt xgur07C29n3xhl315wTSxOMy7Zi0KLPHhK7Oj8RadwyOPB1vuPmMU8NQqSNav0/nZ2oWBtG3vf8i aVN/cAXWiw6L7p2dfEmKu6vsRzyBRH7aNRYR9BQlLSfefTmFfNRXSh6nLzxz8wH055F6pzMXMf3p gMYBqYMloMueEE0PETEhbtPv9auyxnbxRHBYvzlJTQiXpWepo6BePqRk1IvrMzewW62e22+VweqM cOShSr/tS7LegmbQnSLMJOKmSIaw7nms4rncR1+SKA1LvhsdDqZHN3uA1WXGp8alko05mrfl</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://coyote-sandbox401.tidemark.net/saml/SSO/alias/coyote" index="0" isDefault="true"/></md:SPSSODescriptor><md:Organization><md:OrganizationName xml:lang="en">Tidemark, Inc.</md:OrganizationName><md:OrganizationDisplayName xml:lang="en">Tidemark</md:OrganizationDisplayName><md:OrganizationURL xml:lang="en">http://www.tidemark.com</md:OrganizationURL></md:Organization></md:EntityDescriptor> ```

Post an answer