2
votes

I'm getting the error message in Novell iManager "The XML is malformed. cvc-complex-type.2.4.a: Invalid content was found starting with element 'md:EncryptionMethod'. One of '{"http://www.w3.org/2000/09/xmldsig#":KeyInfo}' is expected." when adding this service provider metadata:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://.../" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true" AuthnRequestsSigned="true">
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>...</X509Certificate></X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService isDefault="true" index="0" Location="https://.." Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
  <md:Organization>...</md:Organization>
  ...
</md:EntityDescriptor>

What I do in Novell iManager: IdentityServers -> AH DMZ Identity Server -> New Trusted Provider -> Service Provider -> Source: Metadata Text

The strange thing is that it complains about the lack of a KeyInfo element while it is there with the correct namespace. Any idea why that might be?

If I specify third-party metadata from here: https://federation.njedge.net/metadata/njedge-fed-metadata.xml it says

"The XML is malformed. cvc-complex-type.2.4.a: Invalid content was found starting with element 'Organization'. One of '{"http://www.w3.org/2000/09/xmldsig#":Signature, "urn:oasis:names:tc:SAML:2.0:metadata":Extensions, "urn:oasis:names:tc:SAML:2.0:metadata":RoleDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":IDPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":SPSSODescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AuthnAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AttributeAuthorityDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":PDPDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":AffiliationDescriptor}' is expected."

It looks like it expects some service-provider-specific metadata file format, and unfortunately I was unable to find any information about different formats of SAML 2.0 metadata.


1 Answer

2
votes

Looks like there were 2 issues:

1) Novell expects a strict order of elements.

2) It does not recognize a default namespace like <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">; instead use <somenamespace:KeyInfo xmlns:somenamespace="http://www.w3.org/2000/09/xmldsig#">.

weird :)