SLO binding links are breaking IDP metadata #24

Open
mzico opened this Issue Feb 15, 2017 · 1 comment

mzico commented Feb 15, 2017

3.0.0 or 3.0.1 has SLO binding links (**) available in IDP metadata which are breaking the SAML transaction.

(**)

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ce31.gluu.org/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ce31.gluu.org/idp/profile/SAML2/POST/SLO"/>
 <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://ce31.gluu.org/idp/profile/SAML2/POST-SimpleSign/SLO"/>
 <!--
 <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ce31.gluu.org:8443/idp/profile/SAML2/SOAP/SLO"/>
 -->

Here is what an SP throws whenever we try to load this metadata (with SLO links):

017-02-15 07:25:51 ERROR XMLTooling.ParserPool : error on line 95, column 24, message: element 'SingleLogoutService' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*,ArtifactResolutionService*,SingleLogoutService*,ManageNameIDService*,NameIDFormat*,SingleSignOnService+,NameIDMappingService*,AssertionIDRequestService*,AttributeProfile*,Attribute*)'
2017-02-15 07:25:51 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (/etc/shibboleth/ce31_gluu_org_metadata.xml): XML error(s) during parsing, check log for specifics
2017-02-15 07:25:51 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics
2017-02-15 07:25:51 INFO Shibboleth.Application : no TrustEngine specified or installed, using default chain {ExplicitKey, PKIX}
2017-02-15 07:25:51 INFO Shibboleth.Application : building AttributeExtractor of type XML...

Validation failed as well for this; we can try to validate IDP metadata with SAML Validator

Or, we can try to 'register' our IDP by uploading metadata there in Testshib.org

xml_validator

If we remove the SLO binding links, it works okay; validation is good as well.
validator_result_without_slologout

@mzico mzico added this to the 3.0.0 milestone Feb 15, 2017
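
The content model quoted in the XMLTooling error is an ordered sequence, so a `SingleLogoutService` element is rejected when it follows an element that comes later in that sequence. The Python check below is an added example, not part of the original issue or of the Gluu or Shibboleth code; it tests child order and cardinality of `IDPSSODescriptor` against that quoted model only (not full schema validation), and the function names, sample metadata and the `idp.example.org` host are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Content model copied verbatim from the XMLTooling error in the issue.
MODEL = ("(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*,"
         "ArtifactResolutionService*,SingleLogoutService*,ManageNameIDService*,"
         "NameIDFormat*,SingleSignOnService+,NameIDMappingService*,"
         "AssertionIDRequestService*,AttributeProfile*,Attribute*)")

def check_order(xml_text, model=MODEL):
    """Return ordering/cardinality violations for every IDPSSODescriptor."""
    slots = re.findall(r"(\w+)([?*+]?)", model)      # [(name, occurrence)]
    rank = {name: i for i, (name, _) in enumerate(slots)}
    problems = []
    for desc in ET.fromstring(xml_text).iter("{%s}IDPSSODescriptor" % MD):
        counts, last = {}, None
        for child in desc:
            name = child.tag.rsplit("}", 1)[-1]      # local name, namespace dropped
            counts[name] = counts.get(name, 0) + 1
            if name not in rank:
                problems.append("%s: not part of the content model" % name)
            elif last is not None and rank[name] < rank[last]:
                problems.append("%s: not allowed after %s" % (name, last))
            else:
                last = name
        for name, occ in slots:
            n = counts.get(name, 0)
            if occ in ("", "+") and n == 0:
                problems.append("%s: required but missing" % name)
            if occ in ("", "?") and n > 1:
                problems.append("%s: at most one allowed" % name)
    return problems

# Constructed sample metadata (idp.example.org is a placeholder host).
SLO = ('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
       'Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>')
SSO = ('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
       'Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>')
FMT = "<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>"

def metadata(*children):
    return ('<EntityDescriptor xmlns="%s" entityID="https://idp.example.org/idp/shibboleth">'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '%s</IDPSSODescriptor></EntityDescriptor>' % (MD, "".join(children)))

if __name__ == "__main__":
    print(check_order(metadata(FMT, SSO, SLO)))   # SLO placed last
    print(check_order(metadata(SLO, FMT, SSO)))   # SLO in its schema position
```

Running this against generated IDP metadata before distributing it to SPs catches the ordering problem without waiting for the SP's metadata provider to fail at startup.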

mzico commented Feb 15, 2017

Another comment from user.

@dmogn dmogn assigned dmogn and unassigned yurem Aug 14, 2017

@dmogn dmogn modified the milestones: 3.1.0, 3.0.0 Aug 14, 2017

@dmogn dmogn modified the milestones: 3.1.0, 3.2.0 Sep 15, 2017

@dmogn dmogn removed their assignment Apr 9, 2018
