According to https://www.samltool.com/validate_xml.php, the metadata we generate is not schema-valid; the validator reports:
Line: 45 | Column: 0 --> Element '{http://www.w3.org/2000/09/xmldsig#}Signature': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:metadata}ContactPerson, {urn:oasis:names:tc:SAML:2.0:metadata}AdditionalMetadataLocation ).
<?xml version="1.0" encoding="UTF-8"?>
<!-- SP metadata as currently generated (certificates, digest and signature value snipped).
     Note that the root binds ds: and the Signature below binds dsig: to the same
     XML-DSig namespace URI; the two prefixes are equivalent to a namespace-aware parser. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="NETSAML2_391ba03eafba8f2d94916a4cbfb919b55ef5410292510b29408743fb955f83ae" entityID="Some entity ID">
<!-- xs:boolean "0" = false: this SP neither signs its AuthnRequests nor requires signed
     assertions. These are test-suite settings; for production metadata WantAssertionsSigned
     is worth reviewing. -->
<md:SPSSODescriptor errorURL="http://localhost:3000/error" AuthnRequestsSigned="0" WantAssertionsSigned="0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>snip</ds:X509Certificate>
</ds:X509Data>
<ds:KeyName>e73560b0e23602121aedc55bcb1ca637</ds:KeyName>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:3000/slo-soap"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:3000/sls-post-response"/>
<md:AssertionConsumerService Location="http://localhost:3000/consumer-post" isDefault="true" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService isDefault="false" index="2" Location="http://localhost:3000/consumer-artifact" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">Net::SAML2::SP</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">Net::SAML2::SP testsuite</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">http://www.example.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="other">
<md:Company>Net::SAML2::SP testsuite</md:Company>
<md:EmailAddress>test@example.com</md:EmailAddress>
</md:ContactPerson>
<!-- This is the element the validator rejects: EntityDescriptorType is an xs:sequence whose
     first child is ds:Signature, so a Signature after ContactPerson is "not expected". -->
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<!-- xmlns:dsig is already in scope from the parent; xmlns:xenc is never used as a QName
     prefix here (the xmlenc URI below appears only inside an Algorithm attribute value,
     which is a plain URI, not a QName). Both declarations are harmless but redundant. -->
<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<!-- URI matches the root's ID attribute, so the signature covers the whole EntityDescriptor;
     the enveloped-signature transform excludes the Signature element itself from the digest. -->
<dsig:Reference URI="#NETSAML2_391ba03eafba8f2d94916a4cbfb919b55ef5410292510b29408743fb955f83ae">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>snip</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>snip
2vJF9j17rScBwkRHb7I=
</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>
snip
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
</md:EntityDescriptor>
According to the XSD, EntityDescriptorType is an xs:sequence whose first child is ds:Signature, so the signature must be the first child of the EntityDescriptor:
https://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
The generated XML needs to look roughly like this:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Same metadata with ds:Signature moved to be the first child of EntityDescriptor, matching
     the order EntityDescriptorType defines: Signature, Extensions, role descriptors,
     Organization, ContactPerson, AdditionalMetadataLocation. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="NETSAML2_391ba03eafba8f2d94916a4cbfb919b55ef5410292510b29408743fb955f83ae" entityID="Some entity ID">
<!-- The Signature element must be inserted at this position before the document is signed
     rather than relocated afterwards: the digest is taken over the canonicalized document
     with only the Signature element removed, so surrounding whitespace and text nodes may
     differ between positions and invalidate an already-computed SignatureValue. -->
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<!-- Redundant declarations carried over from the generator: dsig is already bound on the
     parent and xenc is not used as a QName prefix anywhere in this element. -->
<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<!-- Still references the root's ID; a consumer verifying this signature should confirm the
     referenced element is the EntityDescriptor itself and not some other element carrying
     the same ID. -->
<dsig:Reference URI="#NETSAML2_391ba03eafba8f2d94916a4cbfb919b55ef5410292510b29408743fb955f83ae">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>snip</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>snip
2vJF9j17rScBwkRHb7I=
</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>
snip
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
<!-- Role descriptor, Organization and ContactPerson are unchanged from the current output. -->
<md:SPSSODescriptor errorURL="http://localhost:3000/error" AuthnRequestsSigned="0" WantAssertionsSigned="0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>snip</ds:X509Certificate>
</ds:X509Data>
<ds:KeyName>e73560b0e23602121aedc55bcb1ca637</ds:KeyName>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:3000/slo-soap"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:3000/sls-post-response"/>
<md:AssertionConsumerService Location="http://localhost:3000/consumer-post" isDefault="true" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService isDefault="false" index="2" Location="http://localhost:3000/consumer-artifact" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">Net::SAML2::SP</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">Net::SAML2::SP testsuite</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">http://www.example.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="other">
<md:Company>Net::SAML2::SP testsuite</md:Company>
<md:EmailAddress>test@example.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>