I've set up the OpenSAML part and am generating metadata for three services. OpenSSO, however, is not accepting the resulting metadata.
The following generated metadata causes OpenSSO to say "Unable to find certificate to verify signature under element "EntityDescriptor"."
http://stuff.lhunath.com/metadata-no-cert-found.xml
I then attempted explicitly adding KeyInfo to the Signature on my EntityDescriptor root element, which got me a bit "further":
The following generated metadata causes OpenSSO to say "Unexpected element {urn:oasis:names:tc:SAML:2.0:metadata}:KeyDescriptor"
http://stuff.lhunath.com/metadata-unexpected-key.xml
Removing the KeyDescriptors from the metadata altogether (do they serve a specific purpose still when they all specify the same certificate and it's now specified in the Signature's KeyInfo?) gave me another message yet:
The following generated metadata causes OpenSSO to say "Unexpected element {urn:oasis:names:tc:SAML:2.0:metadata}:SingleLogoutService"
http://stuff.lhunath.com/metadata-unexpected-slo.xml
As far as I can gather from the SAMLv2 Metadata specification, both metadata files are valid; though perhaps I am overlooking something.
For what it's worth, it appears my metadata was missing the supportedProtocolsEnumeration.
import org.opensaml.common.xml.SAMLConstants; // OpenSAML 2.x; SAML20P_NS is urn:oasis:names:tc:SAML:2.0:protocol
// Declaring a supported protocol on a role descriptor emits its protocolSupportEnumeration attribute.
idpSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
attributeAuthorityDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
Adding these two resolved the issue. I discovered the issue by validating the generated metadata using xmllint against the Oasis SAML Metadata schema.
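As an added example (not code from the question, the answer, or OpenSAML): a small Python lint, standard library only, that looks for the two things the errors above trace back to, a role descriptor without the mandatory protocolSupportEnumeration attribute and children of an IDPSSODescriptor that are out of schema order, which is what a validating parser reports as "Unexpected element". The metadata it runs on is constructed inline; `lint_metadata`, `build_metadata` and the example.test URLs are assumptions of this example. It is a quick diagnostic, not a replacement for validating against the OASIS schema with xmllint, which remains the authoritative check.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML20P_NS = "urn:oasis:names:tc:SAML:2.0:protocol"  # OpenSAML's SAMLConstants.SAML20P_NS

# Every role type in the metadata schema derives from RoleDescriptorType,
# which requires the protocolSupportEnumeration attribute.
ROLE_DESCRIPTORS = ("IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor",
                    "AuthnAuthorityDescriptor", "PDPDescriptor", "RoleDescriptor")

# Child order the schema imposes on IDPSSODescriptor: the RoleDescriptorType sequence,
# then the SSODescriptorType additions, then the IDPSSODescriptorType additions.
IDP_CHILD_ORDER = ["Signature", "Extensions", "KeyDescriptor", "Organization", "ContactPerson",
                   "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
                   "NameIDFormat", "SingleSignOnService", "NameIDMappingService",
                   "AssertionIDRequestService", "AttributeProfile", "Attribute"]


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _check_idp(role, where):
    """Schema-order and cardinality checks specific to IDPSSODescriptor."""
    problems = []
    children = [_local(c.tag) for c in role]
    if "SingleSignOnService" not in children:
        problems.append(where + ": IDPSSODescriptor needs at least one SingleSignOnService")
    rank = {name: i for i, name in enumerate(IDP_CHILD_ORDER)}
    last = -1  # highest rank seen so far; anything ranked lower is out of order
    for child in children:
        if child not in rank:
            problems.append(where + ": unexpected child element " + child)
            continue
        if rank[child] < last:
            problems.append(where + ": " + child + " appears after " + IDP_CHILD_ORDER[last]
                            + ", violating schema order")
        last = max(last, rank[child])
    return problems


def lint_metadata(xml_text):
    """Return a list of human-readable problems; an empty list means the checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if _local(root.tag) not in ("EntityDescriptor", "EntitiesDescriptor"):
        return ["root element is %s, expected md:EntityDescriptor" % _local(root.tag)]
    for entity in root.iter("{%s}EntityDescriptor" % MD_NS):
        eid = entity.get("entityID")
        if eid is None:
            problems.append("EntityDescriptor without entityID attribute")
            eid = "<no entityID>"
        for role in entity:
            name = _local(role.tag)
            if name not in ROLE_DESCRIPTORS:
                continue
            where = "%s in %s" % (name, eid)
            # The attribute the original poster was missing: required on every role.
            protocols = role.get("protocolSupportEnumeration", "").split()
            if not protocols:
                problems.append(where + ": missing required protocolSupportEnumeration")
            elif SAML20P_NS not in protocols:
                problems.append(where + ": protocolSupportEnumeration does not list " + SAML20P_NS)
            if name == "IDPSSODescriptor":
                problems.extend(_check_idp(role, where))
    return problems


# Constructed sample metadata (not real; the certificate is base64 of "fake-cert").
KEY_DESCRIPTOR = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
                  '<ds:X509Certificate>ZmFrZS1jZXJ0</ds:X509Certificate>'
                  '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SLO = ('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
       'Location="https://idp.example.test/saml/slo"/>')
SSO = ('<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
       'Location="https://idp.example.test/saml/sso"/>')


def build_metadata(idp_attrs="", idp_children=(KEY_DESCRIPTOR, SLO, SSO), aa_attrs=""):
    """Assemble a constructed EntityDescriptor with an IdP role and an attribute authority role."""
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
            'entityID="https://idp.example.test/saml">'
            '<md:IDPSSODescriptor%s>%s</md:IDPSSODescriptor>'
            '<md:AttributeAuthorityDescriptor%s><md:AttributeService '
            'Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" '
            'Location="https://idp.example.test/saml/aa"/></md:AttributeAuthorityDescriptor>'
            '</md:EntityDescriptor>') % (MD_NS, idp_attrs, "".join(idp_children), aa_attrs)


PROTO_ATTR = ' protocolSupportEnumeration="%s"' % SAML20P_NS
BROKEN_METADATA = build_metadata()                              # no protocolSupportEnumeration
FIXED_METADATA = build_metadata(PROTO_ATTR, aa_attrs=PROTO_ATTR)  # what addSupportedProtocol produces
MISORDERED_METADATA = build_metadata(PROTO_ATTR, (SLO, KEY_DESCRIPTOR, SSO), PROTO_ATTR)

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_METADATA), ("fixed", FIXED_METADATA),
                       ("misordered", MISORDERED_METADATA)):
        print(label, lint_metadata(doc) or "OK")
```

The order table is only written out for IDPSSODescriptor; the same approach applies to the other role types by adding their sequences from the schema.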