[Shib-Users] IdP 2.1 metadata validation tool

[Zhang, Xiaoling]

Hi,

 

Does anyone have a metadata validation tool for IdP 2.1? We are running IdP 2.1 and need such a tool urgently. On internet2, we only found aacli for attribute.

 

Any information is appreciated.

 

Xiaoling Zhang

AIS, UCLA

[Peter Schober]

* Zhang, Xiaoling <xzh...@ais.ucla.edu> [2009-08-07 23:10]:

> Does anyone have a metadata validation tool for IdP 2.1? We are
> running IdP 2.1 and need such a tool urgently. On internet2, we only
> found aacli for attribute.

https://spaces.internet2.edu/display/SHIB2/MetadataCorrectness

You can configure a metadata filter in the IdP that does schema
validation. The Shib SP (2.2. is current) can also do this, by setting
validate="true" on a MetadataProvider element.

Note that this is not just an "informative" check, it will make the
software actually reject invalid metadata. But pointing an SP at a
metadata file (with validate="true" configured) and doing `shibd -t`
or `touch shibboleth2.xml` (which shibd running) or possibly using
mdquery[1] would then quickly show any errors.

Maybe samlsign[2] could also be (mis-)used for that (IIRC it will
refuse to sign invalid metadata).

Other than that any (commercial or Free/Open Source) schema-aware XML
validator should be able to do this (e.g. oXygen can do this, if you
menage to set things up correctly). If someone has recommendations
that would probably make good addition to the wiki.
-peter

[1] https://spaces.internet2.edu/display/SHIB2/NativeSPmdquery
[2] https://spaces.internet2.edu/display/OpenSAML/OSTwoUsrManCPPsamlsign