Metadata Namespace


Mark Moran

Sep 7, 2016, 6:44:42 PM9/7/16
to SimpleSAMLphp
First, we are not a member of InCommon. We have a SimpleSAML IdP and wish to work with an SP who is a member.

It seems that InCommon SP metadata is not namespaced, i.e. there is no "md:" in <EntityDescriptor> or "ds:" in <X509Certificate>.

Adding them to the metadata by hand wasn't too difficult once I realized this was the problem, but should this be necessary?

I thought this might warrant a discussion on whether SimpleSAML should detect an empty namespace and respect it.

Tom Scavo

Sep 7, 2016, 7:07:22 PM9/7/16
to simpleSAMLphp
On Wed, Sep 7, 2016 at 6:44 PM, Mark Moran <mmo...@wne.edu> wrote:
> First, we are not a member of InCommon. We have an SimpleSAML IdP and wish
> to work with an SP who is a member.
>
> It seems that InCommon SP metadata is not namespaced, ie there is no "md:"
> in <EntityDescriptor> or ds in <X509Certificate>.
>
> Adding them to the metadata by hand wasn't too difficult once I realized
> this was the problem, but should this be necessary?

No, the namespace prefixes are defined in the top-level
<md:EntitiesDescriptor> element. The child <md:EntityDescriptor>
elements inherit the namespace definitions. This is standard XML
syntax. It has nothing to do with SAML metadata.

> I thought this might warrant a discussion on whether SimpleSAML should
> detect an empty namespace and respect it.

I'm not sure what you mean. InCommon metadata is well-formed and
schema-valid. If it wasn't, your SSP IdP wouldn't be able to refresh
metadata.

Tom

Mark Moran

Sep 7, 2016, 7:52:49 PM9/7/16
to simple...@googlegroups.com
The metadata the SP sent me was missing those namespaces; what is published by InCommon is better, but not complete.

Looking at their metadata directly from InCommon's published metadata, you can see not all the namespaces are there and plugging it into SimpleSAML generates an exception:

<EntityDescriptor entityID="https://shibbsp.smartcatalogiq.com/shibboleth">
  <Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://shibbsp.smartcatalogiq.com/Shibboleth.sso/Login" index="1"/>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">SmartCatalog</mdui:DisplayName>
        <mdui:InformationURL xml:lang="en">http://academiccatalog.com/</mdui:InformationURL>
      </mdui:UIInfo>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
<!-- Serial No. 18242113603679090727, expires on Thu Feb 26 19:21:49 2026 GMT -->
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibbsp.smartcatalogiq.com/Shibboleth.sso/SLO/POST"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibbsp.smartcatalogiq.com/Shibboleth.sso/SLO/Redirect"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibbsp.smartcatalogiq.com/Shibboleth.sso/SLO/SOAP"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibbsp.smartcatalogiq.com/Shibboleth.sso/SAML2/POST" index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shibbsp.smartcatalogiq.com/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://shibbsp.smartcatalogiq.com/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://shibbsp.smartcatalogiq.com/Shibboleth.sso/SAML2/ECP" index="4"/>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Valentine  Co., Inc.</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Valentine  Co., Inc.</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://academiccatalog.com/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Kenneth Priddy</GivenName>
    <EmailAddress>sup...@academiccatalog.com</EmailAddress>
  </ContactPerson>
</EntityDescriptor>



Scott Koranda

Sep 7, 2016, 8:32:42 PM9/7/16
to simple...@googlegroups.com
> The metadata the SP sent me was missing those namespaces, what is published by
> InCommon is better, but not complete. 

You are not reading the XML correctly.

The XML begins with

<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="INC20160906T191312" Name="urn:mace:incommon"
validUntil="2016-09-20T19:13:12Z">

The default namespace is declared by

xmlns="urn:oasis:names:tc:SAML:2.0:metadata"

So the default namespace is

urn:oasis:names:tc:SAML:2.0:metadata

Thus this element (which today begins on line 250617 of the
InCommon metadata)

<EntityDescriptor entityID="https://shibbsp.smartcatalogiq.com/shibboleth">

is fully

<urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor entityID="https://shibbsp.smartcatalogiq.com/shibboleth">

> Looking at their metadata directly from InCommon's published metadata, you can
> see not all the namespaces are there

They are indeed there. The InCommon metadata is well-formed,
which is important since thousands of clients download, parse,
and consume it each day.

> and plugging it into SimpleSAML generates
> an exception:

You need to understand namespace inheritance, as Tom pointed
out. Since the <EntityDescriptor> does not directly have a
namespace declared, it is inheriting

urn:oasis:names:tc:SAML:2.0:metadata

If you copy the <EntityDescriptor> but do not add the
inherited namespace like

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://shibbsp.smartcatalogiq.com/shibboleth">

then yes, you will receive an exception, but it is due to your
error in not handling the namespace inheritance correctly
rather than the InCommon metadata being ill-formed.

Scott K

Mark Moran

Sep 7, 2016, 10:06:05 PM9/7/16
to simple...@googlegroups.com

Thank you, I appreciate the help very much.


Tom Scavo

Sep 8, 2016, 8:43:19 AM9/8/16
to simpleSAMLphp
On Wed, Sep 7, 2016 at 10:06 PM, Mark Moran <disc...@gmail.com> wrote:
> Thank you, I appreciate the help very much.

Instead of manipulating the XML by hand, you can use an XML processor
to extract a single entity from an aggregate. Here's how to do it with
xsltproc:

$ cat $MD_PATH | xsltproc --stringparam entityID $ID
$LIB_DIR/extract_entity.xsl -
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="...">

etc.

Note that the EntityDescriptor is fully formed. The rest of the entity
has been truncated for convenience.

On the command line:

1) MD_PATH is the path to the aggregate
2) ID is an entityID
3) LIB_DIR is a library directory that includes the indicated XSL stylesheet

You can fetch the stylesheet from github:
https://gist.github.com/trscavo/551e257c3ea59a454e9f3c9aa87ea2bc

Hope this helps,

Tom