ShibAndEdugain
Tartalomjegyzék
Loading metadata
Metadata downloaded from https://mds.edugain.org
- Strange things
- Metadata is not signed by a third party
- Line breaks and indentation is quite by chance, however running through
xml_ppof course invalidates the signature of the individual<EntityDescriptor>s - Metadata cannot be validated to the schema (see later)
Problems loading metadata to Shibboleth SP
For perl processing, MDS output is run through xml_pp, an XML pretty-printer.
No default namespace
There is no default namespace for the outer EntitiesDescriptor, the root element. No problem with that, but there is at least one EntityDescriptor, which is not correctly namespaced (and assumes that the default namespace is urn:oasis:names:tc:SAML:2.0:metadata)
Solution:
| perl -pe 's/(<(md:)?EntitiesDescriptor)/\1 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/;'
Invalid use of RoleDescriptor
SAML Metadata Schema declares that RoleDescriptor is an abstract element, whatever it means. Shibboleth (2.0) cannot load an entity with such an element.
Solution:
| perl -pe 's/.*RoleDescriptor.*//g;'
At the time of writing, it only affects Fresco-AAI. For some unknown reason, Fresco-AAI metadata is a one-liner (even after pretty printing), so it's possible to remove it such a way. If it wasn't the case, proper XSLT would be necessary.
Invalid extension of the schema
GIdP entity contains an egmd:OnlineCADescriptor element, which is not a standard extension of the SAML schema.
Solution:
| perl -pe 's/.*OnlineCA.*//g;'
At the time of writing, it only affects GIdP. For some unknown reason, GIdP metadata is a one-liner (even after pretty printing), so it's possible to remove it such a way. If it wasn't the case, proper XSLT would be necessary.
