Shibboleth SP, Azure AD IDP - no metadata found.


Shibboleth SP, Azure AD IDP - no metadata found.

Dan MacMillan
Hello,

I am a total neophyte when it comes to SAML, Shibboleth, and Azure AD. I have done a lot of reading and I think I have a broad understanding of the moving parts, but it is not working for me.

Since I am new to everything, I decided a good plan was to start with a fully working environment in the form of the dockerized-idp-testbed from GitHub, and then swap out each leg with the piece I really want to use. I got the dockerized-idp-testbed working. I made changes to it, and to our DNS, firewall rules etc. to publish it on the internet, since it will need to be publicly accessible in order for Azure to talk to it. That is working.

Now I am trying to substitute Azure AD for Shibboleth IDP.

I uploaded my SP metadata into Azure. I downloaded the Azure metadata and put it into the "sp/etc-shibboleth/idp-metadata.xml" file in the testbed, completely replacing the contents of that file. I edited the shibboleth2.xml file, setting the entityID attribute on the SSO element to the value the Azure AD control panel is telling me to use. This value agrees with the value of the entityID attribute in the EntityDescriptor element of the idp-metadata.xml file.

This is the error I am getting (from shibd.log):

2018-06-28 21:23:00 WARN Shibboleth.SSO.SAML2 [1]: no metadata found, can't establish identity of issuer (https://sts.windows.net/48f50b92-8209-4bbd-9e4e-49fb432e8d73/)

This is what the SSO attribute of shibboleth2.xml looks like:

            <SSO entityID="https://sts.windows.net/48f50b92-8209-4bbd-9e4e-49fb432e8d73/">
              SAML2 SAML1
            </SSO>

At this point I am completely flummoxed. There is another entityID on the ApplicationDefaults but I left it looking like this:

    <ApplicationDefaults entityID="https://sp.idptestbed/shibboleth"

I don't think I have to change that, do I? I understand it could be considered "bad" to leave it at this bogus value, but this is a test environment for now and I want to minimize my changes so I understand how this all works.  My understanding is that the entityID on the SSO element is how it finds the metadata. There is a MetaData provider element in shibboleth2.xml that looks like this (I did not change this):

        <MetadataProvider type="XML" validate="true" file="idp-metadata.xml"/>

Since the idp-metadata file it is pointing to contains the Azure metadata, and since that metadata has an entityID that agrees with the SSO element, I don't understand why this is not working.

I would really appreciate any help.

--
Dan MacMillan
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Shibboleth SP, Azure AD IDP - no metadata found.

Dan MacMillan
Actually now that I take a closer look at the logs, I see that it couldn't parse the metadata XML file at all, which must be the real problem.

2018-06-28 22:11:40 DEBUG OpenSAML.Metadata.XML : using local resource (/etc/shibboleth/idp-metadata.xml), will monitor for changes
2018-06-28 22:11:40 DEBUG OpenSAML.Metadata.XML : loading configuration from external resource...
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 471, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 1665, message: no declaration found for element 'fed:ClaimTypesOffered'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 7889, message: no declaration found for element 'fed:SecurityTokenServiceEndpoint'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 8133, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 8360, message: element 'fed:ClaimTypesOffered' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 8611, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 9800, message: no declaration found for element 'fed:TargetScopes'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 10015, message: no declaration found for element 'fed:ApplicationServiceEndpoint'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 10257, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2018-06-28 22:11:40 ERROR XMLTooling.ParserPool : error on line 1, column 10484, message: element 'fed:TargetScopes' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2018-06-28 22:11:40 ERROR OpenSAML.Metadata.XML : error while loading resource (/etc/shibboleth/idp-metadata.xml): XML error(s) during parsing, check log for specifics
2018-06-28 22:11:40 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics

Dan MacMillan | Integration Specialist
Emerald Associates Inc.

Tel: 403.686.7100 ext. 8930




RE: Shibboleth SP, Azure AD IDP - no metadata found.

Dan MacMillan
Setting the validate attribute on the MetaDataProvider element to false resolved my issue.

Dan MacMillan | Integration Specialist
Emerald Associates Inc.

Tel: 403.686.7100 ext. 8930




Re: Shibboleth SP, Azure AD IDP - no metadata found.

Cantor, Scott E.
On 6/28/18, 6:34 PM, "users on behalf of Dan MacMillan" <[hidden email] on behalf of [hidden email]> wrote:

> Setting the validate attribute on the MetaDataProvider element to false resolved my issue.

That's because Microsoft defined their use of SAML metadata in ways that rely on any consumer having a schema for their extensions on hand, which the SP obviously does not.

-- Scott



Re: Shibboleth SP, Azure AD IDP - no metadata found.

Peter Schober
* Cantor, Scott <[hidden email]> [2018-06-29 17:41]:
> On 6/28/18, 6:34 PM, "users on behalf of Dan MacMillan" <[hidden email] on behalf of [hidden email]> wrote:
>
> > Setting the validate attribute on the MetaDataProvider element to false resolved my issue.
>
> That's because Microsoft defined their use of SAML metadata in ways
> that rely on any consumer having a schema for their extensions on
> hand, which the SP obviously does not.

For the OP: I don't have an example handy for what's inside their
md:RoleDescriptor but I think the UKf schema collection should have a
copy: https://github.com/ukf/ukf-meta/tree/master/mdx/schema

-peter

Re: Shibboleth SP, Azure AD IDP - no metadata found.

Cantor, Scott E.
On 6/29/18, 11:49 AM, "users on behalf of Peter Schober" <[hidden email] on behalf of [hidden email]> wrote:

> For the OP: I don't have an example handy for what's inside their
> md:RoleDescriptor but I think the UKf schema collection should have a
> copy: https://github.com/ukf/ukf-meta/tree/master/mdx/schema

I'll take a look, I could probably suck them into the next release just to prevent wasted time on this. If they're stable and published anyway.

-- Scott



RE: Shibboleth SP, Azure AD IDP - no metadata found.

Dan MacMillan
In reply to this post by Peter Schober
Thanks. I don't know how I would install these though. As I understand it, this is optional? Validation helps me from shooting myself in the foot but it won't prevent the system from working -- assuming I myself make sure it is valid, correct?

Dan MacMillan | Integration Specialist
Emerald Associates Inc.

Tel: 403.686.7100 ext. 8930



Re: Shibboleth SP, Azure AD IDP - no metadata found.

Peter Schober
* Dan MacMillan <[hidden email]> [2018-07-05 00:17]:
> Thanks. I don't know how I would install these though.

You'd copy the missing schema file to a place the software is looking
for them?

> As I understand it, this is optional? Validation helps me from
> shooting myself in the foot but it won't prevent the system from
> working -- assuming I myself make sure it is valid, correct?

I don't follow. Yes, validation can be disabled (as you have found out
yourself). But you've also found out that enabling validation *will*
prevent your system from working even if it is valid, at least in the
one case where certain use of extension schemas is being made that
will only validate successfully if you have the right XSD schema files
in place (which you didn't, because the Shibboleth software does not
ship those).

But it's hard to say anything useful about validation at the level of
the SAML implementation without knowing what metadata is being
consumed and how that is being curated.

Of course you can validate metadata in other ways, see
CONCEPT/MetadataCorrectness in the shibboleth wiki.
And if you're producing metadata yourself for others to consume you
better make sure it's schema-valid, of course.

-peter
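As an added example (not posted by anyone in this thread and not Shibboleth project code), here is a small Python script covering the two points raised above: Dan's shibd.log shows the parser failing on fed:* elements whose namespace has no XSD on the SP, and Scott and Peter explain that validate="true" will therefore fail on Azure AD metadata even though the document is well-formed. The script lists the element namespaces in an IdP metadata file that fall outside the ones assumed to be covered by the SP's schema catalog, and it removes the md:RoleDescriptor elements whose children are in the wsfed namespace so the remaining IDPSSODescriptor can be loaded with validation still enabled. The sample metadata is constructed; the tenant id, the endpoint host and the set of namespaces treated as covered are placeholders and assumptions to adjust to your own SP installation.

```python
"""Inspect IdP metadata for elements the Shibboleth SP has no XSD for, and
strip the WS-Federation RoleDescriptors so schema validation can stay on."""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Namespace named in the shibd.log 'grammar not found' errors in the thread.
FED_NS = "http://docs.oasis-open.org/wsfed/federation/200706"

# Assumption: namespaces treated as covered by the SP's schema catalog.
# Adjust to the XSD files actually present in your SP's schema directory.
COVERED_NS = {MD_NS, DS_NS}

# Keep the customary prefixes on output instead of ElementTree's ns0/ns1.
for _prefix, _uri in (("md", MD_NS), ("ds", DS_NS), ("fed", FED_NS), ("xsi", XSI_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample shaped like Azure AD federation metadata: two
# RoleDescriptors carrying fed:* children plus one SAML IDPSSODescriptor.
# The tenant id and the endpoint host are placeholders, not a real tenant.
SAMPLE_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:fed="{FED_NS}"
    xmlns:xsi="{XSI_NS}" entityID="{SAMPLE_ENTITY_ID}">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="{FED_NS}">
    <fed:ClaimTypesOffered/>
    <fed:SecurityTokenServiceEndpoint/>
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="{FED_NS}">
    <fed:TargetScopes/>
    <fed:ApplicationServiceEndpoint/>
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.invalid/PLACEHOLDER-TENANT/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _namespace(tag):
    """Return the namespace URI of an ElementTree tag of the form '{uri}local'."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def foreign_namespaces(xml_text):
    """Namespaces used by elements in the document that are not in COVERED_NS.
    Each entry needs an XSD on the SP's schema path, otherwise validate="true"
    fails with the 'grammar not found' / 'no declaration found' errors above."""
    root = ET.fromstring(xml_text)
    return {_namespace(el.tag) for el in root.iter()} - COVERED_NS - {""}


def strip_wsfed_roles(xml_text):
    """Drop each md:RoleDescriptor whose children live in the WS-Fed namespace,
    leaving IDPSSODescriptor and any other SAML role untouched.
    Returns (cleaned_xml, number_of_roles_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for role in list(root.findall(f"{{{MD_NS}}}RoleDescriptor")):
        if any(_namespace(child.tag) == FED_NS for child in role):
            root.remove(role)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def entity_id(xml_text):
    """entityID of the EntityDescriptor; it must equal the SSO element's entityID
    in shibboleth2.xml or the SP reports 'no metadata found' for the issuer."""
    return ET.fromstring(xml_text).get("entityID")


if __name__ == "__main__":
    # Usage: python strip_wsfed.py idp-metadata.xml > idp-metadata-saml-only.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print("foreign namespaces:", sorted(foreign_namespaces(text)), file=sys.stderr)
    cleaned, count = strip_wsfed_roles(text)
    print(f"removed {count} WS-Fed RoleDescriptor(s); entityID={entity_id(cleaned)}", file=sys.stderr)
    print(cleaned)
```

Two caveats on using this instead of validate="false". Azure AD signs its federation metadata, so any edit invalidates the ds:Signature; this only fits a local-file provider like the testbed's `<MetadataProvider type="XML" validate="true" file="idp-metadata.xml"/>`, which is not checking a signature, and where the file itself was fetched over HTTPS from the tenant's metadata endpoint. A hand-edited local copy also does not follow the IdP's key rollover, so it has to be refreshed whenever the tenant rotates its signing certificate. Installing the missing XSD files where the SP looks for them, as Peter suggests, keeps the document intact and is the cleaner fix when those schemas are stable.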