0 Replies. Latest reply: Mar 6, 2011 12:05 AM by 845113

    Unable to import SP metadata with xmlsig namespace

    845113
      I am trying to set up my OpenAM instance as an SP that requires signed assertions from the IdP.
      I created a hosted SP on the OpenAM console and selected signing of assertions.
      After I export the SP metadata into a file, I find that ssoadm fails to import the SP metadata
      since it finds the XML malformed.

      How do I make ssoadm aware of the ds: namespace in metadata? Adding the ds xmlns in the preamble did not help.

      My SP metadata:

      # cat sp.xml
      <EntityDescriptor entityID="myServiceProvider" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

      <KeyDescriptor use="signing">
      <ds:KeyInfo>
      <ds:KeyName>tomcat</ds:KeyName>
      <ds:X509Data>
      <ds:X509SubjectName>/C=US/ST=CA/L=SJ/O=XXX/OU=XXX/CN=ravioli.xxx.com</ds:X509SubjectName>
      <ds:X509IssuerSerial>
      <ds:X509IssuerName>ravioli.xxx.com</ds:X509IssuerName>
      <ds:X509SerialNumber>4D7091C9</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
      <ds:X509Certificate>[...elided...] </ds:X509Certificate>

      [...]
      </EntityDescriptor>
      #

      Here is how ssoadm rejects it:

      # /usr/local/opensso/bin/ssoadm import-entity meta-data-file sp.xml extended-data-file spP.xml cot myCircleOfTrust spec saml2 verbose debug -u amAdmin -f /tmp/p
      Process Request ...
      Constructing Request Context...
      Validating mandatory options...
      Processing Sub Command ...

      Executing class, com.sun.identity.federation.cli.ImportMetaData.
      Authenticating...
      Authenticated.
      DefaultValidationEventHandler: [ERROR]: Unexpected element {urn:oasis:names:tc:SAML:2.0:metadata}:KeyInfo
      Location:
      ImportMetaData.importMetaData
      javax.xml.bind.UnmarshalException: Unexpected element {urn:oasis:names:tc:SAML:2.0:metadata}:KeyInfo
      at com.sun.identity.saml2.jaxb.assertion.impl.runtime.SAXUnmarshallerHandlerImpl.handleEvent(SAXUnmarshallerHandlerImpl.java:580)
      at com.sun.identity.saml2.jaxb.assertion.impl.runtime.AbstractUnmarshallingEventHandlerImpl.reportError(AbstractUnmarshallingEventHandlerImpl.java:139)
      at com.sun.identity.saml2.jaxb.assertion.impl.runtime.AbstractUnmarshallingEventHandlerImpl.reportError(AbstractUnmarshallingEventHandlerImpl.java:136)
      at com.sun.identity.saml2.jaxb.assertion.impl.runtime.AbstractUnmarshallingEventHandlerImpl.unexpectedEnterElement(AbstractUnmarshallingEventHandlerImpl.java:147)
      at com.sun.identity.saml2.jaxb.assertion.impl.runtime.AbstractUnmarshallingEventHandlerImpl.enterElement(AbstractUnmarshallingEventHandlerImpl.java:60)
      at com.sun.identity.saml2.jaxb.metadata.impl.KeyDescriptorTypeImpl$Unmarshaller.enterElement(KeyDescriptorTypeImpl.java:326)
      at com.sun.identity.saml2.jaxb.metadata.impl.KeyDescriptorElementImpl$Unmarshaller.enterElement(KeyDescriptorElementImpl.java:162)
      at com.sun.identity.saml2.jaxb.assertion.impl.runtime.SAXUnmarshallerHandlerImpl.startElement(SAXUnmarshallerHandlerImpl.java:126)
      at org.xml.sax.helpers.XMLFilterImpl.startElement(XMLFilterImpl.java:527)
      at com.sun.xml.bind.unmarshaller.InterningXMLReader.startElement(InterningXMLReader.java:74)
      at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:239)
      at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:276)
      at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:245)
      at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:276)
      at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:245)
      at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:276)
      at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:245)
      at com.sun.xml.bind.unmarshaller.DOMScanner.parse(DOMScanner.java:149)
      at com.sun.identity.saml2.jaxb.assertion.impl.runtime.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:169)
      at com.sun.identity.saml2.meta.SAML2MetaUtils.convertNodeToJAXB(SAML2MetaUtils.java:177)
      at com.sun.identity.federation.cli.ImportMetaData.getSAML2EntityDescriptorElement(ImportMetaData.java:408)
      at com.sun.identity.federation.cli.ImportMetaData.handleSAML2Request(ImportMetaData.java:205)
      at com.sun.identity.federation.cli.ImportMetaData.handleRequest(ImportMetaData.java:126)
      at com.sun.identity.cli.SubCommand.execute(SubCommand.java:291)
      at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:212)
      at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:134)
      at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:584)
      at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:182)
      at com.sun.identity.cli.CommandManager.main(CommandManager.java:146)

      com.sun.identity.cli.CLIException: Entity descriptor in file, sp.xml had invalid syntax.
      at com.sun.identity.federation.cli.ImportMetaData.getSAML2EntityDescriptorElement(ImportMetaData.java:420)
      at com.sun.identity.federation.cli.ImportMetaData.handleSAML2Request(ImportMetaData.java:205)
      at com.sun.identity.federation.cli.ImportMetaData.handleRequest(ImportMetaData.java:126)
      at com.sun.identity.cli.SubCommand.execute(SubCommand.java:291)
      at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:212)
      at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:134)
      at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:584)
      at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:182)
      at com.sun.identity.cli.CommandManager.main(CommandManager.java:146)
      CommandManager.<init>
      com.sun.identity.cli.CLIException: Entity descriptor in file, sp.xml had invalid syntax.
      at com.sun.identity.federation.cli.ImportMetaData.getSAML2EntityDescriptorElement(ImportMetaData.java:420)
      at com.sun.identity.federation.cli.ImportMetaData.handleSAML2Request(ImportMetaData.java:205)
      at com.sun.identity.federation.cli.ImportMetaData.handleRequest(ImportMetaData.java:126)
      at com.sun.identity.cli.SubCommand.execute(SubCommand.java:291)
      at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:212)
      at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:134)
      at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:584)
      at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:182)
      at com.sun.identity.cli.CommandManager.main(CommandManager.java:146)

      Entity descriptor in file, sp.xml had invalid syntax.

      #

      How can I make ssoadm do a ds: namespace aware parsing of SP metadata?

      Many thanks,

      /Kobe
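The error quoted above reports KeyInfo in the SAML metadata namespace, which means the element resolved into the default namespace instead of the XML Signature namespace the unmarshaller expects. The following script, added here as an editor's example and not code from the post or from OpenAM, checks an SP metadata file for exactly that condition before it is handed to ssoadm; the xmldsig namespace URI is the standard one, and both sample documents are constructed (certificate material omitted).

```python
"""Check that every KeyInfo inside a SAML 2.0 KeyDescriptor resolves to the
XML Signature namespace rather than the metadata default namespace.
Editor's example; the sample metadata below is constructed, not the poster's."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"   # assumed standard xmldsig URI


def keyinfo_namespaces(metadata_xml):
    """Return (namespace, localname) for every KeyInfo child of a
    KeyDescriptor, whatever namespace the prefix (or lack of one) gave it."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        for child in kd:
            ns, _, local = child.tag.rpartition("}")
            if local == "KeyInfo":
                found.append((ns.lstrip("{"), local))
    return found


def metadata_is_importable(metadata_xml):
    """True only when at least one KeyInfo exists and all of them are in the
    xmldsig namespace; anything else is the 'Unexpected element
    {urn:oasis:names:tc:SAML:2.0:metadata}:KeyInfo' case on import."""
    found = keyinfo_namespaces(metadata_xml)
    return bool(found) and all(ns == DS_NS for ns, _ in found)


# Constructed: KeyInfo carries no prefix, so it inherits the metadata namespace.
BAD_SP = """<EntityDescriptor entityID="sp" xmlns="%s">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo><KeyName>tomcat</KeyName></KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>""" % MD_NS

# Constructed: xmlns:ds declared on the root and the ds: prefix used throughout.
GOOD_SP = """<EntityDescriptor entityID="sp" xmlns="%s" xmlns:ds="%s">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>tomcat</ds:KeyName></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>""" % (MD_NS, DS_NS)

if __name__ == "__main__":
    for name, doc in (("bad", BAD_SP), ("good", GOOD_SP)):
        print(name, keyinfo_namespaces(doc), metadata_is_importable(doc))
```

Run it against the exported sp.xml by reading the file into `metadata_is_importable`; a `False` result with a metadata-namespace KeyInfo in the list is the same condition the stack trace above reports.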