Debatindlæg | Digitaliser.dk

Loading…

Tilbage

SPMetaData and Migration to OIOSAML 3

Zoran Avtarovski

17. maj 2022, 12:27

Hi Guys,

We have started the process of migrating to OIOSAML3 and as part of that we need to upload our SPMetaData file to the administrator portal. I remember with OIOSAML 2 the webapp included a generator which generated the metadata file, but I couldn't see that in the new sample app.

I tried generating the file manually uising the samples as a guide but it failed validation on the administrator portal with the errors below, which seemed strange as the file was similar to the samples.

As always any assistance would be appreciated.

Zoran

Rule

Message

AssertionConsumerServiceBinding

Error: The assertion consumer service binding is not found. The only allowed binding is: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

AttributeNameFormat

Error: The attribute name format is missing. The only allowed value is NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

AttributeValidation

Error: The following mandatory attribute is missing: https://data.gov.dk/model/core/specVersion (SpecVer)

AttributeValidation

Error: The following mandatory attribute is missing: https://data.gov.dk/concept/core/nsis/loa (Level Of Assurance)

AttributeValidation

Error: The following mandatory attribute is missing: https://data.gov.dk/model/core/eid/professional/cvr (CVRnumberIdentifier)

AttributeValidation

Error: The following mandatory attribute is missing: https://data.gov.dk/model/core/eid/professional/orgName (organizationName)

ValidNameFormatId

Error(Line 76): It is not allowed to specify more than one NameIdFormat.

WebSsoSchema

Error (line: 77):The element IDPSSODescriptor in namespace urn:oasis:names:tc:SAML:2.0:metadata has invalid child element NameIDFormat in namespace urn:oasis:names:tc:SAML:2.0:metadata. List of possible elements expected: SingleSignOnService, NameIDMappingService, AssertionIDRequestService, AttributeProfile in namespace urn:oasis:names:tc:SAML:2.0:metadata as well as Attribute in namespace urn:oasis:names:tc:SAML:2.0:assertion.

Hi Guys,
We have started the process of migrating to OIOSAML3 and as part of
 that we need to upload our SPMetaData file to the administrator
 portal. I remember with OIOSAML 2 the webapp included a generator
 which generated the metadata file, but I couldn't see that in the new
 sample app. 
I tried generating the file manually uising the samples as a guide
 but it failed validation on the administrator portal with the errors
 below, which seemed strange as the file was similar to the samples. 
As always any assistance would be appreciated.
 
Zoran
 

 Rule

 Message
AssertionConsumerServiceBinding
Error: The assertion consumer service binding is not found. The only
 allowed binding is: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
AttributeNameFormat
Error: The attribute name format is missing. The only allowed value
 is NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
AttributeValidation
Error: The following mandatory attribute is missing: <a
 href="https://data.gov.dk/model/core/specVersion">https://data.gov.dk/model/core/specVersion</a> (SpecVer)
AttributeValidation
Error: The following mandatory attribute is missing: <a
 href="https://data.gov.dk/concept/core/nsis/loa">https://data.gov.dk/concept/core/nsis/loa</a>
 (Level Of Assurance)
AttributeValidation
Error: The following mandatory attribute is missing: <a
 href="https://data.gov.dk/model/core/eid/professional/cvr">https://data.gov.dk/model/core/eid/professional/cvr</a> (CVRnumberIdentifier)
AttributeValidation
Error: The following mandatory attribute is missing: <a
 href="https://data.gov.dk/model/core/eid/professional/orgName">https://data.gov.dk/model/core/eid/professional/orgName</a> (organizationName)
ValidNameFormatId
Error(Line 76): It is not allowed to specify more than one NameIdFormat.
WebSsoSchema
Error (line: 77):The element IDPSSODescriptor in namespace
 urn:oasis:names:tc:SAML:2.0:metadata has invalid child element
 NameIDFormat in namespace urn:oasis:names:tc:SAML:2.0:metadata. List
 of possible elements expected: SingleSignOnService,
 NameIDMappingService, AssertionIDRequestService, AttributeProfile in
 namespace urn:oasis:names:tc:SAML:2.0:metadata as well as Attribute in
 namespace urn:oasis:names:tc:SAML:2.0:assertion.

Log ind for at besvare

Morten D. Bech

17. maj 2022, 15:30

Hi Zoran,

Please remember that you need to use OIO SAML 3 reference implementation package in either dotNET or Java. Both of these have implemented endpoints for generating metadata files which can be uploaded to the Administration of NemLog-in. Please refer to the documentation of the respective implementations:

You can read the latest version (as of writing this) of the OIO SAML 3 profile at https://www.digitaliser.dk/resource/6508977 which states the requirements for the metadata, which all of the above errors originate from.

Regards,
Morten D. Bech

Log ind for at besvare

Zoran Avtarovski

18. maj 2022, 4:19

Thanks Morten,

I can't believe I missed the top link. II was able to successfully generate the file.