Environment
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Access Administration
Situation
Access Manager Identity Server (IDP) is set up and working fine: users can authenticate successfully after being redirected to enter their credentials at the IDP server. The IDP server is also planned to serve as an Identity Provider to a trusted SAML2 Shibboleth-based Service Provider (SP). The first step in establishing this trust relationship is to import the SAML2 SP metadata into the IDP. Cutting and pasting the metadata for this SP into the Admin Console IDP configuration throws an error indicating that the metadata is malformed.
Resolution
Remove the <EntitiesDescriptor> tags from the current SP metadata and reimport.
The EntitiesDescriptor element is used to describe multiple entities within the same metadata. Access Manager currently allows the definition of only a single entity (planned to change in a future release). By removing the EntitiesDescriptor wrapper for now so that a single entity exists as shown below, the SP metadata will import successfully and SAML communication will still be valid. The SP metadata originally included the following entry:
<EntitiesDescriptor
Name="urn:maec:afa.edu.ie:AFAProd"
validUntil="2010-11-28T11:25:01Z"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
saml-schema-metadata-2.0.xsd urn:maec:shibboleth:metadata:1.0
shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig#
xmldsig-core-schema.xsd" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="adfs">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://100.150.21.137/adfs/ls/" index="0"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
</EntitiesDescriptor>
By cutting and pasting the following modified metadata, no errors were reported and the SP initialised fine:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="adfs">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://100.150.21.137/adfs/ls/" index="0"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
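The unwrapping step above, as an added example that is not part of this TID or of Access Manager: a small Python helper (assumed name unwrap_entity) that pulls the single EntityDescriptor out of an EntitiesDescriptor wrapper and reports which wrapper attributes (Name, validUntil, cacheDuration, a wrapper-level signature) are lost in the process, because stripping the wrapper silently drops the lifetime and signature that applied to the SP entry. The sample metadata is constructed from the snippet in this article.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple, Dict

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)

# Constructed sample: one SP wrapped in <EntitiesDescriptor>, as in the TID above.
SAMPLE_METADATA = """<EntitiesDescriptor Name="urn:example:federation"
    validUntil="2010-11-28T11:25:01Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="adfs">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://100.150.21.137/adfs/ls/" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</EntitiesDescriptor>"""


def unwrap_entity(metadata_xml: str, entity_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (single-entity metadata, wrapper attributes that were dropped).
    A root <EntityDescriptor> is returned unchanged. A root <EntitiesDescriptor>
    must contain exactly one <EntityDescriptor> (or exactly one whose entityID
    matches entity_id); anything else is rejected rather than guessed at.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        return metadata_xml, {}
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise ValueError(f"unexpected root element: {root.tag}")
    candidates = root.findall(f"{{{MD_NS}}}EntityDescriptor")
    if entity_id is not None:
        candidates = [e for e in candidates if e.get("entityID") == entity_id]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one EntityDescriptor, found {len(candidates)}")
    # Everything on the wrapper disappears when it is stripped: validUntil and
    # cacheDuration no longer bound the lifetime of the child, and a signature
    # over the wrapper no longer covers it. Report them so the operator verifies
    # the metadata out of band before trusting the unwrapped copy.
    dropped = {k: v for k, v in root.attrib.items() if k in ("Name", "validUntil", "cacheDuration")}
    if root.find(f"{{{DS_NS}}}Signature") is not None:
        dropped["Signature"] = "wrapper-level signature not carried over"
    return ET.tostring(candidates[0], encoding="unicode").strip(), dropped


if __name__ == "__main__":
    single, dropped = unwrap_entity(SAMPLE_METADATA)
    print(single)
    print("dropped wrapper attributes:", dropped)
```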
Additional Information
// snippet from the SAML metadata specs
2.3 Root Elements
A SAML metadata instance describes either a single entity or multiple entities. In the former case, the root
element MUST be <EntityDescriptor>. In the latter case, the root element MUST be
<EntitiesDescriptor>.