Uploaded image for project: 'Shibboleth User Interface'
  1. Shibboleth User Interface
  2. SHIBUI-2567

PAC4J-generated sp metadata file missing keys

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Minor
    • None
    • None
    • None
    • Sprint 2023 - 5

    Description

      This is what is currently being generated in sp-metadata.xml, when shibui.pac4j.serviceProviderMetadataPath is set, and shibui.pac4j.forceServiceProviderMetadataGeneration is true. Note the md:KeyDescriptor entries are missing the certificates.

      /conf/sp-metadata.xml

      <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b6d3cb71eb40464ab4cba5a370c352912e058ad" entityID="https://unicon.net/test/shibui" validUntil="2043-04-13T18:28:05.328Z">
      		 
          <md:Extensions>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
      		 
              <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
      		 
              <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      		 
              <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
      		 
              <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      		 
          </md:Extensions>
      		 
          <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
      		 
              <md:Extensions>
      		 
                  <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient"/>
      		 
              </md:Extensions>
      		 
              <md:KeyDescriptor use="signing"/>
      		 
              <md:KeyDescriptor use="encryption"/>
      		 
              <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;logoutendpoint=true"/>
      		 
              <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;logoutendpoint=true"/>
      		 
              <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;logoutendpoint=true"/>
      		 
              <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;logoutendpoint=true"/>
      		 
              <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      		 
              <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      		 
              <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      		 
              <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      		 
              <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient" index="0"/>
      		 
          </md:SPSSODescriptor>
      		 
      </md:EntityDescriptor>

      This is in the Unicon repository, in the testbed/authentication/shibui folder:

      server:
      		 
        use-forward-headers: true
      		 
        forward-headers-strategy: NATIVE
      		 
      spring:
      		 
        profiles:
      		 
          include:
      		 
      shibui:
      		 
        user-bootstrap-resource: file:/conf/users.csv
      		 
        roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
      		 
        pac4j-enabled: true
      		 
        pac4j:
      		 
          keystorePath: "/conf/samlKeystore.jks"
      		 
          keystorePassword: "password"
      		 
          privateKeyPassword: "password"
      		 
          serviceProviderEntityId: "https://unicon.net/test/shibui"
      		 
          serviceProviderMetadataPath: "/conf/sp-metadata.xml"
      		 
          identityProviderMetadataPath: "/conf/idp-metadata.xml"
      		 
          forceServiceProviderMetadataGeneration: true
      		 
          callbackUrl: "https://shibui.unicon.local/callback"
      		 
          maximumAuthenticationLifetime: 3600000
      		 
          postLogoutURL: "https://idp.unicon.local/idp/profile/Logout"
      		 
      ...

      Attachments

        Activity

          People

            chad.redman.3@at.internet2.edu Chad Redman
            chad.redman.3@at.internet2.edu Chad Redman
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: