ShibAndEdugain

Loading metadata
Metadata downloaded from https://mds.edugain.org


 * Strange things
 * Metadata is not signed by a third party
 * Line breaks and indentation are quite arbitrary; running the output through xml_pp of course invalidates the signatures of the individual entities
 * Metadata cannot be validated to the schema (see later)

Problems loading metadata to Shibboleth SP
For Perl processing, the MDS output is first run through xml_pp, an XML pretty-printer.

Here is the command I use to load MDS output into a Shibboleth 2.0 SP:

    wget -O- --ca-certificate=/home/bajnokk/edugain_bundle.crt https://mds.edugain.org | xml_pp \
      | perl -pe 's/(<(md:)?EntitiesDescriptor)/\1 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/;
                  s/.*RoleDescriptor.*//g; s/.*OnlineCA.*//g;
                  s/cacheDuration[^ >]*//g;' >/tmp/mds-pp.xml

(The substitutions are inside one single-quoted Perl program, so no shell line continuation is needed between them.)

Explanation follows:

Unable to connect
For some reason, Shibboleth 2.0 cannot connect to https://mds.edugain.org. It seems to be a  issue, which is not easy to circumvent. (See this shib-users thread.) Newer cURL versions can handle the SSL handshake (the ones in Ubuntu Intrepid and Debian Lenny cannot), so it is necessary to  the metadata.

It turned out that newer versions of Shibboleth can connect to mds.edugain.org; however, the following errors still prevent the metadata from being loaded directly.

No default namespace
There is no default namespace on the outer (root) element. That in itself is fine, but at least one entity is not correctly namespaced and assumes that the default namespace is urn:oasis:names:tc:SAML:2.0:metadata.

Solution: | perl -pe 's/(<(md:)?EntitiesDescriptor)/\1 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/;'

Invalid use of RoleDescriptor
The SAML Metadata Schema declares RoleDescriptor an abstract element (it is meant to be substituted by a concrete role such as IDPSSODescriptor, not used directly), whatever that means in practice. Shibboleth (2.0) cannot load an entity that contains such an element.

Solution: | perl -pe 's/.*RoleDescriptor.*//g;' At the time of writing, this only affects Fresco-AAI. For some unknown reason, the Fresco-AAI metadata is a one-liner (even after pretty printing), so the whole entity can be removed this way. If that were not the case, proper XSLT would be necessary.

Invalid extension of the schema
The GIdP entity contains an OnlineCA element, which is not a standard extension of the SAML schema.

Solution: | perl -pe 's/.*OnlineCA.*//g;' At the time of writing, this only affects GIdP. For some unknown reason, the GIdP metadata is a one-liner (even after pretty printing), so the whole entity can be removed this way. If that were not the case, proper XSLT would be necessary.
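The three fixes above (namespace, RoleDescriptor, OnlineCA, plus the cacheDuration removal) done on the parsed XML tree instead of with line-oriented regexes, as an added example that is not from the original page. It goes a little further than the perl pipeline: it drops only the offending elements rather than the whole entity, so the rest of a one-liner entity survives, and it does not care whether the input is pretty-printed. The sample metadata is constructed, and the OnlineCA namespace URI is a placeholder assumption.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # serialise with the md: prefix, fully namespaced

# Constructed sample: a clean entity, one with an abstract RoleDescriptor,
# one with a non-standard OnlineCA extension; cacheDuration on root and entity.
# The "urn:example:onlineca" namespace is a placeholder, not the real one.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:x="urn:example:onlineca" Name="constructed" cacheDuration="PT6H">
  <md:EntityDescriptor entityID="https://idp.example.org/idp" cacheDuration="PT1H">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://fresco.example.org">
    <md:RoleDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://gidp.example.org">
    <md:Extensions><x:OnlineCA url="https://gidp.example.org/ca"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _local(tag):
    """Local name of a '{namespace}name' tag."""
    return tag.rsplit("}", 1)[-1]


def sanitise(xml_text):
    """Remove RoleDescriptor elements, OnlineCA extensions and cacheDuration
    attributes. Like the perl pipeline, this invalidates any signature on the
    input, so trust has to come from the fetch (CA bundle), not the XML."""
    root = ET.fromstring(xml_text)
    parent_of = {c: p for p in root.iter() for c in p}
    for elem in list(root.iter()):
        elem.attrib.pop("cacheDuration", None)
        if _local(elem.tag) in ("RoleDescriptor", "OnlineCA"):
            parent_of[elem].remove(elem)
    # The schema does not allow an empty Extensions element, so drop any we emptied.
    for elem in list(root.iter()):
        if _local(elem.tag) == "Extensions" and len(elem) == 0:
            parent_of[elem].remove(elem)
    return ET.tostring(root, encoding="unicode")


def local_names(xml_text):
    """All element local names in document order (used to check the result)."""
    return [_local(e.tag) for e in ET.fromstring(xml_text).iter()]
```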