SAML2 metadata that is signed at various elements is not working. In fact, if the signing does not sign the metadata at the <EntityDescriptor> level, the import of the signed metadata fails.
You can use the following to create a sample test.
The difference with this one is that it signs the metadata at the SPSSODescriptor/IDPSSODescriptor level and not at the top level, which some SAML2 implementations (and also AM) assume.
Various elements in a metadata instance can be digitally signed (as indicated by the element's inclusion of a <ds:Signature> element), with the following benefits:
• Metadata integrity
• Authentication of the metadata by a trusted signer
A digital signature is not always required, for example if the relying party obtains the information directly from the publishing entity (with no intermediaries) through a secure channel, with the entity having authenticated to the relying party by some means other than a digital signature.
At this moment the following error happens (as the ID attribute does not exist):
Even if we add an ID attribute to the EntityDescriptor, it may still fail to validate when the signed elements are checked.
- Generate an unsigned SAML2 metadata document
- Sign it using http://xacmlinfo.org/2014/04/10/how-to-saml-generating-signature-for-saml-metadata/ (use the AM keystore so that we do not need to bother with the AM keystore later)
- Try to import the signed metadata (to see if it works)
- Observe the import issues
- Remove the Signature block from the metadata
- XML validation for ID is not working for other attributes.
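As an added example (not code from this report or from AM), the following Python script walks a metadata document, finds every ds:Signature, and reports which element carries it and whether its Reference URI resolves to an element with a matching ID attribute. The sample metadata is constructed, with a placeholder entityID and an empty SignatureValue; an importer that only looks for a Signature directly under EntityDescriptor misses the descriptor-level case it shows.

```python
"""Locate ds:Signature elements in SAML 2.0 metadata and report what each
one signs. Added example; the sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the signature sits on the IDPSSODescriptor, which is
# the placement the report says the importer rejects. Placeholder values.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" xmlns:ds="{NS_DS}"
    entityID="https://idp.example.test/placeholder">
  <md:IDPSSODescriptor ID="_idp1"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_idp1"/>
      </ds:SignedInfo>
      <ds:SignatureValue/>
    </ds:Signature>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def locate_signatures(xml_text):
    """Return one record per ds:Signature: the element it is enveloped in,
    its Reference URI, and whether that URI resolves via an ID attribute."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    # The SAML metadata schema declares the signable attribute as "ID";
    # a validator that only knows other attribute names will not find it.
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    results = []
    for sig in root.iter(f"{{{NS_DS}}}Signature"):
        signed = parent[sig]
        ref = sig.find(f"{{{NS_DS}}}SignedInfo/{{{NS_DS}}}Reference")
        uri = ref.get("URI", "") if ref is not None else ""
        # URI="" means the whole document; "#x" must resolve to ID="x".
        target = root if uri == "" else (by_id.get(uri[1:]) if uri.startswith("#") else None)
        results.append({
            "signed_element": local_name(signed.tag),
            "reference_uri": uri,
            "reference_resolves": target is not None,
            "reference_matches_parent": target is signed,
            "entity_level": signed is root,
        })
    return results


if __name__ == "__main__":
    for rec in locate_signatures(SAMPLE_METADATA):
        print(rec)
```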