I'm working on integrating a Splunk Cloud instance with a Shibboleth IdP, and I immediately ran into a problem. When trying to import the IdP's metadata into Splunk, I was getting:
Unable to parse the payload received as a part of idp metadata file or xml.
While I'd assume there's more detail logged somewhere, you don't get shell access with Splunk Cloud, so that one line was all I had to go on. Going line by line through the sample IdP metadata file at https://www.splunk.com/blog/2013/03/28/splunkweb-sso-samlv2.html, I finally found the issue: the KeyDescriptor element has to have its use attribute set to signing, and the KeyInfo element has to carry the namespace declaration xmlns:ds="http://www.w3.org/2000/09/xmldsig#" itself. Note that the SAML 2.0 metadata schema makes use optional (an absent use means the key is valid for both signing and encryption), so an IdP that omits it is not wrong; Splunk's importer is simply stricter than the spec. So in my original metadata:
<EntityDescriptor ...>
  <IDPSSODescriptor ...>
    <KeyDescriptor>
      <ds:KeyInfo>
        ...
      </ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
Becomes:
<EntityDescriptor ...>
  <IDPSSODescriptor ...>
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        ...
      </ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
...and now Splunk will happily import it.
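Since Splunk Cloud gives you nothing but that one error line, it is worth checking a metadata file for both conditions before uploading it. The following pre-flight script is an added example, not code from the original post or from Splunk or Shibboleth; it uses only the Python standard library (xml.dom.minidom, which keeps xmlns declarations as attributes on the element that declares them, so it can tell whether KeyInfo declares the prefix itself or merely inherits it from an ancestor). The sample metadata embedded in it is constructed to mirror the "before" shape above, with a placeholder certificate and made-up example.org URLs. It deliberately only adds use="signing" to KeyDescriptor elements that have no use attribute at all: a KeyDescriptor explicitly marked use="encryption" is a different key and should not be relabelled.

```python
"""Pre-flight check for Shibboleth IdP metadata before uploading it to Splunk.

Reports (and optionally fixes) the two things the post found Splunk's importer
insists on: KeyDescriptor must carry use="signing", and ds:KeyInfo must itself
declare xmlns:ds="http://www.w3.org/2000/09/xmldsig#".  Standard library only.
"""
import sys
from xml.dom import minidom

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _ns_decl_name(element):
    """Name of the xmlns attribute that would bind this element's own prefix."""
    return f"xmlns:{element.prefix}" if element.prefix else "xmlns"


def find_problems(xml_text):
    """Return a list of human-readable problems Splunk's importer would reject."""
    doc = minidom.parseString(xml_text)
    descriptors = doc.getElementsByTagNameNS(MD_NS, "IDPSSODescriptor")
    if not descriptors:
        return ["no IDPSSODescriptor element found"]
    problems = []
    for idp in descriptors:
        key_descs = idp.getElementsByTagNameNS(MD_NS, "KeyDescriptor")
        if not key_descs:
            problems.append("IDPSSODescriptor has no KeyDescriptor")
        for i, kd in enumerate(key_descs):
            use = kd.getAttribute("use")  # "" when the attribute is absent
            if use != "signing":
                problems.append(f"KeyDescriptor[{i}] use={use!r}, expected 'signing'")
            # Namespace-aware lookup: matches the element whatever prefix it uses.
            for ki in kd.getElementsByTagNameNS(DS_NS, "KeyInfo"):
                decl = _ns_decl_name(ki)
                # minidom only records an xmlns attribute on the element that
                # declares it, so an inherited binding shows up as "" here.
                if ki.getAttribute(decl) != DS_NS:
                    problems.append(f"KeyDescriptor[{i}] KeyInfo lacks {decl}={DS_NS!r}")
    return problems


def fix_metadata(xml_text):
    """Return the metadata rewritten so that find_problems() reports nothing."""
    doc = minidom.parseString(xml_text)
    for idp in doc.getElementsByTagNameNS(MD_NS, "IDPSSODescriptor"):
        for kd in idp.getElementsByTagNameNS(MD_NS, "KeyDescriptor"):
            # Only label keys that carry no use at all (spec: usable for both).
            # An explicit use="encryption" key is left alone on purpose.
            if not kd.hasAttribute("use"):
                kd.setAttribute("use", "signing")
            for ki in kd.getElementsByTagNameNS(DS_NS, "KeyInfo"):
                decl = _ns_decl_name(ki)
                if ki.getAttribute(decl) != DS_NS:
                    ki.setAttribute(decl, DS_NS)  # declare it on KeyInfo itself
    return doc.toxml()


# Constructed sample: the "before" shape from the post.  The ds prefix is bound
# on the root, which is well-formed XML but still not what Splunk accepts.
# Certificate and URLs are placeholders, not real values.
SAMPLE_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py [idp-metadata.xml] [--fix]
    # With no file argument the embedded sample is checked.
    paths = [a for a in sys.argv[1:] if a != "--fix"]
    text = open(paths[0], encoding="utf-8").read() if paths else SAMPLE_BEFORE
    for problem in find_problems(text):
        print("PROBLEM:", problem)
    if "--fix" in sys.argv:
        sys.stdout.write(fix_metadata(text))
```

Run it against the file you downloaded from the IdP; if it prints nothing, the two conditions from the post are satisfied. With --fix it writes the corrected metadata to stdout, which you can then paste into Splunk's SAML configuration.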