
namespace in metadata is fluctuating #968

Open
asta-tud-deploy opened this issue Jul 24, 2024 · 2 comments


asta-tud-deploy commented Jul 24, 2024

When using pysaml2 with djangosaml2, the namespaces in the created metadata at /saml2/metadata change randomly.

Code Version

Python3.11
pysaml2==7.5.0
Django==4.2.14
djangosaml2==1.9.3

Settings in Django:

## SAML settings 

LOGIN_REDIRECT_URL = "/details"
LOGIN_URL = '/saml2/login'
LOGOUT_REDIRECT_URL = "/logout/"
AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.ModelBackend', 'djangosaml2.backends.Saml2Backend']
SAML_ACS_FAILURE_RESPONSE_FUNCTION = 'app.views.failure'

SAML_SESSION_COOKIE_NAME = 'saml_session'
SESSION_COOKIE_SECURE = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SAML_CREATE_UNKNOWN_USER = True
SAML_USE_NAME_ID_AS_USERNAME = False
SAML_DJANGO_USER_MAIN_ATTRIBUTE = 'username'

import os  # os.getenv() is used throughout the settings below
from os import path
import saml2
import saml2.saml
import saml2.xmldsig  # provides SIG_RSA_SHA256 / DIGEST_SHA256 used in the sp section
BASEDIR = path.dirname(path.abspath(__file__))

#SAML2_IDPHINT_PARAM = 'idphint'
SAML_DEFAULT_BINDING = saml2.BINDING_HTTP_REDIRECT
SAML_LOGOUT_REQUEST_PREFERRED_BINDING = saml2.BINDING_HTTP_REDIRECT
## following are usually loaded from env, but copied it in for better understanding.
SAML_HOST_URL = '${PROTOCOL}://${DOMAIN}/saml2'
SAML_ENTITYID = 'https://sso.tu-darmstadt.de/idp'
SAML_IDP_URL = 'https://login.tu-darmstadt.de/idp'
SAML_METADATA_URL = 'https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-local-312-metadata.xml'


SAML_CONFIG = {
  # full path to the xmlsec1 binary program
  'xmlsec_binary': '/usr/bin/xmlsec1',

  # your entity id, usually your subdomain plus the url to the metadata view
  'entityid': SAML_HOST_URL + '/metadata/',

  # directory with attribute mapping
  'attribute_map_dir': path.join(BASEDIR, 'attribute-maps'),

  # Permits to have attributes not configured in attribute-mappings
  # otherwise...without OID will be rejected
  'allow_unknown_attributes': True,

  # this block states what services we provide
  'service': {
      'sp' : {
          'name': str(os.getenv('SAML_SYSTEM_NAME')),
          'name_id_format': saml2.saml.NAMEID_FORMAT_TRANSIENT,

          # For Okta add signed logout requests. Enable this:
          # "logout_requests_signed": True,

          'endpoints': {
              # url and binding to the assertion consumer service view
              # do not change the binding or service name
              'assertion_consumer_service': [
                  (SAML_HOST_URL + '/acs/',
                   saml2.BINDING_HTTP_POST),
                  ],
              # url and binding to the single logout service view
              # do not change the binding or service name
              'single_logout_service': [
                  # Disable next two lines for HTTP_REDIRECT for IDP's that only support HTTP_POST. Ex. Okta:
                  (SAML_HOST_URL + '/ls/',
                   saml2.BINDING_HTTP_REDIRECT),
                  (SAML_HOST_URL + '/ls/post',
                   saml2.BINDING_HTTP_POST),
                  ],
              },

          'signing_algorithm':  saml2.xmldsig.SIG_RSA_SHA256,
          'digest_algorithm':  saml2.xmldsig.DIGEST_SHA256,

           # Mandates that the identity provider MUST authenticate the
           # presenter directly rather than rely on a previous security context.
          'force_authn': False,

           # Enable AllowCreate in NameIDPolicy.
          'name_id_format_allow_create': True,

           # attributes that this project need to identify a user
          'required_attributes': ['urn:oid:2.5.4.42',
                                  'urn:oid:1.3.6.1.4.1.8301.4.2.1.2.1',
                                  'urn:oid:2.5.4.4'],


           # attributes that may be useful to have but not required
          'optional_attributes': [
              'urn:oid:0.9.2342.19200300.100.1.3',
          ],

          'want_response_signed': True,
          'authn_requests_signed': True,
          'logout_requests_signed': True,
          # Indicates that Authentication Responses to this SP must
          # be signed. If set to True, the SP will not consume
          # any SAML Responses that are not signed.
          'want_assertions_signed': True,

          'only_use_keys_in_metadata': True,

          # When set to true, the SP will consume unsolicited SAML
          # Responses, i.e. SAML Responses for which it has not sent
          # a respective SAML Authentication Request.
          'allow_unsolicited': False,

          # in this section the list of IdPs we talk to are defined
          # This is not mandatory! All the IdP available in the metadata will be considered instead.
          'idp': {
              # we do not need a WAYF service since there is
              # only an IdP defined here. This IdP should be
              # present in our metadata

              # the keys of this dictionary are entity ids
              SAML_ENTITYID + '/metadata': {
                  'single_sign_on_service': {
                      saml2.BINDING_HTTP_REDIRECT: SAML_IDP_URL + '/profile/SAML2/Redirect/SSO',
                      },
                  'single_logout_service': {
                      saml2.BINDING_HTTP_REDIRECT: SAML_IDP_URL + '/profile/SAML2/Redirect/SLO',
                      },
                  },
              },
          },
      },

  # where the remote metadata is stored, local, remote or mdq server.
  # One metadatastore or many ...
  'metadata': {
      'remote': [{"url": SAML_METADATA_URL },],
      #'remote': [{"url": "https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-local-312-metadata.xml"},],
      },

  # set to 1 to output debugging information
  'debug': 1,

  # Signing
  'key_file': path.join(BASEDIR, 'private.key'),  # private part
  'cert_file': path.join(BASEDIR, 'public.pem'),  # public part

  # Encryption
  'encryption_keypairs': [{
      'key_file': path.join(BASEDIR, 'private.key'),  # private part
      'cert_file': path.join(BASEDIR, 'public.pem'),  # public part
  }],

  # own metadata settings
  'contact_person': [
      {'given_name': str(os.getenv('SAML_CONTACT_FIRST_NAME')),
       'sur_name': str(os.getenv('SAML_CONTACT_NAME')),
       'company': str(os.getenv('SAML_CONTACT_ORGANIZATION')),
       'email_address': str(os.getenv('SAML_CONTACT_MAIL')),
       'contact_type': str(os.getenv('SAML_CONTACT_TYPE'))},
      ],
  # you can set multilanguage information here
  'organization': {
      'name': [(str(os.getenv('SAML_ORGANIZATION_NAME')), str(os.getenv('LANGUAGE')))],
      'display_name': [(str(os.getenv('SAML_ORGANIZATION_DISPLAY_NAME')), str(os.getenv('LANGUAGE')))],
      'url': [(str(os.getenv('SAML_ORGANIZATION_URL')), str(os.getenv('LANGUAGE')))],
      },
  }

# map saml attributes to user attributes
# most important: our username is the matriculation number
SAML_ATTRIBUTE_MAPPING = {
    str(os.getenv('SAML_ATTRIBUTE_MAPPING_USERNAME')): ('username', ),
    str(os.getenv('SAML_ATTRIBUTE_MAPPING_EMAIL')): ('email', ),
    str(os.getenv('SAML_ATTRIBUTE_MAPPING_FIRST_NAME')): ('first_name', ),
    str(os.getenv('SAML_ATTRIBUTE_MAPPING_LAST_NAME')): ('last_name', ),
}

IDP-Metadata: https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-local-312-metadata.xml
Entityid-Metadata: https://sso.tu-darmstadt.de/idp/metadata

Expected Behavior

The namespace does not change.
This is a problem because our IDP imports our metadata regularly and the namespace change causes the alerting to go off...

Current Behavior

The namespaces change randomly between md: and nsX:, sometimes with every reload, but only after the first time somebody logged in (before that, it stays as nsX:).

Here are the two different types:

<md:EntityDescriptor entityID="https://9euro.asta.tu-darmstadt.de/saml2/metadata/">
<md:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</md:Extensions>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://9euro.asta.tu-darmstadt.de/saml2/ls/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://9euro.asta.tu-darmstadt.de/saml2/ls/post"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://9euro.asta.tu-darmstadt.de/saml2/acs/" index="1"/>
<md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="en"/>
<md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.8301.4.2.1.2.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>

2nd option:

<ns0:EntityDescriptor entityID="https://9euro.asta.tu-darmstadt.de/saml2/metadata/">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://9euro.asta.tu-darmstadt.de/saml2/ls/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://9euro.asta.tu-darmstadt.de/saml2/ls/post"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://9euro.asta.tu-darmstadt.de/saml2/acs/" index="1"/>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.8301.4.2.1.2.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
</ns0:AttributeConsumingService>
</ns0:SPSSODescriptor>

Steps to Reproduce

Here is a link, just reload it for a couple of times:
https://9euro.asta.tu-darmstadt.de/saml2/metadata/

Any ideas or hints?

Thanks in advance :)
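Since the two renderings above differ only in namespace prefixes (md:/ds: versus ns0:/ns2:), a metadata monitor that compares by namespace URI rather than by raw bytes stays quiet on prefix churn but still fires on a real change such as a rotated certificate. The following check is an added example, not code from the issue or from pysaml2/djangosaml2; the metadata snippets are constructed and abbreviated, and the certificate strings are placeholders.

```python
"""Compare SAML SP metadata by namespace URI instead of prefix (md:/ds: vs ns0:/ns2:)."""
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def render(m: str, d: str, cert: str = "MIIB...constructed-placeholder...") -> str:
    """Constructed, abbreviated SP metadata with configurable prefixes (not live metadata)."""
    return (
        f'<{m}:EntityDescriptor xmlns:{m}="{MD_NS}" xmlns:{d}="{DS_NS}" '
        f'entityID="https://sp.example/saml2/metadata/">'
        f'<{m}:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'AuthnRequestsSigned="true" WantAssertionsSigned="true">'
        f'<{m}:KeyDescriptor use="signing"><{d}:KeyInfo><{d}:X509Data>'
        f'<{d}:X509Certificate>{cert}</{d}:X509Certificate>'
        f'</{d}:X509Data></{d}:KeyInfo></{m}:KeyDescriptor>'
        f'<{m}:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="https://sp.example/saml2/acs/" index="1"/>'
        f'</{m}:SPSSODescriptor></{m}:EntityDescriptor>'
    )

METADATA_MD = render("md", "ds")         # shape of the first rendering in the issue
METADATA_NS0 = render("ns0", "ns2")      # shape of the second rendering in the issue
METADATA_ROTATED = render("md", "ds", cert="MIIC...rotated-placeholder...")  # a real change

def normalize(elem: ET.Element) -> tuple:
    """Reduce an element to a prefix-independent tuple: ElementTree stores tags as
    '{namespace-uri}local', so md:EntityDescriptor and ns0:EntityDescriptor compare equal."""
    return (
        elem.tag,
        tuple(sorted(elem.attrib.items())),
        (elem.text or "").strip(),
        tuple(normalize(child) for child in elem),
    )

def metadata_equivalent(xml_a: str, xml_b: str) -> bool:
    """True when both documents describe the same entity, whatever prefixes they use."""
    return normalize(ET.fromstring(xml_a)) == normalize(ET.fromstring(xml_b))

def metadata_fingerprint(xml_doc: str) -> str:
    """Stable digest for change monitoring: unchanged across prefix churn, changed by
    any real difference such as a rotated certificate or a new endpoint."""
    return hashlib.sha256(repr(normalize(ET.fromstring(xml_doc))).encode()).hexdigest()

if __name__ == "__main__":
    print("semantically equal:", metadata_equivalent(METADATA_MD, METADATA_NS0))      # True
    print("rotated cert detected:", not metadata_equivalent(METADATA_MD, METADATA_ROTATED))  # True
```

Feeding the fetched /saml2/metadata/ document to metadata_fingerprint() on each import and alerting only when the digest changes removes the false alarms while keeping the alert for genuine key or endpoint changes.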


asta-tud-deploy commented Jul 25, 2024

False positive, still happening -> reopening.
Should have tested more than 10 times... /o\
