How to Correct Microsoft IdP SAML Metadata for Nexus Applications

When uploading SAML metadata from a Microsoft Identity Provider (IdP), e.g. Azure AD or ADFS, to either Nexus Repository Manager 3 (NXRM 3) or Nexus IQ Server, you may see one of the following errors:

Invalid SAML metadata: cvc-elt.4.2: Cannot resolve 'fed:SecurityTokenServiceType' to a type definition for element 'RoleDescriptor'
Invalid SAML metadata: cvc-elt.4.2: Cannot resolve 'fed:ApplicationServiceType' to a type definition for element 'RoleDescriptor'

This is a known issue: the federation metadata generated by Microsoft IdPs contains WS-Federation elements that are not part of the standard SAML 2.0 metadata schema, so schema validation of the uploaded file fails with the cvc-elt.4.2 errors shown above.

To correct this, amend the metadata by removing the sections listed in the following table. After making these changes, save the updated metadata and re-upload it to NXRM 3 or IQ Server:

Description | Section starts with… | Section ends with…
Metadata document signature | <Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | </Signature>
WS-Trust & WS-Federation application service metadata | <RoleDescriptor xsi:type="fed:ApplicationServiceType" | </RoleDescriptor>
WS-Trust & WS-Federation security token service metadata | <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" | </RoleDescriptor>
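The same removal can be done with a short script instead of editing the file by hand, which avoids accidentally cutting the IDPSSODescriptor or its signing certificate. The following is an added example, not code from Sonatype or Microsoft; the embedded metadata is a constructed, abbreviated stand-in for a real FederationMetadata.xml and the entityID and URLs in it are placeholders.

```python
"""Strip the document signature and the WS-Federation RoleDescriptor sections from Microsoft IdP metadata (added example)."""
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Keep conventional prefixes on output instead of ElementTree's ns0/ns1.
for prefix, uri in (("md", MD), ("ds", DS), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)

# Local parts of the xsi:type values from the table above.
WS_FED_ROLE_TYPES = {"ApplicationServiceType", "SecurityTokenServiceType"}

def strip_ws_federation(metadata_xml: str) -> str:
    """Return metadata with <Signature> and the fed:* RoleDescriptor elements removed."""
    root = ET.fromstring(metadata_xml)
    for child in list(root):  # copy: we mutate root while iterating
        if child.tag == f"{{{DS}}}Signature":
            root.remove(child)
        elif child.tag == f"{{{MD}}}RoleDescriptor":
            # The value is prefixed (fed:...), so compare the local part only.
            xsi_type = child.get(f"{{{XSI}}}type", "").split(":")[-1]
            if xsi_type in WS_FED_ROLE_TYPES:
                root.remove(child)
    return ET.tostring(root, encoding="unicode")

def top_level_elements(metadata_xml: str) -> list:
    """Local names of the root's children, handy for checking the result."""
    return [c.tag.split("}")[-1] for c in ET.fromstring(metadata_xml)]

# Constructed, abbreviated stand-in for real ADFS/Azure AD metadata.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  entityID="https://idp.example.test/adfs/services/trust">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/></Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"/>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":  # usage: python strip_wsfed.py FederationMetadata.xml
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(strip_ws_federation(source))
```

Because the document signature is removed, the edited file can no longer be verified against the IdP's signing key, so download the original metadata over HTTPS directly from the IdP and run the script on that copy rather than on a file received by other means.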

Reference: Step 4 of https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff849212(v=ws.10)?redirectedfrom=MSDN#to-create-a-new-trusted-provider-using-metadata