When uploading SAML metadata from a Microsoft Identity Provider (IdP), e.g. Azure AD or ADFS, to either Nexus Repository Manager 3 (NXRM 3) or Nexus IQ Server, you may see one of the following errors:
Invalid SAML metadata: cvc-elt.4.2: Cannot resolve 'fed:SecurityTokenServiceType' to a type definition for element 'RoleDescriptor'
Invalid SAML metadata: cvc-elt.4.2: Cannot resolve 'fed:ApplicationServiceType' to a type definition for element 'RoleDescriptor'
This is a known issue with Microsoft IdPs generating non-standard SAML metadata: their federation metadata includes WS-Federation role descriptors (the `fed:` `xsi:type` values named in the errors above) that are not part of the SAML 2.0 metadata schema, so schema validation of the document fails.
To correct this, amend the metadata by removing the sections listed in the following table. After making these changes, save the updated metadata and re-upload it to NXRM 3 or IQ Server:
Description | Section starts with… | Section ends with… |
---|---|---|
Metadata document signature | `<Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">` | `</Signature>` |
WS-Trust & WS-Federation application service metadata | `<RoleDescriptor xsi:type="fed:ApplicationServiceType"` | `</RoleDescriptor>` |
WS-Trust & WS-Federation security token service metadata | `<RoleDescriptor xsi:type="fed:SecurityTokenServiceType"` | `</RoleDescriptor>` |
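The removals in the table can be done by hand, but a script is less error-prone on a large export and makes it easy to confirm that the `IDPSSODescriptor` (the part Nexus actually needs) survived. The following is an added example, not Sonatype's or Microsoft's code. It parses the metadata with Python's standard `xml.etree.ElementTree`, drops the document-level `Signature` and every `RoleDescriptor` whose `xsi:type` is one of the two WS-Federation types from the error messages, and refuses to emit a document with no `IDPSSODescriptor`. The sample metadata is constructed to mirror the shape of an Azure AD export (tenant id, certificate and signature values are placeholders), and the `fed` namespace URI is assumed to be the one Microsoft binds in its metadata. Because the document signature is removed, the cleaned file no longer carries an integrity proof: fetch the original directly from the IdP over TLS and keep it alongside the edited copy.

```python
"""Strip the WS-Federation sections that make Nexus reject Microsoft IdP metadata.

Added example (not Sonatype code). Assumes the metadata is a single
EntityDescriptor document as exported by Azure AD or ADFS.
"""
import sys
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_FED = "http://docs.oasis-open.org/wsfed/federation/200706"  # assumption: check your export
XSI_TYPE = "{%s}type" % NS_XSI

# The xsi:type values named in the Nexus error messages. Everything else,
# the IDPSSODescriptor in particular, must be preserved.
FED_ROLE_TYPES = {"fed:ApplicationServiceType", "fed:SecurityTokenServiceType"}

# Keep the usual prefixes on output instead of ElementTree's generated ns0/ns1.
for _prefix, _uri in (("md", NS_MD), ("ds", NS_DS), ("xsi", NS_XSI), ("fed", NS_FED)):
    ET.register_namespace(_prefix, _uri)


def local_name(tag):
    """'{uri}Name' -> 'Name'; unqualified tags are returned unchanged."""
    return tag.rsplit("}", 1)[-1]


def strip_fed_sections(metadata_xml):
    """Return (cleaned_xml, removed), where removed describes each dropped section.

    Drops the document signature (a Signature element that is a direct child of
    EntityDescriptor) and every RoleDescriptor whose xsi:type is in FED_ROLE_TYPES.
    Matching is on local name so it works whether the prefix form is
    <Signature xmlns:ds=...> or <Signature xmlns=...>.
    """
    root = ET.fromstring(metadata_xml)
    # ElementTree has no parent pointers; build the map once before mutating.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    doomed = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name == "Signature" and parent_of.get(elem) is root:
            doomed.append((elem, "document signature"))
        elif name == "RoleDescriptor" and elem.get(XSI_TYPE) in FED_ROLE_TYPES:
            doomed.append((elem, "RoleDescriptor %s" % elem.get(XSI_TYPE)))
    for elem, _ in doomed:
        parent_of[elem].remove(elem)
    return ET.tostring(root, encoding="unicode"), [why for _, why in doomed]


def has_idp_sso_descriptor(metadata_xml):
    """Pre-upload check: the SAML 2.0 IdP role must still be present."""
    root = ET.fromstring(metadata_xml)
    return any(local_name(e.tag) == "IDPSSODescriptor" for e in root)


# Constructed sample in the shape of an Azure AD export; not real tenant data.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></SignedInfo>
    <SignatureValue>CONSTRUCTED-SIGNATURE</SignatureValue>
  </Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    # Usage: python strip_fed.py [federationmetadata.xml] > cleaned.xml
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    cleaned, removed = strip_fed_sections(src)
    if not has_idp_sso_descriptor(cleaned):
        sys.exit("no IDPSSODescriptor left; refusing to emit metadata Nexus cannot use")
    for why in removed:
        print("removed:", why, file=sys.stderr)
    print(cleaned)
```

Run it with the downloaded metadata file as the only argument and redirect stdout to a new file; the list of removed sections goes to stderr so it does not end up in the upload. Review the cleaned file once before uploading: the only role element remaining at the top level should be the `IDPSSODescriptor` with its signing `KeyDescriptor` and `SingleSignOnService` endpoints.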