fedtools / adfstoolkit

Powershell scripts used to handle SAML2 multi-lateral federation aggregates
Apache License 2.0

Problem with metadata import - signing cert #58

Open jacek-swiatowiak opened 3 years ago

jacek-swiatowiak commented 3 years ago

Problem with metadata import

I think there is a thumbprint misconfiguration

7/4/2021 1:48:12 PM: Setting CachedMetadataFile to: C:\ADFSToolkit\cache\LAN-NET ADFS-metadata.cached.xml
7/4/2021 1:48:12 PM: Metadata file size is 70497
Write-ADFSTkVerboseLog : A parameter cannot be found that matches parameter name 'MajorFault'.
At C:\Program Files\WindowsPowerShell\Modules\ADFSToolkit\2.0.1\Private\Verify-ADFSTkSigningCert.ps1:14 char:90

teamktown commented 3 years ago

Thanks for the report. It will help to provide the metadata file (or url to it) being used along with your configuration. ADFSToolkit will not ingest/process an aggregate that is not signed or not properly structured.

ADFSToolkit also does not yet have formal support for MDQ, so it will not validate an MDQ endpoint. With a byte size of 70497 it is unlikely this is an MDQ problem.

Have you verified that the XML metadata aggregate being used is signed?

Thank you.

jacek-swiatowiak commented 3 years ago

I'm not sure if I'm doing everything in the correct order.

I used the cmdlet New-ADFSTkInstitutionConfiguration, and it creates a file.

This is ADFS 2019 with self-signed certificates used for signing and encrypting claims.

[screenshot: error]

jacek-swiatowiak commented 3 years ago

Here is a screenshot from this XML file:

[screenshot: error-02]

jacek-swiatowiak commented 3 years ago

There is a file in the folder

C:\ADFSToolkit\cache\LAN-NET ADFS-metadata.cached.xml

[screenshot: error-03]

teamktown commented 3 years ago

Thank you, this helps. From what you provided, it appears you are using your metadata url to attempt to trust yourself. ADFSToolkit is an add-on to ADFS and then assists importing/ingesting metadata from a federation aggregate that contains relying parties to add into ADFS.

The URL for metadata you provided appears to be your ADFS instance's own metadata, not a federation aggregate, and that's why it cannot validate it. It is not a supported or desired use case for ADFSToolkit to self-ingest an ADFS server's metadata aggregate.

For instance, instead of using your sts.lan.net.pl metadata URL for your ADFS server, you would use Poland's PIONIER aggregate at 'http://aai.pionier.net.pl/pionierid.xml', as seen here: https://aai.pionier.net.pl/en/index.php?page=technical, together with its fingerprint (likely the SHA256 one).

The ADFSToolkit team has not connected with the Poland federation to see if they support this configuration however.

Where to next:

Thanks!

jacek-swiatowiak commented 3 years ago

Hello

Thanks. Now I've got what's going on.

A few Polish universities are now trying to connect to eduGAIN/Erasmus+ federation services.

And these universities use ADFS (2016/2019) in their internal environment.

So (this configuration) is only for testing now, but next week we will try to configure a production environment for one Polish maritime university:

https://umg.edu.pl/

Their ADFS is working now, and the access to eduGAIN is also done. UMG will at the beginning be an identity provider (local Active Directory, for students and staff).

Kind regards, Jacek Światowiak | IT Systems Architect | APN Promise S.A. | ul. Domaniewska 44a, 02-672 Warszawa | mobile +48 602 277 248 | tel. +4822 35 51 618 | fax +4822 35 51 699


teamktown commented 3 years ago

Good to know. Also, if you have some default settings for the Poland configuration, please pass them on to us. They can be added into the federation-defaults repository https://github.com/fedtools/federation-settings, which can apply some of the settings automatically and make it much easier.

Sounds like the issue is resolved or at least better understood; we will consider it closed if there are no further comments.

jacek-swiatowiak commented 3 years ago

Not quite because now I've got another error

Attribute Memory Cache cleared!
7/4/2021 4:00:39 PM: Import-ADFSTkMetadata path: C:\Program Files\WindowsPowerShell\Modules\ADFSToolkit\2.0.1
7/4/2021 4:00:39 PM: Setting SPHashFile to: C:\ADFSToolkit\cache\Pionier.Id-SPHashfile.xml
7/4/2021 4:00:39 PM: Setting CachedMetadataFile to: C:\ADFSToolkit\cache\Pionier.Id-metadata.cached.xml
7/4/2021 4:00:44 PM: Metadata file size is 67058099
7/4/2021 4:00:44 PM: Comparing aggregate certificate hash of: 49873646B28C05123F6409E1EF5E15D423CB6399977D4529761946CD74371AE5 to 49873646B28C05123F6409E1EF5E15D423CB6399977D4529761946CD74371AE5
No SP's found!
At C:\Program Files\WindowsPowerShell\Modules\ADFSToolkit\2.0.1\Private\Write-ADFSTkLog.ps1:270 char:28
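The two failure modes in this thread (pointing the toolkit at a single ADFS server's own FederationMetadata.xml instead of a federation aggregate, and an aggregate whose signing-certificate fingerprint matches but which yields no SPs) are both things you can pre-check before running Import-ADFSTkMetadata. The PowerShell below is an added example written for this page; it is not ADFSToolkit code and does not reproduce how the toolkit itself validates aggregates. It inspects a metadata file's root element, extracts the certificate from the enveloped XML signature, computes its SHA-256 fingerprint (SHA-256 over the DER bytes, the same value a federation publishes on its technical page) and counts entities that carry an SPSSODescriptor. The sample XML documents, the fake base64 certificate inside them and the expected fingerprint are constructed for the demo, so the fingerprint will not match and the signature cannot be verified for the sample; run it against a real aggregate and the fingerprint from the federation's technical page to get a meaningful result.

```powershell
# Added example (not ADFSToolkit's own code): sanity-check a SAML2 metadata file
# before importing it. Works on Windows PowerShell 5.1 (System.Security assembly).

function Test-SamlMetadataAggregate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Xml,                 # metadata document as a string
        [Parameter(Mandatory)] [string] $ExpectedFingerprint  # SHA-256 hex from the federation's tech page
    )

    [xml] $doc = $Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $root = $doc.DocumentElement

    $r = [ordered]@{
        RootElement        = $root.LocalName
        # A federation aggregate wraps many entities in <EntitiesDescriptor>;
        # an ADFS server's own FederationMetadata.xml has a single <EntityDescriptor> root.
        IsAggregate        = ($root.LocalName -eq 'EntitiesDescriptor' -and
                              $root.NamespaceURI -eq 'urn:oasis:names:tc:SAML:2.0:metadata')
        IsSigned           = $false
        SigningCertSha256  = $null
        FingerprintMatches = $false
        SignatureValid     = $null   # $true/$false once checked; $null if it could not be checked
        EntityCount        = $root.SelectNodes('.//md:EntityDescriptor', $ns).Count
        SpCount            = $root.SelectNodes('.//md:EntityDescriptor[md:SPSSODescriptor]', $ns).Count
    }

    # The aggregate signature is an enveloped ds:Signature directly under the root.
    $sig = $root.SelectSingleNode('ds:Signature', $ns)
    $certNode = if ($sig) { $sig.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) }
    if ($sig -and $certNode) {
        $r.IsSigned = $true
        $der = [Convert]::FromBase64String(($certNode.InnerText -replace '\s', ''))

        # SHA-256 "thumbprint" is simply SHA-256 over the DER-encoded certificate.
        $hex = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($der) |
                ForEach-Object { $_.ToString('X2') }) -join ''
        $r.SigningCertSha256  = $hex
        $r.FingerprintMatches = ($hex -eq (($ExpectedFingerprint -replace '[:\s]', '').ToUpperInvariant()))

        # A fingerprint match only says which cert the file *claims*; the signature itself
        # must verify with that cert, otherwise anyone could paste the real cert into KeyInfo.
        try {
            Add-Type -AssemblyName System.Security -ErrorAction Stop
            $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            $signed = [System.Security.Cryptography.Xml.SignedXml]::new($doc)
            $signed.LoadXml($sig)
            $r.SignatureValid = $signed.CheckSignature($cert, $true)
        } catch {
            $r.SignatureValid = $null   # cert bytes did not parse or assembly unavailable
        }
    }
    [pscustomobject] $r
}

# ---- Constructed samples (not real metadata; the cert blob is fake) ----
$fakeCert = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('constructed-not-a-real-certificate'))

$aggregateSample = @"
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example:constructed-federation">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/><SignatureValue>AAAA</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>$fakeCert</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <EntityDescriptor entityID="https://idp.example.edu/idp"><IDPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.edu/shibboleth"><SPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>
"@

# What an ADFS server's own FederationMetadata.xml looks like structurally: single-entity root.
$selfMetadataSample = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sts.example.local/adfs/services/trust">
  <IDPSSODescriptor/><SPSSODescriptor/>
</EntityDescriptor>
"@

$expected = '0000000000000000000000000000000000000000000000000000000000000000'  # constructed placeholder
Test-SamlMetadataAggregate -Xml $aggregateSample    -ExpectedFingerprint $expected | Format-List
Test-SamlMetadataAggregate -Xml $selfMetadataSample -ExpectedFingerprint $expected | Format-List
```

For the first sample the report shows IsAggregate true, IsSigned true, SpCount 1, FingerprintMatches false (the placeholder fingerprint) and SignatureValid null (the fake blob is not a certificate); for the second it shows RootElement EntityDescriptor and IsAggregate false, which is the "trying to trust yourself" situation from earlier in the thread. Against a real aggregate such as the one downloaded to C:\ADFSToolkit\cache, read the file with Get-Content -Raw and pass the SHA-256 fingerprint the federation publishes; only treat the aggregate as trustworthy when FingerprintMatches and SignatureValid are both true. A matching fingerprint with SpCount 0 means the file is authentic but contains no SP entities to import, which is worth confirming separately from any toolkit error.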

jacek-swiatowiak commented 3 years ago

On the PIONIER site there is some useful information:

https://aai.pionier.net.pl/index.php?page=techniczne