Hi Matthew,

I'm not sure if it's just your email client, or if it's in the actual file, but there seems to be an extraneous Unicode character just before your </rp:RelyingParty> that may not be visible in many editors/fonts.

Might be worth a try just deleting that.

John Gilbertson
Computing Services Department
The University of Liverpool

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Matthew Slowe
Sent: 13 February 2013 12:34
To: [log in to unmask]
Subject: Element 'RelyingParty' cannot have character [children]

I am trying to set up a new IdP from scratch... 

With 2.3.8 (and downgrading to 2.3.6), I am getting the following error while starting up:

12:27:12.317 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error creating components.  The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.3: Element 'rp:RelyingParty' cannot have character [children], because the type's content type is element-only.

I have added a manual RelyingParty element (for Office365) inside the <rp:RelyingPartyGroup> element:

    <!-- Microsoft Windows Azure AD -->
    <rp:RelyingParty id="urn:federation:MicrosoftOnline" 
                     provider="https://manasseh.kent.ac.uk/idp/a/shibboleth" 
                     defaultSigningCredentialRef="IdPCredential"
                      nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                     >
            <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
                                  signAssertions="conditional"
                                  encryptAssertions="never"
                                  encryptNameIds="never" />
    </rp:RelyingParty>

If I comment out the whole block then it's ok.

If I remove the ProfileConfiguration element and turn it into an "attribute only" thing (<rp:RelyingParty ... />) then it's ok.

All the examples say this should be ok ... and is ok on another of my IdPs.

Full copy of the relying-party.xml at http://pastebin.com/aVCrBjnK

I can't see the problem :( Please help...

-- 
Matthew Slowe
Server Infrastructure Team      e: [log in to unmask]
IS, University of Kent          t: +44 (0)1227 824265
Canterbury, UK                  w: www.kent.ac.uk
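
The check suggested in the reply above can be automated. The following is an added example, not part of the original thread or of Shibboleth: it reports every character other than XML whitespace (space, tab, CR, LF) found between the child elements of an element, which is what a schema validator rejects as character content in an element-only type. It assumes any element with child elements is element-only; the sample document, its `urn:example:rp` namespace and the choice of U+00A0 as the stray character are constructed for illustration.

```python
import sys
import unicodedata
import xml.etree.ElementTree as ET

XML_WHITESPACE = set(" \t\r\n")  # the only characters XML treats as whitespace

# Constructed sample: a no-break space (U+00A0) sits just before the closing
# RelyingParty tag. The namespace URI is a placeholder, not Shibboleth's.
SAMPLE = (
    '<rp:RelyingPartyGroup xmlns:rp="urn:example:rp">\n'
    '  <rp:RelyingParty id="urn:example:sp">\n'
    '    <rp:ProfileConfiguration signAssertions="conditional" />\n'
    '  \u00a0</rp:RelyingParty>\n'
    '</rp:RelyingPartyGroup>\n'
)


def stray_characters(xml_data):
    """Return (parent tag, code point, Unicode name) for each non-whitespace
    character found between the child elements of an element.

    Accepts str or bytes; bytes let the parser honour a BOM or an encoding
    declaration in the file.
    """
    findings = []
    root = ET.fromstring(xml_data)
    for parent in root.iter():
        children = list(parent)
        if not children:
            continue  # leaf elements may legitimately carry text
        # Text before the first child, then the text trailing each child.
        chunks = [parent.text or ""] + [child.tail or "" for child in children]
        for chunk in chunks:
            for ch in chunk:
                if ch not in XML_WHITESPACE:
                    findings.append((parent.tag, "U+%04X" % ord(ch),
                                     unicodedata.name(ch, "UNNAMED")))
    return findings


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for tag, code_point, name in stray_characters(data):
        print("%s: stray %s (%s)" % (tag, code_point, name))
```

Run it with the path to a configuration file as the only argument; no output means no stray characters were found.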