Wednesday, November 18, 2015


The full description is "MSIS7527: The metadata does not contain the roles descriptors needed for the entity to be configured as a relying party trust".

I was trying to set up a RP trust with some metadata to another STS when I got this.

Examination of the metadata showed that there was no SPSSODescriptor in the metadata.

This contains things like whether the assertions should be signed, the location of the SingleLogoutService, the location of the AssertionConsumerService, the NameIDFormat etc.

Ended up having to configure the RP manually which is a PIA because then you have to get the signing certificate etc. etc. which is exactly the pain that the metadata is supposed to solve.

I imagine you would get a similar error if the metadata didn't contain the IDPSSODescriptor.


Pondering on this, I realised that these two descriptors are only for SAML 2.0 federation. This particular STS only supports WS-Federation.

The metadata was missing the

RoleDescriptor xsi:type="fed:ApplicationServiceType" 


This tells ADFS that WS-Federation is supported. Since this was missing, ADFS fell back to SAML but then couldn't find either of the two Descriptors hence the error.


No comments: