Identity Providers based on ADFS can contain extensions in their metadata that by default are not validated by Shibboleth Service Provider. This means that SWAMID metadata will not automatically be validated by Shibboleth SP unless you add support for some schemas used by Microsoft.

Add ws-* extensions validation to Shibboleth SP

  1. Download all schema files starting with "ws-" from https://git.swamid.se/?p=swamid-metadata.git;a=tree;f=schema;hb=HEAD and put them in the folder ${install_prefix}/share/xml/shibboleth/. The ws-* files are 2017-09-18
  2. Add configuration in ${install_prefix}/share/xml/shibboleth/catalog.xml for downloaded schemas.

        <system systemId="http://docs.oasis-open.org/wsfed/authorization/200706" uri="@-PKGXMLDIR-@/ws-authorization.xsd"/>
        <system systemId="http://docs.oasis-open.org/wsfed/federation/200706" uri="@-PKGXMLDIR-@/ws-federation.xsd"/>

    Note: ws-addr.xsd and ws-securitypolicy-1.2.xsd are loaded automatically due to that ther are referenced in ws-authorization.xsd or ws-federation.xsd.

  3. Restart Shibboleth SP to activate the new schemas.