An exception was encountered while unmarshalling the metadata document

Article ID: 24734


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Using smfedimport to import a partner's IdP metadata gives the error "An exception was encountered while unmarshalling the metadata document". smfedimport gave errors and would not create the auth scheme.

The first error we encountered was:

E:\Certificates>smfedimport -type saml2idp -username siteminder -password siteminder -entityid https://www.example.com/saml20 -name "metadata" -importkeys client -input metadata.xml
About to import SAML2 Auth Scheme .....
DefaultValidationEventHandler: [ERROR]: Unexpected element
{urn:oasis:names:tc:SAML:2.0:metadata}:EncryptionMethod
Location:
ERROR: An exception was encountered while unmarshalling the metadata document

To get around this problem, we deleted the EncryptionMethod element from the document.

After deleting the element, we ran the tool again and this time received the following error:

E:\Certificates>smfedimport -type saml2idp -username siteminder -password siteminder -entityid https://www.example.com/saml20 -name "metadata" -importkeys gcssafclient -input metadata.xml
About to import SAML2 Auth Scheme .....
WARNING: Skipping Single SignOn Service URL
https://www.example.com/saml20/login; the binding
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact is unsupported.

 

Environment

Release:
Component: FEDMA

Resolution

The input XML is invalid. This can be confirmed by validating the input XML file against the metadata schema using an XML validator tool.
During validation, an error such as the following is reported:

"EncryptionMethod" is not allowed immediately under "KeyDescriptor" element. "EncryptionMethod" element must come after "keyInfo" element.

SiteMinder supports only "Redirect" or "SOAP" as SSO bindings. The XML was imported successfully after making the following changes:

  1. Move the "EncryptionMethod" element after the "KeyInfo" element. The XML was invalid: EncryptionMethod was in the wrong place according to the XML Schema. SiteMinder reports "the binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact is unsupported." because HTTP-Artifact is not a supported binding.

  2. Change the SingleSignOnService binding from "HTTP-Artifact" to "HTTP-Redirect".

    For the SSO service we support 2 bindings for accepting an AuthnRequest: HTTP-Redirect and SOAP (for ECP support). There was some confusion with the Assertion Consumer Service, which accepts a response in the HTTP-POST, HTTP-Artifact, and PAOS bindings.

    The error, "An exception was encountered while unmarshalling the metadata document", was reported by JAXB, since it uses the XML Schema for SAML.

    You can use your own Java XML tool for parsing an XML document if you know the schema files to use and the SAML version.
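A pre-import check for the two problems described above, written in Python as an added example (it is not part of the original article and is not CA/SiteMinder code). It checks only KeyDescriptor child order and SingleSignOnService bindings, not full schema validity; the names lint_idp_metadata and sample, and the sample documents, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Per the article: the SSO service accepts only HTTP-Redirect and SOAP.
SUPPORTED_SSO = {BINDING_PREFIX + "HTTP-Redirect", BINDING_PREFIX + "SOAP"}

def lint_idp_metadata(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata needs no DTD; refuse one outright
        raise ValueError("DOCTYPE not allowed in partner metadata")
    findings = []
    root = ET.fromstring(xml_text)
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        tags = [child.tag for child in kd]
        enc = [i for i, t in enumerate(tags) if t == f"{{{MD}}}EncryptionMethod"]
        key = [i for i, t in enumerate(tags) if t == f"{{{DS}}}KeyInfo"]
        if not key:
            findings.append("KeyDescriptor has no KeyInfo")
        elif enc and min(enc) < key[0]:
            findings.append("EncryptionMethod appears before KeyInfo in KeyDescriptor")
    sso = list(root.iter(f"{{{MD}}}SingleSignOnService"))
    for s in sso:
        if s.get("Binding") not in SUPPORTED_SSO:
            findings.append(f"unsupported SingleSignOnService binding: {s.get('Binding')}")
    # smfedimport skips unsupported bindings with a WARNING, so flag the case where none is usable.
    if not any(s.get("Binding") in SUPPORTED_SSO for s in sso):
        findings.append("no SingleSignOnService with a supported binding")
    return findings

# Constructed sample fragments (not the partner's real metadata).
ENC = '<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>'
KEY = '<ds:KeyInfo><ds:KeyName>constructed-key</ds:KeyName></ds:KeyInfo>'

def sample(children, binding):
    return (f'<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://www.example.com/saml20">'
            f'<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<KeyDescriptor use="encryption">{children}</KeyDescriptor>'
            f'<SingleSignOnService Binding="{BINDING_PREFIX}{binding}" '
            f'Location="https://www.example.com/saml20/login"/>'
            f'</IDPSSODescriptor></EntityDescriptor>')

BAD = sample(ENC + KEY, "HTTP-Artifact")     # as received: both problems present
FIXED = sample(KEY + ENC, "HTTP-Redirect")   # after the two changes in the Resolution

if __name__ == "__main__":
    for name, doc in (("as received", BAD), ("after the two changes", FIXED)):
        print(name, "->", lint_idp_metadata(doc) or "OK")
```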