- NOTE: This information also applies to the latest release, R12.8 SP08 CR01.
A metadata file that imports as expected on the old 12.8 SP2 release fails on 12.8 SP7 with the error below.
Exception occurred: ERROR: Metadata parsing error: Unable to create an instance of com.ca.federation.metadata.SAML2METADATAGEN.RoleDescriptorType
Note that other metadata files import on 12.8 SP7 without errors; only this file, which contains a RoleDescriptor entry in the metadata XML, fails.
- The following error was observed on the AdminUI screen.
Error:
" Exception trying to extract entities from metadata "
Running the policy server in console mode (smpolicysrv.exe -z) and importing the metadata file produced the output below in the policy server console.
siteminder_home\CA\siteminder\bin>smpolicysrv.exe -z
com.ca.federation.metadata.SAML2METADATA.utils.MetadataException: ERROR: Metadata parsing error: Unable to create an instance of com.ca.federation.metadata.SAML2METADATAGEN.RoleDescriptorType
at com.ca.federation.metadata.service.SAML2Entities.getEntitiesList(Unknown Source)
at com.ca.federation.metadata.tunnel.SAML2EntitiesService.getList(Unknown Source)
Caused by: javax.xml.bind.UnmarshalException: Unable to create an instance of com.ca.federation.metadata.SAML2METADATAGEN.RoleDescriptorType
- with linked exception:
[java.lang.InstantiationException]
----------- From SMPS.log:
[10776/8576][Tue May 14 2024 20:01:26.013][JavaCallService.cpp:325][PerformService][ERROR][sm-xobfed-00140] Exception occurred: ERROR: Metadata parsing error: Unable to create an instance of com.ca.federation.metadata.SAML2METADATAGEN.RoleDescriptorType
[10776/8576][Tue May 14 2024 20:01:26.034][XPSSvcHandlerServices.cpp:340][CXPSSvcHandlerServices::InvokeService][ERROR][sm-xpssvc-00850] Failed to find the requested Service
[10776/8576][Tue May 14 2024 20:01:26.034][XPSSvcHandlerServices.cpp:165][CXPSSvcHandlerServices::ProcessRequest][ERROR][sm-xpssvc-00840] Failed to invoke the requested Service
[10776/8576][Tue May 14 2024 20:01:26.034][XPSSvc.cpp:255][InvokeHandler][ERROR][sm-xpssvc-00020] Cannot Process the Request.
-------- From AdminUI Server.log:
[ERROR] com.ca.federation.adminui.backingbean.federation.ImportMetadataWizardStepListener [] - **ERROR** com.ca.fedxps.api.remote.FedXPSException during UI operation.
com.ca.fedxps.api.remote.FedXPSException: com.ca.federation.client.XPSException: Exception occurred: ERROR: Metadata parsing error: Unable to create an instance of com.ca.federation.metadata.SAML2METADATAGEN.RoleDescriptorType : CA : XPS : sm-xobfed-00140
at com.ca.federation.api.remote.FedMetadata.serviceCall(Unknown Source) ~[fedremoteapi.jar:?]
at com.ca.federation.api.remote.FedMetadata.getEntities(Unknown Source) ~[fedremoteapi.jar:?]
at com.ca.federation.adminui.common.FedUiPersistenceHandler.extractEntities(FedUiPersistenceHandler.java:653) ~[fedmgr.jar:?]
at com.ca.federation.adminui.backingbean.federation.ImportMetadataWizardStepListener.performStep2Processing(ImportMetadata
Component: FEDMA
Release: 12.8 SP7 (applies to 12.8 SP5 and later releases, including R12.8 SP08 CR01)
The RoleDescriptor element is declared with the abstract type RoleDescriptorType, so it cannot be used directly in XML metadata: an instance is only valid when its xsi:type attribute names a concrete derived type that the consumer recognizes. The third-party JAXB library used in release 12.8.05 and above checks this strictly against the schema. When it cannot resolve the xsi:type to a type it knows, it attempts to instantiate the declared, abstract RoleDescriptorType class, which fails with the java.lang.InstantiationException shown in the trace. The older JAXB shipped with 12.8.2 ignored the RoleDescriptor element even when it was present in the XML file.
The 12.8 SP7 behaviour is the correct one: JAXB does not accept an abstract RoleDescriptor in metadata, whereas the old JAXB in 12.8 SP2 silently skipped it without processing it. The difference comes from upgrades in the JAXB library; the JAXB library used in release 12.8 SP7 is not the one used in 12.8 SP2.
- Document reference:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/Changes-to-Existing-Features/changes-to-existing-features-in-12-8-07.html
Kindly review the below SAML documentation for your reference:
------ Document reference: (2.4.1 Element <RoleDescriptor> Section)
https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
2.4.1 Element <RoleDescriptor>
The <RoleDescriptor> element is an abstract extension point that contains common descriptive information intended to provide processing commonality across different roles.
The following schema fragment defines the <RoleDescriptor> element and its RoleDescriptorType complex type:
<element name="RoleDescriptor" type="md:RoleDescriptorType"/>
<complexType name="RoleDescriptorType" abstract="true">
<sequence>
Base Type (RoleDescriptorType):
The RoleDescriptorType is an abstract type, meaning it cannot be used directly but serves as a base for other role descriptors.
It includes common elements like Extensions, KeyDescriptor, Organization, and ContactPerson.
It has attributes such as ID, validUntil, cacheDuration, protocolSupportEnumeration, and errorURL.
Specific Role Descriptors:
IDPSSODescriptorType extends RoleDescriptorType and adds elements specific to Identity Providers, such as SingleSignOnService, SingleLogoutService, and NameIDFormat.
It also has an attribute WantAuthnRequestsSigned.
SPSSODescriptorType also extends RoleDescriptorType and includes AssertionConsumerService, SingleLogoutService, and NameIDFormat.
It has attributes AuthnRequestsSigned and WantAssertionsSigned.
To resolve the error, remove the whole <RoleDescriptor> element (including its child elements) from the metadata XML file and import the file again. Keep the IDPSSODescriptor or SPSSODescriptor element: that is the concrete role that carries the SSO and SLO endpoints, NameID formats and KeyDescriptor entries used by the partnership, and it is unaffected by the change. In this file the RoleDescriptor's xsi:type named the extension type AttributeQueryDescriptorType (see the validator output below), so removing it discards only that extension role.
The validator output and snippet below are provided for reference.
------ Error output from the third-party tool: (URL for reference: https://developers.onelogin.com/saml/online-tools/validate/xml-against-xsd-schema)
The XML is invalid.
Line: 45 | Column: 0 --> Element '{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor', attribute '{http://www.w3.org/2001/XMLSchema-instance}type': The QName value '{urn:oasis:names:tc:SAML:metadata:ext:query}AttributeQueryDescriptorType' of the xsi:type attribute does not resolve to a type definition.
Line: 45 | Column: 0 --> Element '{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor': The type definition is abstract.
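The following Python script is an added example (not CA/Broadcom code and not part of the original article) that performs the diagnosis from the Cause section and the fix from the Resolution in one pass: it resolves the xsi:type of every md:RoleDescriptor to its namespace so you can see whether it names an extension type outside the core metadata namespace (the situation in the validator output above), strips the element, and confirms that the SSO role descriptor survives. The sample metadata inside it is constructed for illustration; the entityID and endpoint URLs are placeholders, and the function names are the example's own.

```python
"""Find and strip abstract <md:RoleDescriptor> elements from SAML 2.0 metadata.

Added example, not CA/Broadcom code. Standard library only. The sample
metadata below is constructed for illustration: the entityID and endpoints
are placeholders.
"""
import io
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
QUERY = "urn:oasis:names:tc:SAML:metadata:ext:query"
ROLE = f"{{{MD}}}RoleDescriptor"
XSI_TYPE = f"{{{XSI}}}type"

# Keep the conventional prefixes on output instead of ElementTree's ns0/ns1.
for prefix, uri in (("md", MD), ("xsi", XSI), ("query", QUERY)):
    ET.register_namespace(prefix, uri)

# Constructed sample: a normal IDPSSODescriptor plus a RoleDescriptor whose
# xsi:type names an extension type (the same type the validator could not resolve).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:xsi="{XSI}"
    xmlns:query="{QUERY}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
  <md:RoleDescriptor xsi:type="query:AttributeQueryDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  </md:RoleDescriptor>
</md:EntityDescriptor>
"""


def _namespace_map(xml_text):
    """Collect prefix -> URI declarations so an xsi:type QName can be resolved."""
    nsmap = {}
    for _event, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        nsmap[prefix] = uri
    return nsmap


def classify_role_descriptors(xml_text):
    """Report every md:RoleDescriptor with its xsi:type resolved to a namespace.

    RoleDescriptorType is abstract, so the element is only usable when xsi:type
    names a concrete derived type the consumer knows. A type outside the core
    md namespace is an extension type, which is what the importer rejects.
    """
    nsmap = _namespace_map(xml_text)
    root = ET.fromstring(xml_text)
    report = []
    for el in root.iter(ROLE):
        qname = el.get(XSI_TYPE)
        prefix, _, local = qname.rpartition(":") if qname else ("", "", "")
        uri = nsmap.get(prefix)
        report.append({
            "xsi_type": qname,
            "namespace": uri,
            "local_type": local or None,
            "core_md_type": uri == MD,
        })
    return report


def strip_role_descriptors(xml_text):
    """Remove every md:RoleDescriptor; return (cleaned XML, removed xsi:types)."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent links, so collect (parent, child) pairs first,
    # then remove, instead of mutating the tree while iterating it.
    doomed = [(parent, child) for parent in root.iter() for child in parent if child.tag == ROLE]
    removed = []
    for parent, child in doomed:
        removed.append(child.get(XSI_TYPE))
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), removed


def remaining_roles(xml_text):
    """Local names of the role elements left under each EntityDescriptor."""
    root = ET.fromstring(xml_text)
    roles = []
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for child in entity:
            if child.tag.startswith(f"{{{MD}}}") and child.tag.endswith("Descriptor"):
                roles.append(child.tag.split("}", 1)[1])
    return roles


if __name__ == "__main__":
    for item in classify_role_descriptors(SAMPLE_METADATA):
        print("RoleDescriptor xsi:type=%(xsi_type)s namespace=%(namespace)s" % item)
    cleaned, removed = strip_role_descriptors(SAMPLE_METADATA)
    print("removed:", removed)
    print("remaining roles:", remaining_roles(cleaned))
    print(cleaned)
```

To use it on a real file, read the file's contents into the string instead of SAMPLE_METADATA, write the cleaned output to a new file and import that. ElementTree re-serializes the document, so if the EntityDescriptor carries an enveloped XML signature the output will no longer verify; removing a child element breaks that signature with any tool, so a signed file has to be re-signed by the partner (or imported unsigned, where the deployment allows it) after the RoleDescriptor is removed.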
------ Snippet for reference: