Description
When using pysaml2 with djangosaml2, the namespace prefixes in the metadata generated at /saml2/metadata change randomly.
Code Version
Python3.11
pysaml2==7.5.0
Django==4.2.14
djangosaml2==1.9.3
Settings in Django:
## SAML settings
# Django redirect targets for the login/logout flows; LOGIN_URL points at
# the djangosaml2 login view under /saml2.
LOGIN_REDIRECT_URL = "/details"
LOGIN_URL = "/saml2/login"
LOGOUT_REDIRECT_URL = "/logout/"

# Local accounts are tried first, then the SAML backend for federated logins.
AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
    "djangosaml2.backends.Saml2Backend",
]

# Dotted path of the view rendered when the ACS rejects a response.
SAML_ACS_FAILURE_RESPONSE_FUNCTION = "app.views.failure"

# Dedicated cookie for the SAML session state. Secure-only and
# expire-on-close keep it off plaintext connections and out of long-lived
# browser sessions.
SAML_SESSION_COOKIE_NAME = "saml_session"
SESSION_COOKIE_SECURE = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True

# Provision a Django user on first login, and match existing users on the
# mapped `username` attribute rather than on the (transient) NameID.
SAML_CREATE_UNKNOWN_USER = True
SAML_USE_NAME_ID_AS_USERNAME = False
SAML_DJANGO_USER_MAIN_ATTRIBUTE = "username"
import os
from os import path

import saml2
import saml2.saml
import saml2.xmldsig
# Directory holding this settings module; key material and the attribute
# maps are resolved relative to it.
BASEDIR = path.dirname(path.abspath(__file__))

#SAML2_IDPHINT_PARAM = 'idphint'

# The Redirect binding is used for both the AuthnRequest and the
# LogoutRequest this SP sends.
SAML_DEFAULT_BINDING = saml2.BINDING_HTTP_REDIRECT
SAML_LOGOUT_REQUEST_PREFERRED_BINDING = SAML_DEFAULT_BINDING

## following are usually loaded from env, but copied it in for better understanding.
# Base URL of this SP's djangosaml2 views. `${PROTOCOL}` / `${DOMAIN}` are
# placeholders, presumably substituted by the deployment (not by Python).
SAML_HOST_URL = '${PROTOCOL}://${DOMAIN}/saml2'
# Entity ID of the IdP we federate with, and the base of its SSO/SLO endpoints.
SAML_ENTITYID = 'https://sso.tu-darmstadt.de/idp'
SAML_IDP_URL = 'https://login.tu-darmstadt.de/idp'
# Federation metadata feed; the IdP above (and its signing keys) are
# expected to be published there.
SAML_METADATA_URL = 'https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-local-312-metadata.xml'
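def _env_str(name: str) -> str:
    """Return the environment variable *name*, or "" when it is unset.

    The values read through this helper end up in the metadata this SP
    publishes to the IdP. The previous ``str(os.getenv(name))`` rendered an
    unset variable as the literal text "None" in that metadata; an empty
    string is the lesser evil and is easy to spot when reviewing the
    metadata view.
    """
    return os.getenv(name, "")


SAML_CONFIG = {
    # full path to the xmlsec1 binary program
    'xmlsec_binary': '/usr/bin/xmlsec1',
    # our entity id: the SP host URL plus the metadata view
    'entityid': SAML_HOST_URL + '/metadata/',
    # directory with the attribute maps
    'attribute_map_dir': path.join(BASEDIR, 'attribute-maps'),
    # Permit attributes that are not configured in the attribute maps;
    # otherwise attributes without a known OID are rejected.
    'allow_unknown_attributes': True,
    # this block states what services we provide
    'service': {
        'sp': {
            'name': _env_str('SAML_SYSTEM_NAME'),
            # Transient NameIDs: the IdP issues a fresh identifier per
            # session, so user matching relies on the mapped attributes
            # (see SAML_USE_NAME_ID_AS_USERNAME), not on the NameID.
            'name_id_format': saml2.saml.NAMEID_FORMAT_TRANSIENT,
            'endpoints': {
                # url and binding of the assertion consumer service view;
                # do not change the binding or service name
                'assertion_consumer_service': [
                    (SAML_HOST_URL + '/acs/', saml2.BINDING_HTTP_POST),
                ],
                # url and binding of the single logout service view;
                # do not change the binding or service name
                'single_logout_service': [
                    # Drop the HTTP_REDIRECT entry for IdPs that only
                    # support HTTP_POST (e.g. Okta).
                    (SAML_HOST_URL + '/ls/', saml2.BINDING_HTTP_REDIRECT),
                    (SAML_HOST_URL + '/ls/post', saml2.BINDING_HTTP_POST),
                ],
            },
            # SHA-256 for our own signatures and digests.
            # NOTE(review): the metadata this SP publishes still advertises
            # md5/sha1 DigestMethod and SigningMethod entries under
            # <Extensions>; check whether that advertised list can be
            # restricted to match the algorithms configured here.
            'signing_algorithm': saml2.xmldsig.SIG_RSA_SHA256,
            'digest_algorithm': saml2.xmldsig.DIGEST_SHA256,
            # Mandates that the identity provider MUST authenticate the
            # presenter directly rather than rely on a previous security context.
            'force_authn': False,
            # Enable AllowCreate in NameIDPolicy.
            'name_id_format_allow_create': True,
            # attributes that this project needs to identify a user
            'required_attributes': [
                'urn:oid:2.5.4.42',
                'urn:oid:1.3.6.1.4.1.8301.4.2.1.2.1',
                'urn:oid:2.5.4.4',
            ],
            # attributes that may be useful to have but are not required
            'optional_attributes': [
                'urn:oid:0.9.2342.19200300.100.1.3',
            ],
            # Sign what we send and insist on signatures on what we receive:
            # unsigned Responses or Assertions are not consumed.
            'want_response_signed': True,
            'authn_requests_signed': True,
            'logout_requests_signed': True,
            'want_assertions_signed': True,
            # Trust only the IdP keys published in the metadata feed below,
            # never a key carried inline in a message.
            'only_use_keys_in_metadata': True,
            # Do not consume unsolicited SAML Responses, i.e. Responses for
            # which this SP has not sent a matching Authentication Request.
            'allow_unsolicited': False,
            # in this section the list of IdPs we talk to is defined.
            # This is not mandatory: without it, every IdP available in the
            # metadata would be considered instead.
            'idp': {
                # No WAYF service is needed since only one IdP is defined
                # here. It must be present in our metadata; the keys of this
                # dictionary are entity ids.
                SAML_ENTITYID + '/metadata': {
                    'single_sign_on_service': {
                        saml2.BINDING_HTTP_REDIRECT: SAML_IDP_URL + '/profile/SAML2/Redirect/SSO',
                    },
                    'single_logout_service': {
                        saml2.BINDING_HTTP_REDIRECT: SAML_IDP_URL + '/profile/SAML2/Redirect/SLO',
                    },
                },
            },
        },
    },
    # where the remote metadata is stored: local, remote or mdq server.
    # One metadata store or many ...
    'metadata': {
        'remote': [{"url": SAML_METADATA_URL}, ],
        #'remote': [{"url": "https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-local-312-metadata.xml"},],
    },
    # set to 1 to output debugging information (verbose pysaml2 logging;
    # keep it off in production unless actively troubleshooting)
    'debug': 1,
    # Signing
    'key_file': path.join(BASEDIR, 'private.key'),  # private part
    'cert_file': path.join(BASEDIR, 'public.pem'),  # public part
    # Encryption. The signing keypair is reused here; a separate encryption
    # keypair would let the two be rotated independently.
    'encryption_keypairs': [{
        'key_file': path.join(BASEDIR, 'private.key'),  # private part
        'cert_file': path.join(BASEDIR, 'public.pem'),  # public part
    }],
    # own metadata settings
    'contact_person': [
        {'given_name': _env_str('SAML_CONTACT_FIRST_NAME'),
         'sur_name': _env_str('SAML_CONTACT_NAME'),
         'company': _env_str('SAML_CONTACT_ORGANIZATION'),
         'email_address': _env_str('SAML_CONTACT_MAIL'),
         'contact_type': _env_str('SAML_CONTACT_TYPE')},
    ],
    # you can set multilanguage information here
    'organization': {
        'name': [(_env_str('SAML_ORGANIZATION_NAME'), _env_str('LANGUAGE'))],
        'display_name': [(_env_str('SAML_ORGANIZATION_DISPLAY_NAME'), _env_str('LANGUAGE'))],
        'url': [(_env_str('SAML_ORGANIZATION_URL'), _env_str('LANGUAGE'))],
    },
}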
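# map saml attributes to user attributes
# most important: our username is the matriculation number
#
# The SAML attribute names come from the environment. Entries whose
# variable is unset (or empty) are left out: str(os.getenv(...)) previously
# turned them into the literal attribute name "None", and several unset
# variables collapsed onto that single key, silently mapping nothing.
# If `username` ends up unmapped here, SAML_DJANGO_USER_MAIN_ATTRIBUTE can
# presumably not be resolved and logins fail at login time rather than at
# startup -- verify the mapping in the deployed environment.
_SAML_ATTRIBUTE_ENV = (
    ('SAML_ATTRIBUTE_MAPPING_USERNAME', ('username', )),
    ('SAML_ATTRIBUTE_MAPPING_EMAIL', ('email', )),
    ('SAML_ATTRIBUTE_MAPPING_FIRST_NAME', ('first_name', )),
    ('SAML_ATTRIBUTE_MAPPING_LAST_NAME', ('last_name', )),
)
SAML_ATTRIBUTE_MAPPING = {
    os.environ[env_name]: django_fields
    for env_name, django_fields in _SAML_ATTRIBUTE_ENV
    if os.getenv(env_name)
}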
IDP-Metadata: https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-local-312-metadata.xml
Entityid-Metadata: https://sso.tu-darmstadt.de/idp/metadata
Expected Behavior
The namespace prefixes should not change between requests.
This is a problem because our IDP imports our metadata regularly and the namespace change causes the alerting to go off...
Current Behavior
The namespace prefixes change randomly between `md:` and `nsX:`, sometimes on every reload, but only after the first time somebody has logged in (before that they stay as `nsX:`).
Here are the two different types:
<md:EntityDescriptor entityID="https://9euro.asta.tu-darmstadt.de/saml2/metadata/">
<md:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</md:Extensions>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://9euro.asta.tu-darmstadt.de/saml2/ls/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://9euro.asta.tu-darmstadt.de/saml2/ls/post"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://9euro.asta.tu-darmstadt.de/saml2/acs/" index="1"/>
<md:AttributeConsumingService index="1">
<md:ServiceName xml:lang="en"/>
<md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.8301.4.2.1.2.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
Second variant:
<ns0:EntityDescriptor entityID="https://9euro.asta.tu-darmstadt.de/saml2/metadata/">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
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
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIIGKTCCBBGgAwIBAgIUMkJeyilfNybCcYFn7UKJAH2+i18wDQYJKoZIhvcNAQELBQAwgaMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1zdGFkdDEaMBgGA1UECgwRQVN0QSBUVSBEYXJtc3RhZHQxIzAhBgNVBAMMGjlldXJvLmFzdGEudHUtZGFybXN0YWR0LmRlMS4wLAYJKoZIhvcNAQkBFh9pdC1zdXBwb3J0QGFzdGEudHUtZGFybXN0YWR0LmRlMB4XDTIyMDgwMzA3MjE0OFoXDTMyMDczMTA3MjE0OFowgaMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCURhcm1zdGFkdDEaMBgGA1UECgwRQVN0QSBUVSBEYXJtc3RhZHQxIzAhBgNVBAMMGjlldXJvLmFzdGEudHUtZGFybXN0YWR0LmRlMS4wLAYJKoZIhvcNAQkBFh9pdC1zdXBwb3J0QGFzdGEudHUtZGFybXN0YWR0LmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy808uFFEwcbZIcxKGqYEVvLS/rtoyLZRqyb3bmXlyauIaKlqhC+cNPBBjgAxOHVLF3Y8yqF1p5XhcVh9cvRKz5uMPL8Z9HGzFfwJEw+J02fQk97vKbmJpNB9Y4rSUmD/frZa4DXKpgAikOoqyLkYPkd744YjMIsQT3senjk/kpU67V7JNAwQ/VUpfikFtkhgXqasoqtu990QSIBaIG1ky9LBJToG+RMCPq2KWfNYiKAj+6ip4jf8+Ni1ugB8eiJIfNh7FQpXKUPaj2dp/bHOGQAvfak5EuFJzEEBwCkcjU0PJoyYLJxKsr3wM0id7J+vseiEnFGcvESaDWnBh5EpQ5s5NAAR8MPeDK8yJvtkTXGUHXsCekT0I6rSL3HcU6t0WTb8XgO0tPdyn3DbilcIoDHKFnR9E3b198C5HBR5Kh9FQF/NFMcmUedSy4IzVBHDZxxIHMnnKH1FopbMnZ/v+8gYCB+rLf27DzpxoRs1YeD0V31xnLDLWyUqEmertPZUW0APY/lUL0C9VtSTPj1tonE/6h6zT3+uFxp800JmS3zqPcVyhI83YE1I3V8Blk3vMrhDNESvtICYllkWDXpo7sKcs/ikkHwKAWjjU5bhFtYNVpLR/nqQtI05zYdhbpZtVYnhmffNjnAuX3oDP5WKvAiZWsq5w731eA9xQS8s0RUCAwEAAaNTMFEwHQYDVR0OBBYEFN2g61/YsfWLb2rlfT/rHKcI8AY7MB8GA1UdIwQYMBaAFN2g61/YsfWLb2rlfT/rHKcI8AY7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBABvtytyVonKTKwYDQCCZoPopmJ6OW+uWcDbLii7MUFdut4ex8ncAXsjDc79C40oG3UsCObz9T+6b3DUy2vF/erDV4rKaK7mNN60Eo3UaXM9FtvvitoY3F0pks1bJfFpd50ee/bXPMnxjdN9IMDGL58nqdfhIYOU1o7t7WVjjhABfqIaxTLdTlZmEZ50WHY0jCv/sS6gzlIb6lUB6TyUwD1J2Kb81WgiqVZR9nMDnZEG6JeBhRlroJutliBTDMaSMgzZoOp+83h9IYOVCJ26EuVXX+MlyG2mGc2Z7tXyBbcZLROrahgfsu37EI4Hz9rIKhrm0qP+ru8e+gRAOqZiPd/MP5/d+HaDP6CcGFKV2a/z4uQYzbnSV86xWn2PITfxQL/Jm+d0y4n8RjFs88SbKefnrIuy16d+l6G5WFVLwOe3fDBGtMMbNE118cbVf/x6pdYpzpfzI81WoO05FYyDxGKreKqtjU7NtV2eX/CD43YGbyrX1kg9B4h0mlkXoEZEf2LPsiAlHp4E4gYxRCJla7kVcsM47LL+P/XxfXYp9K7K6TTXD2KeZ+0OTDJOd6lk6
uUbEKgzaZUV7exqrNyni+HE76M5dWp6u8j4vU/aLn0FubUNtz9rUawbCTZaE47+AMkrUM1MpDmkrQ6xwG72TANJNCUCx+7q5gDh5UnYA/nXZ
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://9euro.asta.tu-darmstadt.de/saml2/ls/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://9euro.asta.tu-darmstadt.de/saml2/ls/post"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://9euro.asta.tu-darmstadt.de/saml2/acs/" index="1"/>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.8301.4.2.1.2.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
</ns0:AttributeConsumingService>
</ns0:SPSSODescriptor>
Steps to Reproduce
Here is a link; just reload it a couple of times:
https://9euro.asta.tu-darmstadt.de/saml2/metadata/
Any ideas or hints?
Thanks in advance :)