shibboleth.MetadataResolverService


Hugo Slavia
This question will drive the expert users nuts -- as I must be missing something obvious. 

NB: The metadata URL is reachable from IdP server (if I delete the file in idp server and restart --- it is downloaded)

2 questions:

1) what can I troubleshoot to check why the remote metadata file is not downloaded when prompted via -- https://server-name/idp/profile/admin/reload-service?id=shibboleth.MetadataResolverService. The remote file has been changed and the logs are showing ' Metadata Resolver FileBackedHTTPMetadataResolver HTTPMetadata: New metadata successfully loaded for 'https://example.edu/idp/sp-metadata.xml''

2) 'HTTPMetadata' reloads every 4 hours --- where is this set to change frequency (the remote file does not have a 'validUntil' )? 

<MetadataProvider id="HTTPMetadata"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataURL="https://example.edu/idp/sp-metadata.xml"
                  backingFile="/opt/shibboleth-idp/conf/sp-metadata.xml">
</MetadataProvider>

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: shibboleth.MetadataResolverService

Tom Scavo
On Fri, Jun 29, 2018 at 11:22 PM, Hugo Slavia <[hidden email]> wrote:
>
> NB: The metadata URL is reachable from IdP server (if I delete the file in
> idp server and restart --- it is downloaded)

You can use curl to probe a metadata source:

$ curl --silent --head https://example.edu/idp/sp-metadata.xml

In particular, the response headers will tell you if the server
supports HTTP conditional GET.

> 1) what can I troubleshoot to check why not downloading remote metadata file
> when prompted via --
> https://server-name/idp/profile/admin/reload-service?id=shibboleth.MetadataResolverService.
> The remote file has been changed and the logs are showing ' Metadata
> Resolver FileBackedHTTPMetadataResolver HTTPMetadata: New metadata
> successfully loaded for 'https://example.edu/idp/sp-metadata.xml''

What are you trying to troubleshoot? Is there a warning or error
message in the logs?

> 2) 'HTTPMetadata' reloads every 4 hours --- where is this set to change
> frequency (the remote file does not have a 'validUntil' )?

That is documented on the FileBackedHTTPMetadataProvider [1] wiki page
(which was recently overhauled). In particular, look at the
maxRefreshDelay attribute.

> <MetadataProvider id="HTTPMetadata"
>                       xsi:type="FileBackedHTTPMetadataProvider"
>                       xmlns="urn:mace:shibboleth:2.0:metadata"
>                       metadataURL="https://example.edu/idp/sp-metadata.xml"
>
> backingFile="/opt/shibboleth-idp/conf/sp-metadata.xml">
>
>     </MetadataProvider>

Does your FileBackedHTTPMetadataProvider really have no child elements
or did you remove those for posting?

The fact that you want to reload metadata that is already configured with
a reloading metadata provider suggests you may be doing it wrong.
Without knowing more, I can't say for sure, but I'll guess that a
LocalDynamicMetadataProvider may be more appropriate in this case. See
the MetadataManagementBestPractices [2] topic (which is new) for
options and recommendations.

Hope this helps,

Tom

[1] FileBackedHTTPMetadataProvider
https://wiki.shibboleth.net/confluence/x/kQInAQ
[2] MetadataManagementBestPractices
https://wiki.shibboleth.net/confluence/x/JQXKAg
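A model of the reload timing Tom points at, added here as an example and not Shibboleth's own code: it computes the next refresh delay from the documented reloading attributes minRefreshDelay, maxRefreshDelay and refreshDelayFactor (their default values are assumed from the wiki page) and shows that a feed with neither validUntil nor cacheDuration is polled every maxRefreshDelay, which is the 4 hours seen in the question. The sample metadata roots and the fixed "now" are constructed.

```python
"""Constructed model (not Shibboleth code) of how a reloading metadata provider such as
FileBackedHTTPMetadataProvider picks its next refresh delay from the reloading attributes."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Documented defaults for the reloading attributes (assumed from the wiki page).
MIN_REFRESH_DELAY = timedelta(minutes=5)   # minRefreshDelay  PT5M
MAX_REFRESH_DELAY = timedelta(hours=4)     # maxRefreshDelay  PT4H
REFRESH_DELAY_FACTOR = 0.75                # refreshDelayFactor

# Constructed "now" and sample metadata roots (hypothetical, not the poster's file).
NOW = datetime(2018, 6, 29, 23, 22, tzinfo=timezone.utc)
MD = 'xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
NO_EXPIRY = f'<EntitiesDescriptor {MD} Name="constructed"/>'
CACHED_1H = f'<EntitiesDescriptor {MD} cacheDuration="PT1H"/>'
EXPIRES_SOON = f'<EntitiesDescriptor {MD} validUntil="2018-06-29T23:24:00Z"/>'

def parse_duration(text):
    """Parse the xs:duration subset used by cacheDuration, e.g. PT4H or P1DT12H."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def expiration_time(metadata_xml, now):
    """Earliest of validUntil and now+cacheDuration on the root element, or None.
    (The real resolver also walks descendant elements; this model checks only the root.)"""
    root = ET.fromstring(metadata_xml)
    candidates = []
    if "validUntil" in root.attrib:
        iso = root.attrib["validUntil"].replace("Z", "+00:00")
        candidates.append(datetime.fromisoformat(iso))
    if "cacheDuration" in root.attrib:
        candidates.append(now + parse_duration(root.attrib["cacheDuration"]))
    return min(candidates) if candidates else None

def next_refresh_delay(metadata_xml, now=NOW, min_delay=MIN_REFRESH_DELAY,
                       max_delay=MAX_REFRESH_DELAY, factor=REFRESH_DELAY_FACTOR):
    """Delay until the provider polls metadataURL again. With no expiry information
    (no validUntil / cacheDuration) the answer is maxRefreshDelay: the 4-hour cycle."""
    exp = expiration_time(metadata_xml, now)
    if exp is None or exp > now + max_delay:
        return max_delay
    # Refresh after a fraction of the remaining validity, but never sooner than minRefreshDelay.
    return max(min_delay, (exp - now) * factor)
```

To shorten the interval, set maxRefreshDelay on the MetadataProvider element instead of reloading the service by hand.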

RE: shibboleth.MetadataResolverService

Rod Widdowson
In reply to this post by Hugo Slavia
> 1) what can I troubleshoot to check why not downloading remote metadata file when prompted
> via -- https://server-name/idp/profile/admin/reload-service?id=shibboleth.MetadataResolverService.
>  The remote file has been changed and the logs are showing
> ' Metadata Resolver FileBackedHTTPMetadataResolver HTTPMetadata: New metadata successfully loaded for 'https://example.edu/idp/sp-metadata.xml''

And after that the file exists and is "wrong"?  But if you delete the file and restart it is "right"?

The log is unambiguous - the file has been downloaded, absent any filtering issues further down the log (e.g. signature failure, schema failure).

> 2) 'HTTPMetadata' reloads every 4 hours --- where is this set to change frequency (the remote file does not have a 'validUntil' )?
https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration#MetadataConfiguration-ReloadingAttributesReloadingAttributes
