IdP startup issues

Peter Schober peter.schober at univie.ac.at
Thu Apr 3 11:24:13 EDT 2014


* Joel Goguen <joel.goguen at unb.ca> [2014-04-03 16:48]:
> All of our MetadataProvider entries are defined as
> FileBackedHTTPMetadataProvider types. This is causing us issues with
> starting up the IdP; whenever any one or more metadata sources is
> unavailable, the IdP refuses to start entirely even if the defined
> backingFile exists. Is there some way (preferably without external
> cron jobs) we can have automatically-updating MetadataProvider
> definitions but not have the IdP fail to start when a metadata
> source can't be reached?

I would stop, well, stopping and starting the IDP, as a first step.

> As an example, here's one of our MetadataProvider definitions that has failed more than a few times: 
> <MetadataProvider id="Desire2Learn" xsi:type="FileBackedHTTPMetadataProvider"
>                   xmlns="urn:mace:shibboleth:2.0:metadata"
>                   metadataURL="http://lms.unb.ca/Shibboleth.sso/Metadata"
>                   backingFile="/opt/shibboleth-idp/metadata/desire2learn.xml"
>                   maxRefreshDelay="PT1H0M0.000S" />

I'd also avoid pulling metadata from the SP directly, as likely it's
unsigned (?) and over plain http too, so trusting any of the
information in that metadata may be overly relying on a secure network
between the IDP and that webserver.
I take it you have actual reasons to pull metadata from that SP every
hour? Just saying. (At our university the IDP manages "authoritative"
metadata for all local SPs and never pulls automatically after the
initial import).
-peter
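As an added illustration of the two concerns raised in this thread (the IdP refusing to start when a remote source is down, and metadata being fetched unsigned over plain http), here is the quoted provider beside a hardened variant. This is example configuration written for this reply, not Joel's or Peter's config and not taken from the Shibboleth project; the certificate path, the trust engine id and the https URL are assumptions, and the attribute and filter names are those documented for the Shibboleth IdP 2.x metadata providers (failFastInitialization, SignatureValidation, StaticExplicitKeySignature), so check them against the docs for the IdP version actually deployed.

```xml
<!-- relying-party.xml fragment (IdP 2.x). The xsi and security prefixes
     are declared on the file's root element; the metadata namespace is
     declared locally on each provider as in the quoted config. -->

<!-- BEFORE: as quoted in the thread. Plain http, no signature check, and
     with the default failFastInitialization="true" an unreachable source
     at startup stops the whole IdP even though backingFile exists. -->
<MetadataProvider id="Desire2Learn" xsi:type="FileBackedHTTPMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataURL="http://lms.unb.ca/Shibboleth.sso/Metadata"
                  backingFile="/opt/shibboleth-idp/metadata/desire2learn.xml"
                  maxRefreshDelay="PT1H0M0.000S" />

<!-- AFTER (example): same provider, but
     1. https URL, so the fetch no longer relies on a trusted network path
        (the hostname/URL here is an assumption);
     2. failFastInitialization="false", so a failed fetch at startup is
        logged and the provider retries later instead of aborting startup;
     3. a SignatureValidation filter that refuses unsigned metadata and
        verifies the signature against a pinned certificate, so a changed
        or tampered document is rejected regardless of transport. -->
<MetadataProvider id="Desire2Learn" xsi:type="FileBackedHTTPMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataURL="https://lms.unb.ca/Shibboleth.sso/Metadata"
                  backingFile="/opt/shibboleth-idp/metadata/desire2learn.xml"
                  maxRefreshDelay="PT1H0M0.000S"
                  failFastInitialization="false">
    <MetadataFilter xsi:type="SignatureValidation"
                    trustEngineRef="shibboleth.Desire2LearnMetadataTrustEngine"
                    requireSignedMetadata="true" />
</MetadataProvider>

<!-- Trust engine the filter above refers to: an explicit-key engine
     holding the one certificate the SP operator uses to sign its
     metadata (path and id are assumptions for this example). -->
<security:TrustEngine id="shibboleth.Desire2LearnMetadataTrustEngine"
                      xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="Desire2LearnMetadataSigningCert"
                         xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/desire2learn-metadata-signing.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>
```

The signature filter only helps if the SP actually signs its metadata; if it does not, Peter's alternative of importing it once into locally managed metadata (a FilesystemMetadataProvider under the IdP's control) avoids trusting the http fetch at all. Setting failFastInitialization to false trades a hard startup failure for a warning in the IdP log, so something should be watching that log for repeated refresh failures.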

