IdP Metadata Cache

Jeff Masiello jmasiello at actionet.com
Thu Jun 19 10:34:01 EDT 2014


It appears that the relying-party.xml on my IdP includes a specific metadata file for this particular service, and the entity descriptor for this SP (foo) exists in that file as well as in the aggregated metadata.
So
<metadata:MetadataProvider id="FOOSP" xsi:type="metadata:FilesystemMetadataProvider"
        metadataFile="/opt/shibboleth-idp/metadata/foo_sp.xml"></metadata:MetadataProvider>

but that EntityDescriptor also exists in...

<metadata:MetadataProvider id="FEDIDP" maxRefreshDelay="PT10M0.000S" metadataFile="/opt/shibboleth-idp/metadata/federation.xml" minRefreshDelay="PT5M0.000S" xsi:type="metadata:FilesystemMetadataProvider"/>

I updated both because we got it that way.
Questions:
1. Is there any point to doing that?
2. one of them has a refresh delay, the other doesn't. That has got to cause an issue. This works on the production server so I'm afraid to touch it. 


Jeff Masiello


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Thursday, June 19, 2014 10:16 AM
To: Shib Users
Subject: Re: IdP Metadata Cache

On 6/19/14, 10:03 AM, "Jeff Masiello" <jmasiello at actionet.com> wrote:
>
>1. by metadata source do you mean the metadata xml file on the IdP or 
>is there a refresh time option on the metadata EntityDescriptor for a 
>given SP?

I meant the specific configuration of the MetadataProvider you're using, what type it is, etc.

> If the latter, then it hasn't been set (which wouldn't surprise me).
>However, in looking in the idp-process.log (there are a LOT of lines in
>there) I found this
>13:56:45.527 - INFO
>[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:238] - Metadata from '/opt/shibboleth-idp/metadata/54_241_48_11.xml'
>unchanged since last refresh, next refresh will occur at approximately 
>2014-06-19T14:04:15.526Z I need to figure out why we are using that one.

And that's a local file source, so it will refresh at that timestamp there in the log if the file changes provided the change date is after the last time it looked for a change.

You would also see it in the log every time it actually loads a new version. You should find all the log lines related to it and see if it matches the behavior you're seeing.

>2. Again, probably my newness...There are a few of these in relying party.
><metadata:MetadataProvider id="nwtp_old_sp" maxRefreshDelay="PT10M0.000S"
>metadataFile="/opt/shibboleth-idp/metadata/50_18_137_16.xml"
>minRefreshDelay="PT5M0.000S"
>xsi:type="metadata:FilesystemMetadataProvider"/>
>
>I kind of thought 5 minutes was a bad idea but as I'm still learning I 
>can't make a recommendation until I'm more solid on our use cases.

It depends how often you change things. Some places also control/limit when changes get made.

My local SP metadata gets checked every 10-15 minutes or so. There's no cost to just checking it.

>3. erg? I thought shibd was the shibboleth program. It's only on the SP 
>and not the IdP? What would I restart on the IdP? Maybe I missed this 
>page in the Wiki.

You don't need to restart anything in the IdP for metadata to be refreshed, but the only way to restart the IdP is by restarting the container. shibd is a part of the SP, and if you have an SP on the same server with your IdP, you either don't need it, or you're doing something more unusual (or just sharing that box with some other application). It won't have any effect on metadata behavior.

>Sorry for my newness.

Nothing to apologize for, I'm just answering your questions so you know where your confusion is.

-- Scott
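To put a concrete check behind the two questions in the reply above (whether an EntityDescriptor is being loaded by more than one FilesystemMetadataProvider, and which providers set no refresh delays), here is an added example script. It is not part of the thread or of the Shibboleth project's code. The relying-party.xml fragment and the two metadata files are constructed inline, modelled on the providers quoted in the thread; the ChainingMetadataProvider wrapper is assumed from the IdP 2.x default configuration, and the entityIDs are placeholders. Providers whose file is not in the inline dictionary are read from disk, so the same script can be pointed at a real deployment.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"      # SAML 2.0 metadata namespace
RP_MD_NS = "urn:mace:shibboleth:2.0:metadata"        # IdP 2.x relying-party.xml metadata namespace
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed relying-party.xml fragment, modelled on the two providers quoted in the
# thread. The ChainingMetadataProvider wrapper is assumed from the IdP 2.x default config.
RELYING_PARTY_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="FOOSP" xsi:type="metadata:FilesystemMetadataProvider"
        metadataFile="/opt/shibboleth-idp/metadata/foo_sp.xml"/>
    <metadata:MetadataProvider id="FEDIDP" xsi:type="metadata:FilesystemMetadataProvider"
        metadataFile="/opt/shibboleth-idp/metadata/federation.xml"
        maxRefreshDelay="PT10M0.000S" minRefreshDelay="PT5M0.000S"/>
  </metadata:MetadataProvider>
</rp:RelyingPartyGroup>
"""

# Constructed stand-ins for the two files on disk; the real contents are not on the page
# and the entityIDs are placeholders.
METADATA_FILES = {
    "/opt/shibboleth-idp/metadata/foo_sp.xml": """<md:EntityDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        entityID="https://foo.example.org/shibboleth"/>""",
    "/opt/shibboleth-idp/metadata/federation.xml": """<md:EntitiesDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <md:EntityDescriptor entityID="https://foo.example.org/shibboleth"/>
      <md:EntityDescriptor entityID="https://bar.example.org/shibboleth"/>
    </md:EntitiesDescriptor>""",
}


def filesystem_providers(rp_xml):
    """Return id, metadataFile and refresh attributes for every
    FilesystemMetadataProvider, in document order."""
    root = ET.fromstring(rp_xml)
    out = []
    for el in root.iter("{%s}MetadataProvider" % RP_MD_NS):
        if not (el.get(XSI_TYPE) or "").endswith("FilesystemMetadataProvider"):
            continue
        out.append({
            "id": el.get("id"),
            "file": el.get("metadataFile"),
            "minRefreshDelay": el.get("minRefreshDelay"),
            "maxRefreshDelay": el.get("maxRefreshDelay"),
        })
    return out


def entity_ids(metadata_xml):
    """Collect every entityID, whether the root is a single EntityDescriptor
    or an EntitiesDescriptor aggregate (iter() includes the root itself)."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID") for e in root.iter("{%s}EntityDescriptor" % MD_NS)}


def load_file(path, files):
    """Use the inline stand-in when present, otherwise read the real file."""
    if path in files:
        return files[path]
    with open(path, "rb") as fh:
        return fh.read()


def audit(rp_xml, files):
    """Report entityIDs served by more than one provider, and providers that
    leave refresh timing to the built-in defaults (no min/max delay set)."""
    seen = defaultdict(list)
    no_refresh = []
    for p in filesystem_providers(rp_xml):
        if p["minRefreshDelay"] is None and p["maxRefreshDelay"] is None:
            no_refresh.append(p["id"])
        for eid in sorted(entity_ids(load_file(p["file"], files))):
            seen[eid].append(p["id"])
    duplicates = {eid: ids for eid, ids in seen.items() if len(ids) > 1}
    return {"duplicates": duplicates, "no_refresh": no_refresh}


if __name__ == "__main__":
    report = audit(RELYING_PARTY_XML, METADATA_FILES)
    for eid, ids in report["duplicates"].items():
        print("duplicate %s in providers %s" % (eid, ", ".join(ids)))
    for pid in report["no_refresh"]:
        print("provider %s sets no minRefreshDelay/maxRefreshDelay" % pid)
```

Run against a real relying-party.xml by replacing RELYING_PARTY_XML with the file's contents and passing an empty dictionary as `files`; the duplicates list tells you which descriptors you are maintaining twice, and the no_refresh list tells you which providers are running on the provider's default timing rather than the PT5M/PT10M values set elsewhere.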

