IDP 2.4.4: Partial metadata reflected in profile/Metadata/SAML

Bee-Lindgren, Bert A bert.bee-lindgren at
Mon Apr 18 14:10:16 EDT 2016


Our Shibboleth 2.4.4 server started reporting incomplete metadata last Friday, missing bindings:* tags among others (details below). Our ADFS (a Shib SP) saw this incomplete metadata and, reasonably (I guess), decided that our Shib server didn't offer useful services and quietly (grrr) bypassed it. It took us and Microsoft a long time to notice the missing metadata information. Luckily, fixing it was easy.

A few details:

1) The server stopped returning the correct contents of our configured metadata file (correct and incorrect copies are attached).

2) It would be easy to understand truncated or otherwise garbled text being returned, but the result was valid XML and was "just" missing various tags, including several SingleLogoutService, SingleSignOnService and AttributeService elements.

3) The configured metadata file had not been changed on disk.

4) The standby server provided correct metadata the whole time. Switching over to it made ADFS happy.

5) An IDP restart fixed the problem. No configuration or other files needed to be restored.

6) We could not find any pertinent log messages.


1) Does anyone know how/why this could happen? Is IDP3 less likely to repeat this problem?

2) Could this be the result of a hack? Would such metadata changes affect the security of the idp, besides being a denial of service?

Thanks very much,

  Bert Bee-Lindgren

  Georgia Tech

Attachments (scrubbed from the archive): an HTML copy of this message, shib4-good-metadata.txt, shib4-bad-metadata.txt.
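The failure mode above, a metadata document that is still well-formed XML but has silently lost endpoint elements, is cheap to catch before a relying party does. The following Python script is an added example for this thread, not code from the original post or from the Shibboleth project. It extracts every SingleSignOnService, SingleLogoutService, ArtifactResolutionService and AttributeService endpoint (role, element, Binding, Location) from the on-disk reference copy and from the copy the IdP actually serves, and reports anything missing or unexpected. The two embedded metadata documents, the entityID and the hostnames are constructed placeholders that mimic the symptom described; the live check assumes the metadata endpoint is reachable over HTTPS with a trusted certificate.

```python
"""Compare a SAML IdP's served metadata against the on-disk reference copy.

Added example for this thread; the embedded XML documents are constructed
to mimic the symptom (well-formed XML, endpoint elements silently absent).
"""
import sys
import xml.etree.ElementTree as ET
from urllib.request import urlopen

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Role descriptors an IdP publishes and the endpoint children that must survive.
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor")
ENDPOINT_ELEMENTS = ("SingleSignOnService", "SingleLogoutService",
                     "ArtifactResolutionService", "AttributeService")


def endpoints(xml_bytes):
    """Return every (role, element, Binding, Location) tuple in a metadata document."""
    root = ET.fromstring(xml_bytes)
    found = set()
    for role in ROLES:
        for descriptor in root.iter(f"{{{MD_NS}}}{role}"):
            for element in ENDPOINT_ELEMENTS:
                for ep in descriptor.findall(f"{{{MD_NS}}}{element}"):
                    found.add((role, element, ep.get("Binding"), ep.get("Location")))
    return found


def compare(reference_xml, served_xml):
    """Endpoints in the reference copy but not the served copy, and vice versa."""
    ref, got = endpoints(reference_xml), endpoints(served_xml)
    return {"missing": sorted(ref - got), "unexpected": sorted(got - ref)}


def check_live(metadata_url, reference_path):
    """Fetch the live metadata endpoint and compare it with the file on disk.

    Returns True when the two agree; intended for a cron job or monitoring probe.
    This compares content only; it does not validate a metadata signature.
    """
    with open(reference_path, "rb") as fh:
        reference = fh.read()
    with urlopen(metadata_url, timeout=10) as resp:  # TLS verified by default
        served = resp.read()
    result = compare(reference, served)
    for kind in ("missing", "unexpected"):
        for role, element, binding, location in result[kind]:
            print(f"{kind}: {role}/{element} {binding} {location}")
    return not result["missing"] and not result["unexpected"]


REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed reference copy (placeholder entityID and hostnames, not real ones).
GOOD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="{SOAP}" Location="https://idp.example.edu/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
""".encode("utf-8")

# Constructed "served" copy: still valid XML, but SLO, POST SSO and AttributeService are gone.
BAD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
""".encode("utf-8")


if __name__ == "__main__":
    # Usage: metadata_check.py https://idp.example.edu/idp/profile/Metadata/SAML /path/to/idp-metadata.xml
    if len(sys.argv) == 3:
        sys.exit(0 if check_live(sys.argv[1], sys.argv[2]) else 1)
    # Offline demonstration on the constructed documents.
    for kind, rows in compare(GOOD_METADATA, BAD_METADATA).items():
        for row in rows:
            print(kind, *row)
```

Run with no arguments it diffs the two constructed documents and lists the three missing endpoints; run with the metadata URL and the reference file it exits non-zero whenever the served copy drifts from disk, which is the condition that went unnoticed here. Comparing Binding and Location as a pair, rather than counting elements, also flags an endpoint that survives with the wrong binding, which is exactly what an SP would quietly refuse to use. Note that a match against the on-disk file says nothing about the file's own integrity; that is a separate check.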
