IDP 2.4.4: Partial metadata reflected in profile/Metadata/SAML

Cantor, Scott cantor.2 at osu.edu
Mon Apr 18 14:27:40 EDT 2016


> Questions:
> 
> 1) Does anyone know how/why this could happen? Is IDP3 less likely to
> repeat this problem?

V2 loads the metadata into memory in object form and then writes it back into XML when the servlet runs. The V3 JSP file actually writes out the metadata file from source to sink, so it isn't likely to be affected by the same cause, whatever it is.

If you need to host your metadata, just make it available via a separate URL. Anything that really cares that the metadata URL matches the entityID is almost guaranteed to be broken in some way.

> 2) Could this be the result of a hack? Would such metadata changes affect
> the security of the idp, besides being a denial of service?

The metadata changing is irrelevant; what's relevant is that something modified the objects in memory, apparently. That would mean all bets are off.

That's a pretty weird thing for somebody to do if they had access to the JVM. Nobody trying to steal the key is going to leave footprints that silly. I'm sure there's a more innocent explanation but I can't imagine what it would be. Maybe a low memory condition of some kind.

-- Scott
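The reply above turns on one observable symptom: the XML served at the profile/Metadata/SAML endpoint no longer matches the metadata file the IdP was configured with. A defender can watch for exactly that drift rather than waiting for a relying party to notice. The following Python script is an added example, not code from this thread or from the Shibboleth project; it parses the on-disk source and the served copy, compares the element structure under the EntityDescriptor, and reports which descriptors or endpoints are missing or unexpectedly present. The entityID, URL, file path and both sample documents are constructed placeholders.

```python
"""Detect drift between an IdP's metadata file on disk and the copy it
serves at /profile/Metadata/SAML. Added example; not Shibboleth code.
All names, URLs and sample documents below are constructed."""
import urllib.request
import xml.etree.ElementTree as ET

# Clark-notation prefix ElementTree uses for SAML metadata tags.
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: what the configured metadata file is expected to hold.
SOURCE_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""

# Constructed sample of a "partial" served copy: the attribute authority
# and one SSO endpoint are gone, as in the symptom described in the thread.
SERVED_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def element_paths(xml_text):
    """Return {tag_path: count} for every element below the root.
    Counting (not just set membership) catches a dropped second endpoint."""
    root = ET.fromstring(xml_text)
    counts = {}

    def walk(elem, prefix):
        for child in elem:
            path = prefix + "/" + child.tag
            counts[path] = counts.get(path, 0) + 1
            walk(child, path)

    walk(root, "")
    return root.get("entityID"), counts


def diff_metadata(source_xml, served_xml):
    """Structural comparison of source vs served metadata.
    'missing' lists paths the served copy has fewer of than the source;
    'extra' lists paths the served copy has more of."""
    src_id, src = element_paths(source_xml)
    srv_id, srv = element_paths(served_xml)
    missing = {p: n - srv.get(p, 0) for p, n in src.items() if n > srv.get(p, 0)}
    extra = {p: n - src.get(p, 0) for p, n in srv.items() if n > src.get(p, 0)}
    id_match = src_id == srv_id
    return {
        "entity_id_match": id_match,
        "missing": missing,
        "extra": extra,
        "ok": id_match and not missing and not extra,
    }


def fetch_served(url):
    """Fetch the live served copy (not used by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo on the constructed samples. In production, replace with:
    #   source = open("/opt/shibboleth-idp/metadata/idp-metadata.xml").read()  # placeholder path
    #   served = fetch_served("https://idp.example.org/idp/profile/Metadata/SAML")  # placeholder URL
    report = diff_metadata(SOURCE_XML, SERVED_XML)
    print("OK" if report["ok"] else "DRIFT DETECTED")
    for path, n in report["missing"].items():
        print("  missing x%d: %s" % (n, path.replace(MD, "md:")))
    for path, n in report["extra"].items():
        print("  extra   x%d: %s" % (n, path.replace(MD, "md:")))
```

Run from cron or a monitoring agent against the real file and endpoint, any non-empty "missing" or "extra" set is worth an alert and a look at the JVM (heap, logs, restart history), since per the reply above it is the in-memory objects, not the file, that have changed. The comparison is deliberately structural rather than byte-for-byte, because a serializer that rewrites objects back to XML will legitimately differ in whitespace and attribute order.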


