Metadata refresh downloads every time even though source not changing

Tom Scavo trscavo at gmail.com
Fri Dec 9 08:40:33 EST 2016


On Fri, Dec 9, 2016 at 8:04 AM,  <shibboleth655 at lewenberg.com> wrote:
>
> <!-- InCommon -->
> <MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
>         id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
>         metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
>         backingFile="/var/tmp/InCommon-metadata.xml"
>         minRefreshDelay="PT1M" maxRefreshDelay="PT3M">
>         <MetadataFilter xsi:type="ChainingFilter">

A chaining filter is not needed in Shib IdP V3. It may even be
deprecated. You should eliminate it from your config.

>                 <!-- Require metadata expiration at least monthly (28 days) -->
>                 <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P28DT0H0M0.000S" />

The maxValidityInterval should be set to 14 days: maxValidityInterval="P14D"

>                 <MetadataFilter xsi:type="SignatureValidation"
> requireSignedRoot="true"
>                   certificateFile="${idp.home}/credentials/inc-md-cert.pem"
> />
>                 <MetadataFilter xsi:type="EntityRoleWhiteList">
>                         <RetainedRole>md:SPSSODescriptor</RetainedRole>
>                 </MetadataFilter>
>         </MetadataFilter>
> </MetadataProvider>

The rest of your InCommon configuration looks good. Thank you for
doing the Right Thing by verifying the signature on the metadata file.

> <!-- Local metadata -->
> <MetadataProvider xsi:type="FileBackedHTTPMetadataProvider"
>         id="spdb-metadata" xmlns="urn:mace:shibboleth:2.0:metadata"
>         metadataURL="https://spdb.mysite.com/spmetadata/metadata.xml"
>         backingFile="/var/tmp/spdb-metadata.xml"
>         minRefreshDelay="PT1M" maxRefreshDelay="PT3M">
>         <MetadataFilter xsi:type="ChainingFilter">

Same here. Eliminate the chaining filter.

>                 <!-- Require metadata expiration at least monthly (28 days) -->
>                 <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P28DT0H0M0.000S" />

Is there actually a validUntil XML attribute on the EntitiesDescriptor
root element?

>         </MetadataFilter>
> </MetadataProvider>

Other than that, the above config looks good. Does the server support
HTTP Conditional GET? That is the million dollar question.

Tom
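The reply above asks whether the spdb metadata actually carries a validUntil on its root element, and recommends P14D over the posted P28D for maxValidityInterval. The following is an added example, not code from this thread or from Shibboleth: it applies the same test a RequiredValidUntil filter applies, to three constructed metadata documents (a 7-day validUntil, a 21-day validUntil, and none at all), against both a 14-day and a 28-day interval. The reading of the filter's semantics (reject when validUntil is missing or further out than maxValidityInterval), the extra "already expired" check, the sample documents and the fixed clock are all assumptions made for the example.

```python
"""Check a metadata document the way a RequiredValidUntil filter would.

Added example, not code from this thread or from Shibboleth. It reads
the filter as: reject the document when the root EntitiesDescriptor (or
EntityDescriptor) has no validUntil attribute, or when validUntil lies
more than maxValidityInterval in the future. That reading, the extra
"already expired" check, and the sample documents are assumptions.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
P14D = timedelta(days=14)   # maxValidityInterval="P14D", as recommended in the reply
P28D = timedelta(days=28)   # maxValidityInterval="P28DT0H0M0.000S", as posted

# Fixed "current time" so the checks are reproducible (the reply's timestamp, UTC).
NOW = datetime(2016, 12, 9, 13, 40, 33, tzinfo=timezone.utc)

# Constructed sample documents; not real InCommon or spdb metadata.
GOOD = b'''<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2016-12-16T13:40:33Z"/>'''                  # NOW + 7 days
TOO_LONG = b'''<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2016-12-30T13:40:33.000Z"/>'''              # NOW + 21 days
MISSING = b'''<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>'''


def parse_xsd_datetime(value):
    """Parse an xs:dateTime in UTC, with or without fractional seconds."""
    v = value.strip()
    if v.endswith("Z"):
        v = v[:-1] + "+0000"
    for fmt in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%S.%f%z"):
        try:
            return datetime.strptime(v, fmt)
        except ValueError:
            continue
    raise ValueError(f"unparseable xs:dateTime: {value!r}")


def check_required_valid_until(xml_bytes, max_validity, now=None):
    """Return (accepted, reason); max_validity stands in for maxValidityInterval."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag not in (f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"):
        return False, f"unexpected root element {root.tag}"
    valid_until = root.get("validUntil")
    if valid_until is None:
        # This is the case the reply asks about: no validUntil on the root element.
        return False, "root element has no validUntil attribute"
    expires = parse_xsd_datetime(valid_until)
    if expires <= now:
        return False, f"metadata already expired at {valid_until}"
    if expires - now > max_validity:
        return False, f"validUntil {valid_until} is more than {max_validity.days} days out"
    return True, f"validUntil {valid_until} is within {max_validity.days} days"


if __name__ == "__main__":
    for label, doc in (("7-day", GOOD), ("21-day", TOO_LONG), ("no validUntil", MISSING)):
        for interval in (P14D, P28D):
            print(label, f"P{interval.days}D", check_required_valid_until(doc, interval, NOW))
```

Run against a real file with `check_required_valid_until(open(path, "rb").read(), P14D)`; a document that is rejected here would be rejected by the filter and the provider would keep serving whatever backing file it already had.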
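The closing question in the reply, whether the server supports HTTP Conditional GET, is the one that decides whether a FileBackedHTTPMetadataProvider downloads on every refresh. The following is an added example, not code from this thread or from Shibboleth: a probe that fetches a URL once, records the ETag and Last-Modified validators it got back, then fetches again with If-None-Match and If-Modified-Since and reports whether the server answered 304 Not Modified. It runs offline against two constructed in-process servers, one that honours the validators and one that regenerates the document on every request and sends none; both servers, the sample document and the port handling are assumptions made for the example.

```python
"""Probe whether a metadata URL honours HTTP conditional GET.

Added example, not code from this thread or from Shibboleth. On each
refresh a FileBackedHTTPMetadataProvider can send If-None-Match /
If-Modified-Since; a server that answers 304 Not Modified lets the IdP
skip the download, while a server that answers 200 every time forces a
full fetch on every refresh. The two in-process servers are constructed
stand-ins for a well-behaved and a badly-behaved metadata host.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError

# Constructed stand-in for an aggregate; its content is irrelevant to the probe.
METADATA = b'<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>'
ETAG = '"md-v1"'
LAST_MODIFIED = "Fri, 09 Dec 2016 13:00:00 GMT"


class ConditionalHandler(BaseHTTPRequestHandler):
    """Serves the file with validators and answers 304 when they match."""

    def do_GET(self):
        if (self.headers.get("If-None-Match") == ETAG
                or self.headers.get("If-Modified-Since") == LAST_MODIFIED):
            self.send_response(304)
            self.end_headers()
            return
        self.send_full(with_validators=True)

    def send_full(self, with_validators):
        self.send_response(200)
        self.send_header("Content-Type", "application/samlmetadata+xml")
        self.send_header("Content-Length", str(len(METADATA)))
        if with_validators:
            self.send_header("ETag", ETAG)
            self.send_header("Last-Modified", LAST_MODIFIED)
        self.end_headers()
        self.wfile.write(METADATA)

    def log_message(self, *args):  # keep the probe's own output readable
        pass


class UnconditionalHandler(ConditionalHandler):
    """Regenerates the document on every request: no validators, never a 304."""

    def do_GET(self):
        self.send_full(with_validators=False)


def start_server(handler):
    """Start `handler` on a loopback port; return (server, metadata URL)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/metadata.xml"


def probe_conditional_get(url):
    """Fetch twice, the second time with validators; report what the server did."""
    with urllib.request.urlopen(url) as resp:
        resp.read()
        etag = resp.headers.get("ETag")
        last_modified = resp.headers.get("Last-Modified")
    if not etag and not last_modified:
        return {"supported": False,
                "reason": "first response carried neither ETag nor Last-Modified"}
    req = urllib.request.Request(url)
    if etag:
        req.add_header("If-None-Match", etag)
    if last_modified:
        req.add_header("If-Modified-Since", last_modified)
    try:
        with urllib.request.urlopen(req) as resp:
            resp.read()
            return {"supported": False,
                    "reason": f"got {resp.status} with a body despite validators"}
    except HTTPError as err:  # urllib surfaces 304 as an HTTPError
        if err.code == 304:
            return {"supported": True, "reason": "304 Not Modified"}
        raise


if __name__ == "__main__":
    for name, handler in (("good host", ConditionalHandler),
                          ("bad host", UnconditionalHandler)):
        server, url = start_server(handler)
        print(name, probe_conditional_get(url))
        server.shutdown()
```

Point `probe_conditional_get` at the real metadataURL to answer the question for a given source. A host that returns no validators, or returns 200 with a body despite them, will be re-downloaded on every refresh interval regardless of how minRefreshDelay and maxRefreshDelay are set.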

