Metadata resolver is looking at ID instead of entityID
Brent Putman
putmanb at georgetown.edu
Mon Aug 6 14:13:59 EDT 2018
On 8/6/18 12:47 PM, Cody Carmichael wrote:
> Here is my metadata provider, currently the only configured provider:
>
> <MetadataProvider id="LocalEntityMetadataCRC"
>     xsi:type="FilesystemMetadataProvider"
>     metadataFile="/opt/shibboleth-idp/metadata/meta-cert2.xml">
>
>     <MetadataFilter xsi:type="Predicate"
>         direction="include" removeEmptyEntitiesDescriptors="true">
>         <Entity>https://mySP/rest/v2/sso/message/shibboleth/metadata</Entity>
>     </MetadataFilter>
>
> </MetadataProvider>
>
As Tom already pointed out, if that's literally what you have, then
that's the problem. You're filtering out the EntityDescriptor that you
want, and so the log message is accurate that the backing store doesn't
contain it.
Even if not, the message still means what it means, and there is
therefore something wrong with your metadata or config or similar.
> The metadata contains the following:
> entityID="https://mySP.net/rest/v2/sso/message/shibboleth/metadata"
> ID="_ef844bd930b2aed9154854a0cb80ae78"
>
> When I try to access the IdP's login page, the logs say:
>
> Metadata Resolver FilesystemMetadataResolver
> LocalEntityMetadataCRC: Metadata backing store does not contain
> any EntityDescriptors with the ID:
> https://mySP.net/rest/v2/sso/message/shibboleth/metadata
>
> From which I understand that it appears to be looking at the ID instead
> of the entityID.
No, you're interpreting that too literally. Metadata lookup (at least
in all the basic and common cases) is by entityID. Additionally, the
ID attrib in metadata is usually a transient value, generated and
assigned anew on each new document "version", and as such there is no
way that it could be used as the basis for looking it up by another
party, since there's practically speaking no way they would or could
know it in advance.
If you want to file a Jira issue, we can adjust the log output there.
But most people familiar with how this stuff works would never confuse
the two concepts, as ID simply can't be used that way. Perhaps that
explains why AFAIK no one has commented on it before.
Thanks,
Brent
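The point Brent makes, as an added illustration that is not part of this thread or of the Shibboleth code base: a small model of a filesystem metadata resolver that indexes EntityDescriptors by entityID, applies an include-style Predicate filter, and shows why the quoted configuration produces "backing store does not contain" for the SP. The metadata document is constructed here, reusing only the entityID and ID values quoted above; the function and helper names are my own and not the IdP's API.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata mirroring the values quoted in the thread.
# entityID is the lookup key; ID is a per-document value with no lookup role.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}" ID="_root">
  <EntityDescriptor entityID="https://mySP.net/rest/v2/sso/message/shibboleth/metadata"
                    ID="_ef844bd930b2aed9154854a0cb80ae78">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://other.example.org/sp" ID="_0000">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# The include list exactly as written in the quoted config (host "mySP", no ".net").
CONFIGURED_INCLUDE = {"https://mySP/rest/v2/sso/message/shibboleth/metadata"}
SP_ENTITY_ID = "https://mySP.net/rest/v2/sso/message/shibboleth/metadata"


def load_backing_store(metadata_xml, include_entity_ids=None):
    """Parse metadata into an entityID -> EntityDescriptor index.

    include_entity_ids models a Predicate filter with direction="include":
    only EntityDescriptors whose entityID is in the set are kept.
    None means no filter is applied.
    """
    root = ET.fromstring(metadata_xml)
    store = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        if include_entity_ids is not None and entity_id not in include_entity_ids:
            continue  # dropped by the filter, so it never reaches the store
        store[entity_id] = ed
    return store


def resolve(store, entity_id):
    """Lookup is keyed on entityID only; an ID attribute value never matches."""
    return store.get(entity_id)


def diagnose(metadata_xml, include_entity_ids, wanted_entity_id):
    """Explain a failed lookup: present in the file but filtered, or absent."""
    if resolve(load_backing_store(metadata_xml, include_entity_ids), wanted_entity_id):
        return "found"
    if resolve(load_backing_store(metadata_xml, None), wanted_entity_id):
        return "filtered out by include list"
    return "not present in metadata file"
```

Running `diagnose(SAMPLE_METADATA, CONFIGURED_INCLUDE, SP_ENTITY_ID)` reports that the SP is filtered out, which is the condition behind the log line quoted above; correcting the `<Entity>` value to the real entityID makes the lookup succeed.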