IdP 3.4.1 unexpectedly attempting metadata retrieval

Nick Moriarty nick.moriarty at york.ac.uk
Tue Nov 13 09:26:10 EST 2018


Hi,

I've been testing with IdP 3.4.1 recently and noticed an oddity
compared to its behaviour in 3.3.3.

When the IdP initially responds to an authentication request, it's
trying to retrieve two of our locally defined entity groups (used in
relying-party.xml) from an MDQ service.  We have other entity groups
defined but they don't appear in relying-party.xml (this appears to be
the differentiator).

Our metadata resolver is configured using a ChainingMetadataProvider
to retrieve (in order) from:
- Several FilesystemMetadataProvider sources, some of which contain
EntitiesDescriptor elements for grouping SPs
- Several FileBackedHTTPMetadataProvider sources, which retrieve some
high-traffic SPs from a federation
- A DynamicHTTPMetadataProvider to retrieve all other SPs from a federation

In 3.3.3, everything is working "as expected", and I can see a test SP
being retrieved correctly in the log via MDQ:
    Successfully loaded new EntityDescriptor with entityID 'https://test.ukfederation.org.uk/entity' from origin source

In 3.4.1, it still works, but the above message is followed by two
warnings (group names substituted):
    Non-ok status code '404' returned from remote metadata source: http://mdq.ukfederation.org.uk/entities/entityGroupName1
    Non-ok status code '404' returned from remote metadata source: http://mdq.ukfederation.org.uk/entities/entityGroupName2

Both of the mentioned groups appear in our local
FilesystemMetadataProvider sources (which are listed before the MDQ
service in the ChainingMetadataProvider), so I'm not sure why this
retrieval is being attempted via the MDQ service.

Is there any change that I've missed in how that should operate, or is
this unexpected?

Any suggestions appreciated.

Many thanks
-- 
Nick Moriarty

University of York
e-mail disclaimer: http://www.york.ac.uk/docs/disclaimer/email.htm
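
A diagnostic for the behaviour reported above, as an added example that is not part of the original message or of the Shibboleth code base: it picks the MDQ "Non-ok status code" warnings out of an IdP log and reports which of the requested identifiers are already declared in local metadata as EntitiesDescriptor group names or entityIDs. The sample metadata, the log timestamps, the example.org entity IDs and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
WARN_RE = re.compile(
    r"Non-ok status code '(\d{3})' returned from remote metadata source:\s*(\S+)")

# Constructed sample of a local file with nested, named entity groups.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="entityGroupName1">
  <EntityDescriptor entityID="https://sp1.example.org/shibboleth"/>
  <EntitiesDescriptor Name="entityGroupName2">
    <EntityDescriptor entityID="https://sp2.example.org/shibboleth"/>
  </EntitiesDescriptor>
</EntitiesDescriptor>"""

# Constructed log excerpt; the message texts are the ones quoted in the post.
SAMPLE_LOG = """\
09:00:01 INFO Successfully loaded new EntityDescriptor with entityID 'https://test.ukfederation.org.uk/entity' from origin source
09:00:01 WARN Non-ok status code '404' returned from remote metadata source: http://mdq.ukfederation.org.uk/entities/entityGroupName1
09:00:01 WARN Non-ok status code '404' returned from remote metadata source: http://mdq.ukfederation.org.uk/entities/entityGroupName2
09:05:12 WARN Non-ok status code '404' returned from remote metadata source: http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Funknown.example.org%2Fsp
"""

def local_names(xml_text):
    """Return (group names, entityIDs) declared in one local metadata document."""
    groups, entities = set(), set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag == MD_NS + "EntitiesDescriptor" and el.get("Name"):
            groups.add(el.get("Name"))
        elif el.tag == MD_NS + "EntityDescriptor" and el.get("entityID"):
            entities.add(el.get("entityID"))
    return groups, entities

def classify_mdq_failures(log_text, groups, entities):
    """Return (status, requested identifier, classification) per MDQ warning."""
    results = []
    for match in WARN_RE.finditer(log_text):
        status, url = match.groups()
        # MDQ puts the URL-encoded identifier after /entities/ in the path.
        ident = unquote(urlparse(url).path.rsplit("/entities/", 1)[-1])
        kind = ("local-group" if ident in groups
                else "local-entity" if ident in entities else "not-local")
        results.append((status, ident, kind))
    return results

if __name__ == "__main__":
    for row in classify_mdq_failures(SAMPLE_LOG, *local_names(SAMPLE_METADATA)):
        print(*row)
```

Rows classified `local-group` are the lookups described in the post: names that exist only as local groups and that the remote MDQ service cannot be expected to know.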

