Trouble with signature filter skipping

Guillaume Rousse guillaume.rousse at
Fri Sep 14 05:25:24 EDT 2018

Le 10/09/2018 à 14:49, Tom Scavo a écrit :
> On Mon, Sep 10, 2018 at 7:43 AM Guillaume Rousse
> <guillaume.rousse at> wrote:
>> However, I've been unable to produce the expected log message ("Skipping
>> SignatureMetadataFilter on load from backup") in the SP logs, despite
>> setting the required category in shibd.logger configuration file
>> (log4j.category.OpenSAML.MetadataFilter.Signature=DEBUG).
> You probably already know this but the backup file is only referenced
> at startup.
>> Basically, it
>> doesn't have any effect, at least with my settings. What am I doing wrong ?
> I don't know, did you restart the SP?
Yes, I did, as my tests involved monitoring SP start time.
I finally found the answer in the documentation, after running the SP 
trough gdb: the backing file is just a backup, and not a cache, as I 
naively supposed:

If a url attribute is used, the downloaded resource is copied to this 
location. If the software is started and the remote resource is 
unavailable or invalid, the backing file is loaded instead

The issue is even worsened by the fact we often use the same metadata 
multiple times, in multiple application-specific configuration overrides 
:/ I guess we'll have to investigate dynamic metadata loading, as 
suggested by Scott in another thread.

Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3637 bytes
Desc: Signature cryptographique S/MIME
URL: <>

More information about the users mailing list