Metadata Typo Causes Integration Headaches

Marvin Addison serac at
Thu Sep 20 08:01:47 EDT 2018

On Wed, Sep 19, 2018 at 6:58 PM Brent Putman <putmanb at> wrote:
> there's a layer that filters credentials by the supplied criteria.  But I don't think that's what was going on here...  See below

Thanks for taking the time to dig into this, Brent, really appreciate it.

>  I think that the MetadataCredentialResolver was fundamentally unable to "see" the KeyInfo data, since it could not have been unmarshalled correctly.  I think you would see log output from the below about an unknown child XMLObject from the KeyDescriptorUnmarshaller:
> log.debug("Ignoring unknown child element {}", childXMLObject.getElementQName());
> ... and I think this should have resulted in some output from the KeyInfoCredentialResolver (used by the MCR) like so:
>"KeyInfo was null, any credentials will be resolved by post-processing hooks only");

I don't see either of those log lines over an entire day, which
included both metadata reloads and a Jetty restart.

> And then later, also from the KICR:
> log.debug("A total of {} credentials were resolved", credentials.size());

I do see that, but only in the success case after I had corrected my
XML namespace mistake. I've cleaned up logs for both a full failure
flow and success flow to facilitate comparison and further review:

(Please ignore the endpoint resolution failure in the success case,
which was an artifact of the way I was testing SSO.)


More information about the users mailing list