Metadata Typo Causes Integration Headaches
Marvin Addison
serac at vt.edu
Thu Sep 20 08:01:47 EDT 2018
On Wed, Sep 19, 2018 at 6:58 PM Brent Putman <putmanb at georgetown.edu> wrote:
> there's a layer that filters credentials by the supplied criteria. But I don't think that's what was going on here... See below
Thanks for taking the time to dig into this, Brent, really appreciate it.
> I think that the MetadataCredentialResolver was fundamentally unable to "see" the KeyInfo data, since it could not have been unmarshalled correctly. I think you would see log output from the below about an unknown child XMLObject from the KeyDescriptorUnmarshaller:
> log.debug("Ignoring unknown child element {}", childXMLObject.getElementQName());
>
> ... and I think this should have resulted in some output from the KeyInfoCredentialResolver (used by the MCR) like so:
> log.info("KeyInfo was null, any credentials will be resolved by post-processing hooks only");
I don't see either of those log lines over an entire day, which
included both metadata reloads and a Jetty restart.
> And then later, also from the KICR:
> log.debug("A total of {} credentials were resolved", credentials.size());
I do see that, but only in the success case after I had corrected my
XML namespace mistake. I've cleaned up logs for both a full failure
flow and success flow to facilitate comparison and further review:
https://gist.github.com/serac/2cb0b152afddfdbb3fcd16d1742bc998
(Please ignore the endpoint resolution failure in the success case,
which was an artifact of the way I was testing SSO.)
Thanks,
Marvin
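
Added example, not part of the original message or of the Shibboleth/OpenSAML code: a pre-deployment lint for the kind of XML namespace mistake discussed in this thread, which flags any KeyDescriptor child that is not in the expected namespace. The thread does not say what the typo was; the constructed sample assumes a wrong namespace URI on KeyInfo, and the function name and entityID are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Children the SAML metadata schema allows under md:KeyDescriptor.
ALLOWED = {f"{{{DS}}}KeyInfo", f"{{{MD}}}EncryptionMethod"}

# Constructed sample: the signing KeyInfo uses a namespace URI missing the
# trailing '#' (an assumed typo); the encryption KeyInfo is correct.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig">
        <ds:X509Data><ds:X509Certificate>MIIB...constructed</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIB...constructed</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def lint_key_descriptors(metadata_xml):
    """Return (entityID, use, problem) tuples for suspicious KeyDescriptors."""
    findings = []
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        eid = entity.get("entityID", "?")
        for kd in entity.iter(f"{{{MD}}}KeyDescriptor"):
            use = kd.get("use", "unspecified")
            # Report children in an unexpected namespace with their full
            # {namespace}localname so the bad URI is visible.
            for child in kd:
                if child.tag not in ALLOWED:
                    findings.append((eid, use, f"unexpected child {child.tag}"))
            # Without a correctly namespaced ds:KeyInfo no key can be read.
            if kd.find(f"{{{DS}}}KeyInfo") is None:
                findings.append((eid, use, "no ds:KeyInfo, so no credential"))
    return findings


if __name__ == "__main__":
    for finding in lint_key_descriptors(SAMPLE):
        print(finding)
```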