MetadataResolverService Initial load failed?
sgilbert at ucsb.edu
Sun Dec 1 18:56:18 EST 2019
Thanks for the info. I tend to stay away from validUntil commands in my
config, but this did get rid of the first metadata loading error. In general
there is something missing between our current 3.2.1 IdP version and the 3.4.6
version in that the metadata will not load. This newest error doesn't make
sense because the metadata-providers.xml is valid and well formed.
IAM System Admin
ETS Enterprise Technology Services
University of California Santa Barbara
On Thu, Nov 28, 2019 at 2:33 AM Alan Buxey <alan.buxey at myunidays.com> wrote:
> > The previous sysadmin got the shib service to run without the InCommon
> > validation cert, and just the URL for the InCommon metadata is in
> > metadata-providers.xml. I was surprised to discover this as I diagnosed this
>
> Well, you can do that - but that breaks one of the key trust/security
> principles of SAML federation, as someone could insert rogue data
> onto the remote server which you then take without checking.
> (This is why using just http rather than https is actually okay too -
> as the check is via the signature check of the data.)
>
> Likewise, you don't need to have the valid period check - that's an extra
> that's often added by admins on policy requirement. If you know, or
> get told, that it will be refreshed every X days, then check that
> (some federation metadata validity period is a year! :( ). A downside
> to this check is if the federation decide to sign for a longer period
> due to e.g. planned holiday periods.... so they sign on the e.g. 18th
> December for 3 weeks to cover until they are back for the new year - but
> you have a 2 week check.. download data. bang. invalid. right on top
> of when you want to go (but it would be working fine on the 25th
> because it's now only a 2 week period left.... happy times. ;-) )
>
> Your other error though - are you pulling in another metadata file
> that is a single entity rather than an entity container?
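To make the trust points in Alan's reply concrete, here is an added example (not taken from the thread or from the Shibboleth project's own documentation) of a metadata-providers.xml entry for a Shibboleth IdP v3: first the fetch-and-trust form the previous sysadmin apparently left behind, then the same provider with the federation signature check and a bound on validUntil. The file paths, the metadata URL, the certificate file name and the 14-day interval are assumptions chosen for illustration; the real signing certificate and download URL have to come from the federation itself.

```xml
<!-- Added example (not from the thread or the Shibboleth docs): two ways to
     load a federation aggregate in metadata-providers.xml on IdP v3.
     Paths, URL, certificate name and the P14D bound are assumed values. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- WEAK: no filters at all. Whatever is served at this URL, or injected
         on the way to it (plain http, nothing verified), becomes trusted SP
         metadata. Only one of the two providers below should exist in a
         real file; both are shown to contrast them. -->
    <MetadataProvider id="FederationUnchecked" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/federation-unchecked.xml"
        metadataURL="http://md.example.org/federation-metadata.xml">
    </MetadataProvider>

    <!-- HARDENED: trust rests on the federation's signing key, not on the
         transport, which is why plain http is acceptable here. -->
    <MetadataProvider id="FederationMD" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/federation-metadata.xml"
        metadataURL="http://md.example.org/federation-metadata.xml"
        maxRefreshDelay="PT4H">

        <!-- Reject the whole aggregate unless its root element carries a
             signature that verifies against the federation certificate
             obtained out of band. Keep this filter first. -->
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/federation-signing-cert.pem"/>

        <!-- Optional policy check: refuse an aggregate whose validUntil is
             more than 14 days out. This is the trade-off in the reply: a
             federation that signs three weeks ahead over a holiday will be
             rejected by a two-week bound until enough time has elapsed. -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

        <!-- An IdP only needs Service Provider roles from the aggregate. -->
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
</MetadataProvider>
```

The signing certificate should be fetched once, its fingerprint compared against the value the federation publishes, and then kept locally; after that, every refresh is checked against it regardless of where the aggregate was downloaded from. On the second question in the reply, a provider such as FilesystemMetadataProvider accepts a file whose root is either an EntitiesDescriptor container or a single EntityDescriptor, so a one-entity file is fine on its own; several EntityDescriptor elements concatenated without a container is not well-formed XML and will fail to load.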