reload-metadata & multiple metadata providers

Ryan Rumbaugh rrumbaugh at nebraska.edu
Fri Jul 26 12:28:27 EDT 2019


I think I get it now.

We have historically avoided reloading the metadata resolver service because for some of our IdPs it would "overwhelm" Tomcat/shib to the point of being unresponsive (largely due to the size of the InCommon md aggregate -- md query should take care of that concern in the future though). Because we have separated the InCommon md entry in our "base" image with the id of "NebraskaShibbolethMetadata" from the other campus specific metadata entries we can now load the local metadata providers in the campus image with reloading "everything". In my particular case, the following command worked now that I'm using the correct id.

curl -k "https://localhost:8443/idp/profile/admin/reload-metadata?id=ShibbolethMetadata"

Thanks!
--
Ryan Rumbaugh
Identity Management Specialist
Cybersecurity & Identity |ITS|
501 123.1, 68588-0203
University of Nebraska |nebraska.edu
Kearney|Lincoln|Omaha
402-472-0831 (o)

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Rod Widdowson
Sent: Friday, July 26, 2019 11:10 AM
To: 'Shib Users' <users at shibboleth.net>
Subject: RE: reload-metadata & multiple metadata providers

Reloading the metadata service is entirely different and would involve saying "reload-service".  It completely restarts the service including reloading all files.

Reloading metadata providers is about reloading one provider at the "level down" from that, so in your case you either have two files and that is the level at which you can reload or you have one file where the topmost element is a chaining provider.  Either way you cannot descend into the next level down.

So if you had a single file looking roughly like this

<MetadataProvider type="chaining">
	<MetadataProvider type="chaining" id="ShibbolethMetadata">
		<MetadataProvider type="chaining" id="NEFED"/>
	</MetadataProvider>
	<MetadataProvider type="chaining" id="NebraskaShibbolethMetadata">

And so on, you can reload NebraskaShibbolethMetadata and ShibbolethMetadata, but not NEFED.

Similarly if you had two files one for NebraskaShibbolethMetadata and the other ShibbolethMetadata 

Either way, you only get to choose from those two.

I suspect the team would entertain an RFE (if one was forthcoming) to look at the idea of allowing recursive descent into sub-providers, but a full fix might implicate the status page and gauges so it might blow up and not happen....

/Rod

> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On Behalf Of Ryan Rumbaugh
> Sent: 26 July 2019 16:44
> To: Shib Users <users at shibboleth.net>
> Subject: RE: reload-metadata & multiple metadata providers
> 
> Right, I can reload the metadata resolver service, my particular issue 
> is when using the bin/reload-metadata.sh
> (/idp/shibboleth/reload-metadata?id=XXXX) service which allows us to 
> reload a particular metadata entry in the metadata-providers.xml file instead of the entire service.
> 
> 
> --
> Ryan Rumbaugh

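The addressing rule Rod describes for the single-file case (direct children of the topmost chaining provider can be named in reload-metadata, anything deeper cannot), as an added example that is not part of the original thread or of Shibboleth's own code. The sample XML is constructed from the rough sketch in the thread, and `provider_levels` and `explain` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the sketch in the thread; not a real IdP config.
SAMPLE = """\
<MetadataProvider type="chaining">
  <MetadataProvider type="chaining" id="ShibbolethMetadata">
    <MetadataProvider type="chaining" id="NEFED"/>
  </MetadataProvider>
  <MetadataProvider type="chaining" id="NebraskaShibbolethMetadata"/>
</MetadataProvider>
"""

def local(tag):
    """Drop an XML namespace prefix so namespaced files are handled too."""
    return tag.rsplit("}", 1)[-1]

def provider_levels(xml_text):
    """Return (reloadable_ids, nested_ids) for one file whose topmost
    element is a chaining provider (assumption taken from the thread)."""
    root = ET.fromstring(xml_text)
    reloadable, nested = [], []
    for child in root:
        if local(child.tag) != "MetadataProvider":
            continue
        if child.get("id"):
            reloadable.append(child.get("id"))
        # Everything below a direct child is one level too deep to address.
        for deeper in child.iter():
            if deeper is child or local(deeper.tag) != "MetadataProvider":
                continue
            if deeper.get("id"):
                nested.append(deeper.get("id"))
    return reloadable, nested

def explain(xml_text, wanted):
    """Classify an id before passing it to reload-metadata?id=..."""
    reloadable, nested = provider_levels(xml_text)
    if wanted in reloadable:
        return "reloadable"
    if wanted in nested:
        return "nested"
    return "unknown"

if __name__ == "__main__":
    for pid in ("ShibbolethMetadata", "NebraskaShibbolethMetadata", "NEFED"):
        print(pid, "->", explain(SAMPLE, pid))
```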