SP metadata cache keeps growing
Peter Schober
peter.schober at univie.ac.at
Thu Feb 27 15:00:29 EST 2020
* Cantor, Scott <cantor.2 at osu.edu> [2020-02-27 20:49]:
> I have not seen anything resembling that bad a result, so that means
> something's probably really wrong. Maybe the signature step is that
> bad now, but I didn't think so. I know the parsing isn't.
From the log I think it's signature validation:
2020-02-27 19:39:03 INFO Shibboleth.Application : building MetadataProvider of type XML...
2020-02-27 19:39:03 INFO OpenSAML.MetadataProvider : building MetadataFilter of type RequireValidUntil
2020-02-27 19:39:03 INFO OpenSAML.MetadataProvider : building MetadataFilter of type Signature
2020-02-27 19:39:03 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/etc/shibboleth/aconet-metadata-signing.crt)
2020-02-27 19:39:03 INFO XMLTooling.CredentialResolver.File : no private key resolved, usable for verification/trust only
2020-02-27 19:39:03 INFO OpenSAML.MetadataProvider : building MetadataFilter of type EntityRoleWhiteList
2020-02-27 19:39:08 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (http://eduid.at/md/aconet-interfed.xml)
2020-02-27 19:39:10 INFO OpenSAML.MetadataProvider : applying metadata filter (RequireValidUntil)
2020-02-27 19:39:10 INFO OpenSAML.MetadataProvider : applying metadata filter (Signature)
(still waiting)
But I can easily test this with that filter removed (well, tomorrow).
> If it's the signature, then it's first time mostly. If not, it's every time.
Good point, though I haven't checked the times w/o xmldsig validation.
> As always, MDQ is fine, until you need discovery.
ACK, though I still need to stand up an MDQ server and produce
thousands of small signed files (which will be fun using my
smartcard-HSMs...).
I haven't even heard any suggested activity wrt SAMLDS + MDQ, but then
I'm not that closely involved with GEANT, REFEDS, etc. anymore.
> I don't know what to say about that, I guess SeamlessAccess or bust.
In light of SA not ever remembering your used IDPs when blocking
cross-site access to the localStorage object (e.g. when blocking all
third-party cookies, as I do in every browser on every machine) that
significantly worsens the UX compared to e.g. local EDS deployments --
though ironically (or not) only for the privacy-concerned.
I don't think "Works well unless you care about your privacy" will be
an easy sell, especially to library folks, but then this has been
pointed out a year ago[1] (as I have been made aware) and I don't see
much resonance of that critique anywhere.
-peter
[1] https://go-to-hellman.blogspot.com/2019/05/ra21s-recommended-technical-approach-is.html
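For readers who want to reproduce the filter chain the log above shows (RequireValidUntil, Signature, EntityRoleWhiteList, in that order), here is an added example of the corresponding shibboleth2.xml MetadataProvider element. It is not taken from the post or from the ACOnet deployment; the URL and certificate path are the ones that appear in the log, the maxValidityInterval, backingFilePath, maxRefreshDelay values and the retained roles are assumptions, and the md: prefix assumes the urn:oasis:names:tc:SAML:2.0:metadata namespace is declared on the root element as in the stock shibboleth2.xml.

```xml
<!-- Added example, not from the original mail: a MetadataProvider that
     produces the filter sequence seen in the log (RequireValidUntil,
     Signature, EntityRoleWhiteList). Values marked "assumed" are not
     from the post. -->
<MetadataProvider type="XML" validate="true"
    url="http://eduid.at/md/aconet-interfed.xml"
    backingFilePath="aconet-interfed.xml"          <!-- assumed -->
    maxRefreshDelay="7200">                        <!-- assumed -->

    <!-- Reject aggregates without validUntil, or with one too far out
         (28 days here, assumed); this is what makes a stale or replayed
         aggregate expire even if the signing key is compromised later. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>

    <!-- Verify the XML signature over the whole aggregate with the
         federation signing certificate from the log. This is the step
         the log shows as "applying metadata filter (Signature)"; it runs
         on every (re)load of the aggregate, so the cost scales with the
         aggregate size. Remove it only for a timing experiment, never
         in production: without it anyone who can serve the URL can
         inject IdPs. -->
    <MetadataFilter type="Signature"
        certificate="/etc/shibboleth/aconet-metadata-signing.crt"/>

    <!-- Keep only the roles an SP needs; dropping SP entries shrinks the
         in-memory copy but happens after signature validation, so it
         does not reduce the cost of the Signature filter. -->
    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
```

When timing the filters as the mail proposes, compare three reloads of the same cached file: with all filters, with Signature removed, and with Signature restored; the difference between the first two isolates signature validation from parsing, and the third confirms the number is reproducible rather than a first-load effect.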