LocalDynamic + MetadataFilters = possible bug?
Mak, Steve
makst at upenn.edu
Tue Jan 12 18:28:51 UTC 2021
Hey all,
I'm still seeing SP md reloads not picking up dynamic metadata filter entity attribute additions every now and then. And the result is complete lack of attributes because the filter rules then don't apply to the SP. The next time it reloads within the hour, the attributes come back, so it HAS to be related to this.
There's definitely something happening, but nothing in the non-debug logs indicates a problem, and we only see this in our production environment, which is very high traffic.
The previous workaround for one SP we saw this with was to explicitly define an attribute filter policy for that SP that did not rely on the MetadataFilter. So far no reports of that SP missing attributes since. This leads me to believe SOMETHING is not working correctly with the MetadataFilter in Java.
LOG lines before the problem appears and before the problem goes away (exact match 45 minutes to an hour later):
2021-01-12 10:53:55,557 - INFO [org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter:238] - Adding new EntityAttribute (entitygroup) to EntityDescriptor (redacted sp-entityID)
2021-01-12 10:53:55,557 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver:1078] - Metadata Resolver LocalDynamicMetadataResolver md-1: Successfully loaded new EntityDescriptor with entityID 'redacted sp-entityID' from origin source
Config follows:
metadata-providers.xml (maxIdleEntityData and maxCacheDuration are the only non-default attributes)
<MetadataProvider id="md-1" xsi:type="LocalDynamicMetadataProvider" sourceDirectory="%{idp.home}/metadata/eg/somelabel"
                  failFastInitialization="false"
                  refreshDelayFactor=".75"
                  minCacheDuration="PT10M"
                  maxCacheDuration="PT1H"
                  maxIdleEntityData="PT1H"
                  removeIdleEntityData="true"
                  cleanupTaskInterval="PT30M">
    <MetadataFilter xsi:type="EntityAttributes">
        <saml:Attribute Name="entitygroup">
            <saml:AttributeValue>somelabel</saml:AttributeValue>
        </saml:Attribute>
        <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
    </MetadataFilter>
</MetadataProvider>
attribute-filter.xml
<AttributeFilterPolicy id="afp_releaseToEntityLabel1">
    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="EntityAttributeExactMatch" attributeName="entitygroup" attributeValue="somelabel"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
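The post pairs two INFO lines per healthy reload: the EntityAttributesFilter line tagging the EntityDescriptor, then the LocalDynamicMetadataResolver line loading it. A load with no preceding filter line for the same entityID is the state the post describes (filter rule not applied, so the attribute filter policy no longer matches). The script below is an added example, not code from the post or from the Shibboleth project: it scans process-log text for that pattern and reports loads that were not preceded, within a short window, by a filter line for the same entity. The log line format is taken from the two lines quoted above; the 5-second pairing window and the entityIDs in the constructed sample are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the two lines quoted in the post.
# The entityIDs are placeholders; the third line shows a load with no filter line before it.
SAMPLE_LOG = """\
2021-01-12 10:53:55,557 - INFO [org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter:238] - Adding new EntityAttribute (entitygroup) to EntityDescriptor (https://sp-a.example.org/shibboleth)
2021-01-12 10:53:55,557 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver:1078] - Metadata Resolver LocalDynamicMetadataResolver md-1: Successfully loaded new EntityDescriptor with entityID 'https://sp-a.example.org/shibboleth' from origin source
2021-01-12 11:40:02,101 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver:1078] - Metadata Resolver LocalDynamicMetadataResolver md-1: Successfully loaded new EntityDescriptor with entityID 'https://sp-b.example.org/shibboleth' from origin source
2021-01-12 12:31:17,004 - INFO [org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter:238] - Adding new EntityAttribute (entitygroup) to EntityDescriptor (https://sp-b.example.org/shibboleth)
2021-01-12 12:31:17,006 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver:1078] - Metadata Resolver LocalDynamicMetadataResolver md-1: Successfully loaded new EntityDescriptor with entityID 'https://sp-b.example.org/shibboleth' from origin source
"""

TS_FMT = "%Y-%m-%d %H:%M:%S,%f"

# Generic line shape as shown in the post: "<timestamp> - <LEVEL> [<logger:line>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (?P<level>\w+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
# EntityAttributesFilter line: which attribute was added to which entity
FILTER_RE = re.compile(
    r"Adding new EntityAttribute \((?P<attr>[^)]+)\) to EntityDescriptor \((?P<entity>[^)]+)\)"
)
# Dynamic resolver line: which entity was (re)loaded from the origin source
LOAD_RE = re.compile(
    r"Metadata Resolver (?P<resolver>\S+) (?P<id>\S+): "
    r"Successfully loaded new EntityDescriptor with entityID '(?P<entity>[^']+)'"
)


def find_unfiltered_loads(log_text, attr_name="entitygroup", window=timedelta(seconds=5)):
    """Return [(timestamp_string, entityID)] for every dynamic load that was not
    preceded, within `window`, by an EntityAttributesFilter line adding `attr_name`
    to the same entity. Those are the reloads the attribute filter policy will miss."""
    last_filter = {}  # entityID -> datetime of the most recent filter application
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a line in the expected shape; skip it
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        msg = m.group("msg")

        f = FILTER_RE.search(msg)
        if f and f.group("attr") == attr_name:
            last_filter[f.group("entity")] = ts
            continue

        l = LOAD_RE.search(msg)
        if l:
            entity = l.group("entity")
            seen = last_filter.get(entity)
            # No filter line at all, or the last one is too old to belong to this reload
            if seen is None or ts - seen > window:
                findings.append((m.group("ts"), entity))
    return findings


if __name__ == "__main__":
    for ts, entity in find_unfiltered_loads(SAMPLE_LOG):
        print(f"{ts}  load without '{'entitygroup'}' filter line: {entity}")
```

Run it against the real process log (or pipe the relevant day through it) to get a list of reload timestamps and entityIDs to correlate with the windows in which attributes were missing; a non-empty list across reloads of the same entity is direct evidence for the behaviour described above, independent of user reports.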