AW: Timeout when requesting status page while metadata refresh

Bergmann, Clemens clemens.bergmann at
Fri Sep 3 08:40:11 UTC 2021


thanks again for the idea on using the metrics endpoint. I have configured access for the LB it will be switched over to the path "/idp/profile/admin/metrics/net.shibboleth.idp.version".

On the other hand if the status page is effected by remote metadata refresh timeouts how can I be sure that the rest of the IdP operation is not? Switching the LB might even make the situation worse as the LB might think the backend server is working but users might face timeouts.

The only option I see to confidently keep this IdP running is to only use remote metadata with sources that should be available most of the time (i.e. Federation metadata). If I read [1] correctly it does not make any recommendations regarding remote metadata availability. It only emphasizes the importance of trust and that the metadata should not expire. I am happy with metadata "not be loaded by the Shibboleth metadata resolver" when the remote-metadata  source (the remote SP) is not available for longer than "validUntil". I am not OK with user facing timeouts whenever a remote SP is not available.

Is the result a recommendation of not using remote metadata for sources other than Federation metadata?


Viele Grüße
Clemens (Bergmann)
Clemens Bergmann
Gruppe Nutzermanagement und Entwicklung
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64289 Darmstadt
Tel. +49 6151 16 71184

> -----Ursprüngliche Nachricht-----
> Von: users <users-bounces at> Im Auftrag von Cantor, Scott
> Gesendet: Donnerstag, 2. September 2021 15:21
> An: Shib Users <users at>
> Betreff: Re: Timeout when requesting status page while metadata refresh
> On 9/2/21, 9:17 AM, "users on behalf of Bergmann, Clemens" <users-
> bounces at on behalf of clemens.bergmann at tu-
>> wrote:
> >   thanks for the fast reply. I will look into the metrics endpoints. Do you
> have any suggestion on what metric
> > might be appropriate for LB inclusion?
> I use "port open", I have never found a compelling reason to use anything
> else. So I have no idea.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-
> unsubscribe at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6377 bytes
Desc: not available
URL: <>

More information about the users mailing list