SP starts up and runs but systemd things it timed out
Herron, Joel D
herronj at uww.edu
Thu Sep 9 19:20:43 UTC 2021
So something is afoot then, I'm not loading any aggregates at all just my local IDP metadata file which is maybe 5kb.
Endpoints, certs, metadata, everything no errors or warnings the last thing I see in the log is:
2021-09-09 14:08:20 INFO Shibboleth.Listener : listener service starting
Startup to that line is less than a second.
Systemctl start shibd.service just hangs there till it timeouts and then begins the infinite loop
Description=Shibboleth Service Provider Daemon
ExecStart=/opt/shibboleth-sp/sbin/shibd -f -F
Metadata section from shib2.xml
<!-- metadata provider. -->
<MetadataProvider type="XML" url="XXXXXXX"
<MetadataFilter type="RequireValidUntil" maxValidityInterval="20734000"/>
<MetadataFilter type="Signature" certificate="XXXXXX"/>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" url="XXXXXXXX"
I can provide the shibd log if that'd be helpful
On 9/9/21, 1:46 PM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:
* Herron, Joel D <herronj at uww.edu> [2021-09-09 20:29]:
> I saw some mention of TimeoutStartSec as a potential workaround by
> setting it to something large like 2 or 4hrs but that seems like a
> bandaid for a miss configuration.
It is what it is. Verifying the signature on very large metadata
aggregates (e.g. the size of InCommon) takes an absurdly long time
these days. The technical reasons for that are well-known but
practically impossible to replace (as discussed on this list).
(I.e., if you're NOT verifying signatures here with the SP and/or the
SP does NOT load a very large metadata aggregate then something else
is afoot and you'd need to share more technical details.)
So the best workaround would be to stop loading very large aggregates,
in the case of InCommon you'd use their MDQ service instead (see
If that doesn't work for you for some reason I find that one of two
workarounds are very much tolerable:
1.a Make your the MetadataFilter of type=Signature has an
verifyBackup="false" XML attribute set.
1.b Disable systemds timeout *once* (set to "infinite") and let the SP
verify the metadata and write out a backup copy as usual.
Once that's done even restarts are very fast because of the previously
validated backup copy.
2. Download and verify metadata outside of the Shib SP (e.g. using a
shell script with curl, xmllint, xmlsec1 or XmlSecTool) and if all
your checks succeed move the metadata to a file system location the
Shib SP is configured to look for it, but without a MetadataFilter
of type=Signature in the SP.
In both cases you'll need to trust the local file system, but since
the SP loads keys and its own configuration from local files that's
not an additional worry.
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users