Shibboleth(3.2.3) : Parsing of the Incommons-Medata.xml taking huge amount of time
Peter Schober
peter.schober at univie.ac.at
Thu Apr 14 09:33:15 UTC 2022
* Siddharth Satyakam via users <users at shibboleth.net> [2022-04-13 19:18]:
> When we are restarting our Shibd.service during regular
> maintenance
Adding verifyBackup="false" to your signature validation filter is all
you need:
<MetadataFilter type="Signature" certificate="example.crt" verifyBackup="false"/>
The exception being the very first start of the SP (or after all
cached files have disappeared for some reason; I'm imagining this may
be more common on containerized deployments without proper volumes for
the cache) -- there you'd either accept the very long startup time
(since it's a new service) or resort to downloading and checking the
signature yourself (e.g. using XmlSecTool or xmlsec1) and then moving
the metadata into place.
-peter
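
The first-start procedure described above (check the signature yourself, then move the metadata into place), as an added example that is not part of the original message. The function names, the METADATA_VERIFY_CMD override, all paths and the assumption that the aggregate's root element is EntitiesDescriptor are hypothetical; the signing certificate is whatever your Signature filter already points at (example.crt above).

```shell
#!/bin/sh
# Added example: seed the SP's metadata backing file with a pre-verified copy.
# Function names, paths and METADATA_VERIFY_CMD are assumptions for illustration.

# Check the XML signature on the aggregate against a pinned signing certificate.
# $1 = downloaded metadata file, $2 = PEM certificate (e.g. example.crt)
verify_metadata() {
    if [ -n "${METADATA_VERIFY_CMD:-}" ]; then
        # Hook for another verifier (e.g. a wrapper script around XmlSecTool)
        "$METADATA_VERIFY_CMD" "$1" "$2"
    else
        # Assumes the signed root element is md:EntitiesDescriptor with an ID attribute
        xmlsec1 --verify --pubkey-cert-pem "$2" \
            --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor "$1"
    fi
}

# Install $1 as $3 only if its signature verifies against $2.
# Returns 0 on success, 1 on signature failure, 2 on bad input, 3 on I/O error.
install_verified_metadata() {
    src=$1 cert=$2 dest=$3
    [ -s "$src" ] || { echo "empty or missing download: $src" >&2; return 2; }
    verify_metadata "$src" "$cert" >/dev/null 2>&1 || {
        echo "signature check failed, leaving $dest untouched" >&2
        return 1
    }
    # Stage next to the destination so the final rename is atomic:
    # shibd never sees a half-written file.
    tmp=$(mktemp "$(dirname "$dest")/.metadata.XXXXXX") || return 3
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest" || {
        rm -f "$tmp"
        return 3
    }
}

# Typical use before the very first start of the SP (placeholders, not real values):
#   curl -fsS -o /tmp/md.xml "$METADATA_URL"
#   install_verified_metadata /tmp/md.xml example.crt "$BACKING_FILE_PATH"
```

With verifyBackup="false" the SP loads the backing file without re-checking its signature, so only this script and shibd should be able to write to that directory.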