Shibboleth(3.2.3) : Parsing of the Incommons-Medata.xml taking huge amount of time

Peter Schober peter.schober at
Thu Apr 14 09:33:15 UTC 2022

* Siddharth Satyakam via users <users at> [2022-04-13 19:18]:
> When we are restarting our Shibd.service during regular
> maintainance

Adding verifyBackup="false" to your signature validation filter is all
you need:

  <MetadataFilter type="Signature" certificate="example.crt" verifyBackup="false"/>

The exception being the very first start of the SP (or after all
cached files have disappeared for some reason; I'm imagining this may
be more common on containerized deployments without proper volumes for
the cache) -- there you'd either accept the very long startup time
(since it's a new service) or resort to downloading and checking the
signature yourself (e.g. using XmlSecTool or xmlsec1) and then moving
the metadata into place.


More information about the users mailing list