Shibboleth(3.2.3) : Parsing of the Incommons-Medata.xml taking huge amount of time
max.spicer at york.ac.uk
Thu Apr 14 11:03:53 UTC 2022
Am I right in thinking that the v4 equivalent of this is the
alwaysVerifyTrustedSource attribute on a SignatureValidation filter? This
defaults to false so will trust a FileBackedHTTPMetadataProvider's backup
file by default.
On Thu, 14 Apr 2022 at 10:33, Peter Schober via users <users at shibboleth.net> wrote:
> * Siddharth Satyakam via users <users at shibboleth.net> [2022-04-13 19:18]:
> > When we are restarting our Shibd.service during regular
> > maintenance
> Adding verifyBackup="false" to your signature validation filter is all
> you need:
> <MetadataFilter type="Signature" certificate="example.crt"
> The exception being the very first start of the SP (or after all
> cached files have disappeared for some reason; I'm imagining this may
> be more common on containerized deployments without proper volumes for
> the cache) -- there you'd either accept the very long startup time
> (since it's a new service) or resort to downloading and checking the
> signature yourself (e.g. using XmlSecTool or xmlsec1) and then moving
> the metadata into place.
Max Spicer - Identity Systems Developer
IT Services, University of York
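
The manual route mentioned in the quoted reply (download, check the signature yourself, then move the metadata into place), as an added example that is not part of the thread or of Shibboleth. It uses xmlsec1; the URL, the pinned signing certificate file and the destination path are assumptions supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the thread): fetch a metadata aggregate, verify its
# signature out of band with xmlsec1, and only then move it into place.
# URL, certificate file and destination path are caller-supplied assumptions.

# Check the XML signature against a pinned signing certificate.
# --id-attr registers the root element's ID attribute so the signature's
# Reference URI ("#...") can be resolved.
verify_metadata() {   # verify_metadata FILE CERT_PEM
    xmlsec1 --verify --pubkey-cert-pem "$2" \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
        "$1" >/dev/null 2>&1
}

# Verify CANDIDATE and atomically replace DEST with it. On any failure the
# existing DEST is left untouched, so the last good copy stays in use.
install_verified_metadata() {   # install_verified_metadata CANDIDATE CERT_PEM DEST
    candidate=$1 cert=$2 dest=$3
    [ -s "$candidate" ] || { echo "empty or missing: $candidate" >&2; return 1; }
    # Stage in DEST's directory so the final mv is a same-filesystem rename.
    staged=$(mktemp "$(dirname "$dest")/.metadata.XXXXXX") || return 1
    # Verify the staged copy itself, so the bytes checked are the bytes installed.
    if cp "$candidate" "$staged" && verify_metadata "$staged" "$cert"; then
        chmod 0644 "$staged" && mv -f "$staged" "$dest" && return 0
    fi
    echo "verification failed, keeping existing $dest" >&2
    rm -f "$staged"
    return 1
}

# Usage: script URL CERT_PEM DEST
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    curl -fsS --max-time 300 -o "$tmp" "$1" || exit 1
    install_verified_metadata "$tmp" "$2" "$3"
fi
```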