Shibboleth(3.2.3) : Parsing of the Incommons-Medata.xml taking huge amount of time

Max Spicer max.spicer at york.ac.uk
Thu Apr 14 11:03:53 UTC 2022


Am I right in thinking that the v4 equivalent of this is the
alwaysVerifyTrustedSource attribute on a SignatureValidation filter? This
defaults to false so will trust a FileBackedHTTPMetadataProvider's backup
file by default.

https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631654/SignatureValidationFilter

Max Spicer

On Thu, 14 Apr 2022 at 10:33, Peter Schober via users <users at shibboleth.net>
wrote:

> * Siddharth Satyakam via users <users at shibboleth.net> [2022-04-13 19:18]:
> > When we are restarting our Shibd.service during regular
> > maintenance
>
> Adding verifyBackup="false" to your signature validation filter is all
> you need:
>
>   <MetadataFilter type="Signature" certificate="example.crt" verifyBackup="false"/>
>
> The exception being the very first start of the SP (or after all
> cached files have disappeared for some reason; I'm imagining this may
> be more common on containerized deployments without proper volumes for
> the cache) -- there you'd either accept the very long startup time
> (since it's a new service) or resort to downloading and checking the
> signature yourself (e.g. using XmlSecTool or xmlsec1) and then moving
> the metadata into place.
>
> -peter


-- 
Max Spicer - Identity Systems Developer
IT Services, University of York
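
The manual route described in the quoted reply for a first start (download the metadata, check the signature yourself, then move it into place), as an added example that is not part of the original thread. It assumes xmlsec1 is installed and the federation's signing certificate is already pinned locally as PEM; the function names, paths and URL are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: seed the SP's metadata backing file only after an
# out-of-band signature check, so verifyBackup="false" never trusts an
# unverified file on first start.

# verify_sig <metadata.xml> <signer.pem>
# Check the XML signature on a SAML metadata aggregate against a pinned
# signing certificate. Returns non-zero on any failure.
verify_sig() {
    xmlsec1 --verify \
        --pubkey-cert-pem "$2" \
        --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
        "$1" >/dev/null 2>&1
}

# install_verified_metadata <downloaded.xml> <signer.pem> <backing-file>
# Fail closed: the backing file is replaced only if verification succeeds,
# and the replacement is an atomic rename inside the destination directory.
# Returns 0 on success, 1 on a bad signature, 2 on any other error.
install_verified_metadata() {
    src=$1 cert=$2 dest=$3
    [ -s "$src" ] || { echo "empty or missing: $src" >&2; return 2; }
    [ -r "$cert" ] || { echo "cannot read cert: $cert" >&2; return 2; }
    if ! verify_sig "$src" "$cert"; then
        echo "signature check FAILED, leaving $dest untouched" >&2
        return 1
    fi
    tmp=$(mktemp "$(dirname "$dest")/.metadata.XXXXXX") || return 2
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Usage (placeholder URL and paths; run before the SP's first start):
#   curl -fsS -o /tmp/aggregate.xml https://metadata.example.org/aggregate.xml
#   install_verified_metadata /tmp/aggregate.xml /etc/shibboleth/example.crt \
#       /path/to/cache/backing-file.xml
```

The signer certificate must come from a trusted channel rather than from the same download as the metadata, otherwise the check proves nothing.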