Shibboleth(3.2.3) : Parsing of the Incommons-Medata.xml taking huge amount of time

Max Spicer max.spicer at
Thu Apr 14 11:03:53 UTC 2022

Am I right in thinking that the v4 equivalent of this is the
alwaysVerifyTrustedSource attribute on a SignatureValidation filter? This
defaults to false so will trust a FileBackedHTTPMetadataProvider's backup
file by default.

Max Spicer

On Thu, 14 Apr 2022 at 10:33, Peter Schober via users <users at>

> * Siddharth Satyakam via users <users at> [2022-04-13 19:18]:
> > When we are restarting our Shibd.service during regular
> > maintainance
> Adding verifyBackup="false" to your signature validation filter is all
> you need:
>   <MetadataFilter type="Signature" certificate="example.crt"
> verifyBackup="false"/>
> The exception being the very first start of the SP (or after all
> cached files have disappeared for some reason; I'm imagining this may
> be more common on containerized deployments without proper volumes for
> the cache) -- there you'd either accept the very long startup time
> (since it's a new service) or resort to downloading and checking the
> signature yourself (e.g. using XmlSecTool or xmlsec1) and then moving
> the metadata into place.
> -peter
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at

Max Spicer - Identity Systems Developer
IT Services, University of York
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list