I’m having trouble getting the new DS to use a metadata source in my config which contains only one entry. This has been in the config for years and only 1.2.0 is having a problem (identical config in 1.1.3 works as expected).
For example, we have a categorized (list of lists=true) DS which lists protectnetwork.org as its own “federation” in the left side text box.
Upgrading an existing CDS from 1.1.3 to 1.2.0 makes protectnetwork disappear from the CDS page (no changes were made to wayfconfig.xml during the upgrade). I’ve tried enclosing their metadata in an EntitiesDescriptor, but that didn’t help. I can put their entity metadata into either fed1 or fed2 metadata and it shows up in the list just fine.
Here’s the relevant config (fed1 and fed2 are listed in the CDS, while protectnetwork is not):
<MetadataProvider
    displayName="ProtectNetwork Login"
    identifier="protnet"
    backingFile="/opt/shibboleth-ds/metadata/protectnetwork-metadata.xml"
    url="http://www.protectnetwork.org/protectnetwork-metadata.xml"/>

<DiscoveryServiceHandler
    location=".+/My_CDS.ds"
    jspFile="wayf-cds.jsp"
    errorJspFile="wayferror-cds.jsp"
    provideList="true"
    provideListOfList="true"
    showUnusableIdPs="true"
    default="false">
    <Federation identifier="fed1"/>
    <Federation identifier="fed2"/>
    <Federation identifier="protnet"/>
    <PluginInstance identifier="CookiePlugin"/>
</DiscoveryServiceHandler>
Is there something else I might need to set in the config for the new version?
Thanks!
A major motivation point of the 1.1.3 -> 1.2 upgrade was that no configuration change should be needed; but that you could make
changes to take advantage of all the new options if you wanted. So if something is needed, well that would be a bug.
I’ve not been able to reproduce this locally, so I’m not sure what to suggest. AFAICS you are correctly configured.
I know you'll have checked the logs at debug so I won't offend you by asking. Have you tried deleting the spool file
(/opt/shibboleth-ds/metadata/protectnetwork-metadata.xml) just in case that is implicated?
/Rod
> -----Original Message-----
> From: users-...@shibboleth.net [mailto:users-...@shibboleth.net] On Behalf Of Caskey, Paul
> Sent: 19 March 2012 21:28
> To: us...@shibboleth.net
> Subject: issue with CDS 1.2.0?
>
> I’m having trouble getting the new DS to use a metadata source in my config which contains only one
> entry. This has been in the config for years and only 1.2.0 is having a problem (identical config in
> 1.1.3 works as expected).
>
> For example, we have a categorized (list of lists=true) DS which lists protectnetwork.org as its own
> “federation” in the left side text box.
>
> Upgrading an existing CDS from 1.1.3 to 1.2.0 makes protectnetwork disappear from the CDS page (no
> changes were made to wayfconfig.xml during the upgrade). I’ve tried enclosing their metadata in an
> EntitiesDescriptor, but that didn’t help. I can put their entity metadata into either fed1 or fed2
> metadata and it shows up in the list just fine.
>
> Here’s the relevant config (fed1 and fed2 are listed in the CDS, while protectnetwork is not):
>
[Snip]
Here's the log:
10:02:36.441 - INFO [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:423] - New metadata succesfully loaded for 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:02:36.441 - INFO [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:271] - Next refresh cycle for metadata provider 'http://www.protectnetwork.org/protectnetwork-metadata.xml' will occur on '2012-03-20T18:02:36.395Z' ('2012-03-20T13:02:36.395-05:00' local time)
No WARN or ERROR messages in the log.
And, there are no metadata filters (yet).
Turn on debug logging for both the CDS and
'org.opensaml.saml2.metadata.provider' just to be sure everything is
covered.
On 3/20/12 11:34 AM, Caskey, Paul wrote:
> showUnusableIdPs="true" should take care of that, right?
> If so, I have that set for this DiscoveryServiceHandler.
>
> And, there are no metadata filters (yet).
Are you using DS or WAYF protocol to approach the DS? There shouldn't be a difference (modulo
https://issues.shibboleth.net/jira/browse/SDSJ-102) which should not apply here since that IdP does have a shibboleth <SSO>.
Is there anything interesting shown in the logs when you approach the DS?
It grabs and processes the metadata in question just fine:
10:46:20.004 - INFO [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:159] - Loading Metadata for ProtectNetwork Login
10:46:20.004 - DEBUG [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:341] - Metadata provider 'protnet' HTTP request timeout: 5000ms
10:46:20.004 - DEBUG [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:231] - Metadata provider 'protnet' refreshDelayFactor set to 0.75
10:46:20.004 - DEBUG [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:263] - Metadata provider 'protnet' maxRefreshDelay set to 14400000
10:46:20.004 - DEBUG [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:298] - Metadata provider 'protnet' minRefreshDelay set to 300000
10:46:20.004 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:253] - Beginning refresh of metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.004 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:249] - Attempting to fetch metadata document from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.051 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:334] - Attempting to extract metadata from response to request for metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:268] - Successfully fetched 6008bytes of metadata from http://www.protectnetwork.org/protectnetwork-metadata.xml
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:260] - Processing new metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:344] - Unmarshalling metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:388] - Filtering metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:490] - Applying metadata filter
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.MetadataFilterChain:54] - Applying filter edu.internet2.middleware.shibboleth.wayf.plugins.provider.BindingFilter
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:397] - Releasing cached DOM for metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:400] - Post-processing metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:403] - Computing expiration time for metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:406] - Expiration of metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml' will occur at 2012-03-20T19:46:20.004Z
10:46:20.082 - INFO [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:423] - New metadata succesfully loaded for 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - INFO [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:271] - Next refresh cycle for metadata provider 'http://www.protectnetwork.org/protectnetwork-metadata.xml' will occur on '2012-03-20T18:46:20.024Z' ('2012-03-20T13:46:20.024-05:00' local time)
Then, on the actual request, again, everything looks fine:
10:46:20.129 - INFO [edu.internet2.middleware.shibboleth.wayf.WayfService:260] - DS initialization completed.
10:46:32.172 - INFO [edu.internet2.middleware.shibboleth.wayf.WayfService:272] - Handling DS request.
10:46:32.187 - DEBUG [edu.internet2.middleware.shibboleth.wayf.DiscoveryServiceHandler:585] - Processing Idp Lookup for : https://mossext.utsystem.edu/shibboleth
10:46:32.187 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of https://mossext.utsystem.edu/shibboleth
10:46:32.187 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of https://mossext.utsystem.edu/shibboleth
10:46:32.187 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of https://mossext.utsystem.edu/shibboleth
10:46:32.187 - DEBUG [edu.internet2.middleware.shibboleth.wayf.DiscoveryServiceHandler:736] - Displaying WAYF selection page.
10:46:33.467 - INFO [edu.internet2.middleware.shibboleth.wayf.WayfService:272] - Handling DS request.
> -----Original Message-----
> From: users-...@shibboleth.net [mailto:users-
> bou...@shibboleth.net] On Behalf Of Rod Widdowson
> Sent: Tuesday, March 20, 2012 10:45 AM
> To: 'Shib Users'
> Subject: RE: issue with CDS 1.2.0?
>
If I create a local file with an EntitiesDescriptor containing both my SP and the ProtectNetwork IdP, then the DS displays ProtectNetwork in the left-side text box as a viable option.
If that same local file doesn't have my SP in the EntitiesDescriptor, then the PN option is not displayed.
FWIW, I have showUnusableIdPs="true" set in both the Default element and in this particular DiscoveryServiceHandler.
> -----Original Message-----
> From: users-...@shibboleth.net [mailto:users-
> bou...@shibboleth.net] On Behalf Of Caskey, Paul
> Sent: Tuesday, March 20, 2012 11:01 AM
> To: Shib Users
> Subject: RE: issue with CDS 1.2.0?
>
https://issues.shibboleth.net/jira/browse/SDSJ-108
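
A check for the condition reported earlier in this thread (ProtectNetwork was listed only when the same metadata file also contained the requesting SP), as an added example that is not code from the posters or from the Shibboleth project. The function names, the sample metadata and the IdP entityID are constructed for illustration; the SP entityID is the one shown in the log above.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MD = "{%s}" % NS
SP_ID = "https://mossext.utsystem.edu/shibboleth"  # SP entityID seen in the thread's log
IDP_ID = "https://idp.example.org/idp"             # constructed placeholder IdP

def _entity(entity_id, role):
    # Constructed minimal descriptor; real metadata carries endpoints and keys.
    return ('<md:EntityDescriptor xmlns:md="%s" entityID="%s"><md:%s/>'
            '</md:EntityDescriptor>' % (NS, entity_id, role))

def _wrap(*entities):
    return ('<md:EntitiesDescriptor xmlns:md="%s">%s</md:EntitiesDescriptor>'
            % (NS, "".join(entities)))

# Constructed stand-ins for the three metadata shapes tried in the thread.
SAMPLES = {
    "bare-idp": _entity(IDP_ID, "IDPSSODescriptor"),
    "wrapped-idp-only": _wrap(_entity(IDP_ID, "IDPSSODescriptor")),
    "wrapped-idp-and-sp": _wrap(_entity(IDP_ID, "IDPSSODescriptor"),
                                _entity(SP_ID, "SPSSODescriptor")),
}

def summarize_metadata(xml_text, sp_entity_id):
    """Return (idp_entity_ids, contains_sp) for one metadata document.

    Works for a bare EntityDescriptor root and for (nested) EntitiesDescriptor.
    """
    root = ET.fromstring(xml_text)
    idps, contains_sp = [], False
    for ent in root.iter(MD + "EntityDescriptor"):  # iter() includes the root
        eid = ent.get("entityID")
        if ent.find(MD + "IDPSSODescriptor") is not None:
            idps.append(eid)
        if eid == sp_entity_id and ent.find(MD + "SPSSODescriptor") is not None:
            contains_sp = True
    return idps, contains_sp

def providers_missing_sp(sources, sp_entity_id):
    """Names of metadata sources that define IdPs but not the requesting SP."""
    missing = []
    for name, xml_text in sources.items():
        idps, contains_sp = summarize_metadata(xml_text, sp_entity_id)
        if idps and not contains_sp:
            missing.append(name)
    return sorted(missing)

if __name__ == "__main__":
    for name in providers_missing_sp(SAMPLES, SP_ID):
        print("IdPs present but SP absent in:", name)
```

Run against the backing files of each MetadataProvider, this shows which sources match the case described in the thread: IdPs present, requesting SP absent.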