issue with CDS 1.2.0?

Caskey, Paul

Mar 19, 2012, 5:28:27 PM3/19/12
to us...@shibboleth.net

I’m having trouble getting the new DS to use a metadata source in my config which contains only one entry. This has been in the config for years and only 1.2.0 is having a problem (identical config in 1.1.3 works as expected).

For example, we have a categorized (list of lists=true) DS which lists protectnetwork.org as its own “federation” in the left side text box.

Upgrading an existing CDS from 1.1.3 to 1.2.0 makes protectnetwork disappear from the CDS page (no changes were made to wayfconfig.xml during the upgrade). I’ve tried enclosing their metadata in an EntitiesDescriptor, but that didn’t help. I can put their entity metadata into either fed1 or fed2 metadata and it shows up in the list just fine.

Here’s the relevant config (fed1 and fed2 are listed in the CDS, while protectnetwork is not):

    <MetadataProvider
        displayName="ProtectNetwork Login"
        identifier="protnet"
        backingFile="/opt/shibboleth-ds/metadata/protectnetwork-metadata.xml"
        url="http://www.protectnetwork.org/protectnetwork-metadata.xml"/>

    <DiscoveryServiceHandler
        location=".+/My_CDS.ds"
        jspFile="wayf-cds.jsp"
        errorJspFile="wayferror-cds.jsp"
        provideList="true"
        provideListOfList="true"
        showUnusableIdPs="true"
        default="false">
        <Federation identifier="fed1"/>
        <Federation identifier="fed2"/>
        <Federation identifier="protnet"/>
        <PluginInstance identifier="CookiePlugin"/>
    </DiscoveryServiceHandler>

Is there something else I might need to set in the config for the new version?

Thanks!

Rod Widdowson

Mar 20, 2012, 6:07:56 AM3/20/12
to Shib Users
Paul,

A major motivation point of the 1.1.3-> 1.2 upgrade was that no configuration change should be needed; but that you could make
changes to take advantage of all the new options if you wanted. So if something is needed, well that would be a bug.

I’ve not been able to reproduce this locally, so I’m not sure what to suggest. AFAICS you are correctly configured.

I know you'll have checked the logs at debug so I won't offend you by asking. Have you tried deleting the spool file
(/opt/shibboleth-ds/metadata/protectnetwork-metadata.xml) just in case that is implicated?

/Rod


Caskey, Paul

Mar 20, 2012, 11:11:46 AM3/20/12
to Shib Users
I tried deleting the existing spool file and it did download a new file, but still does not show up in the DS.

Here's the log:
10:02:36.441 - INFO [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:423] - New metadata succesfully loaded for 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:02:36.441 - INFO [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:271] - Next refresh cycle for metadata provider 'http://www.protectnetwork.org/protectnetwork-metadata.xml' will occur on '2012-03-20T18:02:36.395Z' ('2012-03-20T13:02:36.395-05:00' local time)

No WARN or ERROR messages in the log.

Chad La Joie

Mar 20, 2012, 11:14:40 AM3/20/12
to Shib Users
Is this a case of items being filtered out before being displayed as
opposed to anything to do with the metadata itself?

Caskey, Paul

Mar 20, 2012, 11:34:00 AM3/20/12
to Shib Users
showUnusableIdPs="true" should take care of that, right?
If so, I have that set for this DiscoveryServiceHandler.

And, there are no metadata filters (yet).

Chad La Joie

Mar 20, 2012, 11:36:51 AM3/20/12
to Shib Users
Yes, that was the option I was thinking of but I'd still look in the
logs to make sure there isn't some issue around it.

Turn on debug logging for both the CDS and
'org.opensaml.saml2.metadata.provider' just to be sure everything is
covered.

Rod Widdowson

Mar 20, 2012, 11:45:22 AM3/20/12
to Shib Users
> showUnusableIdPs="true" should take care of that, right?
Absolutely.

Are you using DS or WAYF protocol to approach the DS? There shouldn't be a difference (modulo
https://issues.shibboleth.net/jira/browse/SDSJ-102) which should not apply here since that IdP does have a shibboleth <SSO>.

Is there anything interesting shown in the logs when you approach the DS?

Caskey, Paul

Mar 20, 2012, 12:00:38 PM3/20/12
to Shib Users
The logs indicate a normal startup - no WARN or ERROR.

It grabs and processes the metadata in question just fine:
10:46:20.004 - INFO [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:159] - Loading Metadata for ProtectNetwork Login
10:46:20.004 - DEBUG [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:341] - Metadata provider 'protnet' HTTP request timeout: 5000ms
10:46:20.004 - DEBUG [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:231] - Metadata provider 'protnet' refreshDelayFactor set to 0.75
10:46:20.004 - DEBUG [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:263] - Metadata provider 'protnet' maxRefreshDelay set to 14400000
10:46:20.004 - DEBUG [edu.internet2.middleware.shibboleth.wayf.IdPSiteSet:298] - Metadata provider 'protnet' minRefreshDelay set to 300000
10:46:20.004 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:253] - Beginning refresh of metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.004 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:249] - Attempting to fetch metadata document from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.051 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:334] - Attempting to extract metadata from response to request for metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:268] - Successfully fetched 6008bytes of metadata from http://www.protectnetwork.org/protectnetwork-metadata.xml
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:260] - Processing new metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:344] - Unmarshalling metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:388] - Filtering metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:490] - Applying metadata filter
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.MetadataFilterChain:54] - Applying filter edu.internet2.middleware.shibboleth.wayf.plugins.provider.BindingFilter
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:397] - Releasing cached DOM for metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:400] - Post-processing metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:403] - Computing expiration time for metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:406] - Expiration of metadata from 'http://www.protectnetwork.org/protectnetwork-metadata.xml' will occur at 2012-03-20T19:46:20.004Z
10:46:20.082 - INFO [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:423] - New metadata succesfully loaded for 'http://www.protectnetwork.org/protectnetwork-metadata.xml'
10:46:20.082 - INFO [org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:271] - Next refresh cycle for metadata provider 'http://www.protectnetwork.org/protectnetwork-metadata.xml' will occur on '2012-03-20T18:46:20.024Z' ('2012-03-20T13:46:20.024-05:00' local time)


Then, on the actual request, again, everything looks fine:
10:46:20.129 - INFO [edu.internet2.middleware.shibboleth.wayf.WayfService:260] - DS initialization completed.
10:46:32.172 - INFO [edu.internet2.middleware.shibboleth.wayf.WayfService:272] - Handling DS request.
10:46:32.187 - DEBUG [edu.internet2.middleware.shibboleth.wayf.DiscoveryServiceHandler:585] - Processing Idp Lookup for : https://mossext.utsystem.edu/shibboleth
10:46:32.187 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of https://mossext.utsystem.edu/shibboleth
10:46:32.187 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of https://mossext.utsystem.edu/shibboleth
10:46:32.187 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:518] - Searching for entity descriptor with an entity ID of https://mossext.utsystem.edu/shibboleth
10:46:32.187 - DEBUG [edu.internet2.middleware.shibboleth.wayf.DiscoveryServiceHandler:736] - Displaying WAYF selection page.
10:46:33.467 - INFO [edu.internet2.middleware.shibboleth.wayf.WayfService:272] - Handling DS request.

Caskey, Paul

Mar 20, 2012, 12:27:11 PM3/20/12
to Shib Users
It appears that the showUnusableIdPs="true" setting is not having the intended effect.

If I create a local file with an EntitiesDescriptor containing both my SP and the ProtectNetwork IdP, then the DS displays ProtectNetwork in the left-side text box as a viable option.

If that same local file doesn't have my SP in the EntitiesDescriptor, then the PN option is not displayed.

FWIW, I have showUnusableIdPs="true" set in both the Default element and in this particular DiscoveryServiceHandler.

Rod Widdowson

Mar 20, 2012, 1:49:02 PM3/20/12
to Shib Users