[Shib-Users] timeout get SP metadata and reloading IDP


Filippo

Oct 7, 2009, 9:49:30 AM
to shibbole...@internet2.edu
Hi,
I've done some tests using a "File Backed HTTP Metadata Provider" like this one:
<MetadataProvider
    id="sp.mydomain.org"
    xsi:type="FileBackedHTTPMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    cacheDuration="3600"
    requestTimeout="10000"
    metadataURL="http://sp.mydomain.org/Shibboleth.sso/Metadata"
    backingFile="/opt/shibboleth-idp/metadata/sp.mydomain.org.xml"
/>

There are no problems if the service (shibd or apache) on
sp.mydomain.org is down and I reload the IDP,
but if the SP server is down (not only the service, but its IP
address is not responding either) there is a very long timeout when I try
to restart the IDP.

Is it possible to reduce this timeout?

Thank you in advance!

Filippo

Scott Cantor

Oct 7, 2009, 10:19:42 AM
to shibbole...@internet2.edu
Without answering the specific question (since I don't know the answer), I
just want to make sure you understand that there is no actual security in
that approach. Not even a little (such as would be the case with
self-asserting metadata at an SSL protected site).

That should be obvious, so if it isn't, telling us why so we can write some
material to explain that would also help.

In parallel, I suppose it's worth pointing out that the timeout question is
itself somewhat academic given that such a configuration should only be used
in a testing scenario.

-- Scott
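To make the "no actual security" point concrete, here is an added example (not from this thread and not the Shibboleth project's own shipped configuration) of the same provider as it would be written in an IdP 2.x relying-party.xml once the SP's metadata is published signed and the IdP verifies that signature before loading it. The fragment assumes the metadata, security and samlmd namespace prefixes declared in the stock relying-party.xml; the signer certificate path, the backing file path and the 7-day validity window (maxValidityInterval, which IdP 2.x reads as seconds) are assumptions chosen for illustration. Trust then comes from the signing key the IdP already holds, not from the URL, and not from the TLS certificate of whichever host serves the file.

```xml
<!-- Trust engine holding the key allowed to sign this metadata.
     Assumed path: the signer certificate is installed out of band, not fetched. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
                      xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="MetadataSigningCredential" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/metadata-signer.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>

<!-- Same provider as in the thread, now accepted only when the document carries
     a valid signature from the key above and a validUntil that is not too far out
     (so an old, captured copy cannot be replayed indefinitely). -->
<metadata:MetadataProvider id="sp.mydomain.org"
                           xsi:type="metadata:FileBackedHTTPMetadataProvider"
                           cacheDuration="3600"
                           requestTimeout="10000"
                           metadataURL="https://sp.mydomain.org/Shibboleth.sso/Metadata"
                           backingFile="/opt/shibboleth-idp/metadata/sp.mydomain.org.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <!-- Reject metadata with no validUntil, or one more than 7 days (604800 s) away. -->
        <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
                                 maxValidityInterval="604800" />
        <!-- Unsigned or wrongly signed metadata fails the filter and is not loaded. -->
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                 trustEngineRef="shibboleth.MetadataTrustEngine"
                                 requireSignedMetadata="true" />
        <!-- Only SP roles are kept from this source; an IdP role smuggled in is dropped. -->
        <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
            <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
        </metadata:MetadataFilter>
    </metadata:MetadataFilter>
</metadata:MetadataProvider>
```

Two practical notes. The metadata an SP generates at its own Shibboleth.sso/Metadata handler is not signed, so in practice the signed document is produced and published separately (which is what the second configuration later in this thread already does); the filter chain above is what turns that separate publication into something the IdP can actually check. And requestTimeout is independent of the signature question: it bounds the HTTP request, and, as the log later in this thread shows, it did not on its own bound a TCP connect to an address that never answers.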


Filippo

Oct 8, 2009, 10:51:01 AM
to shibbole...@internet2.edu
On Wed, Oct 7, 2009 at 4:19 PM, Scott Cantor <cant...@osu.edu> wrote:
> Without answering the specific question (since I don't know the answer), I
> just want to make sure you understand that there is no actual security in
> that approach. Not even a little (such as would be the case with
> self-asserting metadata at an SSL protected site).

Yes, I know. It is a testing scenario and I was in a hurry.

> In parallel, I suppose it's worth pointing out that the timeout question is
> itself somewhat academic given that such a configuration should only be used
> in a testing scenario.

I suppose there is a problem with timeouts.

New config:


<MetadataProvider
    id="sp.mydomain.org"
    xsi:type="FileBackedHTTPMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    cacheDuration="10"
    requestTimeout="10000"
    metadataURL="https://www.NotSpDomain.org/myCustomMetadata"
    backingFile="/opt/shibboleth-idp/metadata/sp.mydomain.org.xml"
/>

If I shut down the server www.NotSpDomain.org and restart the
Shibboleth service on the IDP, this happens:

16:16:21.435 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:228] - Refreshing cache of metadata from URL https://www.NotSpDomain.org/myCustomMetadata, max cache duration set to 10 seconds
16:16:21.435 - DEBUG [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:271] - Fetching metadata document from remote server
16:29:41.476 - WARN [org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider:101] - Unable to read metadata from https://www.NotSpDomain.org/myCustomMetadata attempting to read it from local backup
java.net.ConnectException: Connection timed out

and the IDP is still not responding; whereas if I stop only the Apache
server on the SP, it works fine.

Probably here we need a parameter like "wget --tries=1 --timeout=10"


Suggestions?

Thanks

Filippo
