readMetadata.php should use existing files IDProvider.metadata.php and SProvider.metadata.php if SAML metadata could not be parsed
Assignee: Lukas Hämmerle
Our Discovery Service became unusable after our federation metadata became inaccessible. Here is a proposal to make the WAYF more robust in such situations.
In our case, access to the SAML metadata file was returning a 500 HTML error page, see attachment.
The SWITCH WAYF ended up loading the HTML page as a SAML metadata file. Hopefully it did not replace the IDProvider.metadata.php and SProvider.metadata.php files. But on the other hand it no longer loads these two files, because it detects that the SAML metadata file is more recent.
Attached patch brings 3 changes:
- parseMetadata() ensures that the metadata file has a root node with name 'EntitiesDescriptor'
- create a new regenerate_metadata() function
- check the return code of regenerate_metadata() in readMetadata.php and, if it returns false, use the existing IDProvider.metadata.php file
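The fallback described by the three patch items above, as an added example in PHP. It is not the attached patch or SWITCHwayf's own code; the file paths, the function names, the array layout written to the include files and the use of DOMDocument are assumptions. The structural check refuses anything whose root element is not md:EntitiesDescriptor (an HTML error page fails it), and the include files are written atomically so that a half-written file never replaces a good one.

```php
<?php
// Added example, not SWITCHwayf's own code. File paths, function names and
// the array layout written to the include files are assumptions.

const SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

// True only if $file is well-formed XML whose root element is md:EntitiesDescriptor.
// An HTML error page saved by curl (e.g. a 500 response) fails this check
// instead of being processed as metadata.
function isValidSamlMetadata(string $file): bool
{
    if (!is_readable($file) || filesize($file) === 0) {
        return false;
    }
    $previous = libxml_use_internal_errors(true);  // collect parse errors, do not print them
    $doc = new DOMDocument();
    $ok = $doc->load($file, LIBXML_NONET);         // never fetch external resources while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok || $doc->documentElement === null) {
        return false;
    }
    $root = $doc->documentElement;
    return $root->localName === 'EntitiesDescriptor'
        && $root->namespaceURI === SAML_MD_NS;
}

// Parses the metadata and rewrites the IdP and SP include files. Returns false
// and leaves both existing files untouched when the check above fails.
function regenerateMetadata(string $metadataFile, string $idpFile, string $spFile): bool
{
    if (!isValidSamlMetadata($metadataFile)) {
        error_log("$metadataFile is not a SAML EntitiesDescriptor; keeping $idpFile and $spFile");
        return false;
    }
    $doc = new DOMDocument();
    $doc->load($metadataFile, LIBXML_NONET);
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('md', SAML_MD_NS);

    $idps = [];
    $sps  = [];
    foreach ($xpath->query('//md:EntityDescriptor') as $entity) {
        $entityId = $entity->getAttribute('entityID');
        if ($xpath->query('md:IDPSSODescriptor', $entity)->length > 0) {
            $idps[$entityId] = ['Name' => $entityId];   // assumed minimal layout
        }
        if ($xpath->query('md:SPSSODescriptor', $entity)->length > 0) {
            $sps[$entityId] = ['Name' => $entityId];
        }
    }
    return writePhpArray($idpFile, 'IDProviders', $idps)
        && writePhpArray($spFile, 'SProviders', $sps);
}

// Writes "<?php $name = [...];" atomically: the old file is only replaced
// once the new one has been completely written to disk.
function writePhpArray(string $file, string $name, array $data): bool
{
    $tmp = $file . '.tmp.' . getmypid();
    $php = "<?php\n\$$name = " . var_export($data, true) . ";\n";
    if (file_put_contents($tmp, $php) === false) {
        return false;
    }
    return rename($tmp, $file);
}

// readMetadata.php logic: regenerate only when the download is newer than the
// include files, and fall back to the existing files whenever regeneration fails.
function loadProviders(string $metadataFile, string $idpFile, string $spFile): array
{
    if (file_exists($metadataFile)
        && (!file_exists($idpFile) || filemtime($metadataFile) > filemtime($idpFile))) {
        regenerateMetadata($metadataFile, $idpFile, $spFile);  // false => keep the old files
    }
    $IDProviders = [];
    $SProviders  = [];
    if (file_exists($idpFile)) { include $idpFile; }
    if (file_exists($spFile))  { include $spFile; }
    return [$IDProviders, $SProviders];
}
```

Because a rejected download keeps its newer mtime, loadProviders() will retry the regeneration on every request until a valid file arrives; each attempt logs one line, which is also the signal to alert on.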
#2 Updated by Lukas Hämmerle almost 4 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 70
Added patch with r2994.
Needs some more testing.
Generally, the Discovery Service should not directly consume a metadata file downloaded with curl. Metadata files should be downloaded, checked and verified with another tool like the Shibboleth Metadata Aggregator or the Shibboleth XML Sec tool (https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool).