Bug #3514

readMetadata.php should use existing files IDProvider.metadata.php and SProvider.metadata.php if SAML metadata could not be parsed

Added by Olivier Salaun over 3 years ago. Updated almost 3 years ago.

Status: Closed
Start date: 2015-05-27
Priority: High
Due date:
Assignee: Lukas Hämmerle
% Done: 70%
Category: -
Target version: 1.20.1
Affected Version:

Description

Hello Lukas,

Our Discovery Service became unusable after our federation metadata became inaccessible. Here is a proposal to make the WAYF more robust in such situations.

In our case, access to the SAML metadata file was returning a 500 HTML error page, see attachment.
The SWITCH WAYF ended up loading the HTML page as a SAML metadata file. Hopefully it did not replace the IDProvider.metadata.php and SProvider.metadata.php files. But on the other hand it no longer loads these two files, because it detects that the SAML metadata file is more recent.

Attached patch brings 3 changes:
- parseMetadata() ensures that the metadata file has a root node with name 'EntitiesDescriptor'
- created new regenerate_metadata() function
- check the return code of regenerate_metadata() in readMetadata.php and if return is false use existing IDProvider.metadata.php file

Regards

500error.html (987 Bytes) Olivier Salaun, 2015-05-27 14:39

check_md_format_before_regenerate.patch (3.7 KB) Olivier Salaun, 2015-05-27 14:39

History

#1 Updated by Lukas Hämmerle over 3 years ago

  • Assignee set to Lukas Hämmerle
  • Priority changed from Normal to High
  • Target version changed from 1.20 to 1.20.1

#2 Updated by Lukas Hämmerle over 3 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 70

Added patch with r2994.
Needs some more testing.

Generally, the Discovery Service should not directly consume a metadata file downloaded with cURL. Metadata files should be downloaded, checked and verified with another tool like the Shibboleth Metadata Aggregator or the Shibboleth XML Sec tool (https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool).
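The check proposed in the description (reject the download unless its root element is an EntitiesDescriptor, and fall back to the existing IDProvider.metadata.php when regeneration fails) can be written in PHP as shown below. This is an added example, not the attached patch and not SWITCHwayf code; the function names, the cache file layout and the file paths are assumptions, and the sample inputs are constructed. It only applies the root-element check from the description and the fallback behaviour; the signature verification recommended in comment #2 is not something a root check gives you.

```php
<?php
// Added example (not SWITCHwayf code): only regenerate the cached
// IDProvider.metadata.php from a downloaded SAML metadata file if that file
// really is an md:EntitiesDescriptor; otherwise keep the existing cache.
// Function names, file paths and the cache format are assumptions.

const SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

/**
 * Parse $xml and return the DOMDocument only if it is well-formed XML whose
 * root element is md:EntitiesDescriptor; otherwise return null.
 */
function parseEntitiesDescriptor(string $xml): ?DOMDocument
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // no external entity loading (XXE)
    }
    $prevErr = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET);   // parser must never touch the network
    libxml_clear_errors();
    libxml_use_internal_errors($prevErr);

    // Not XML at all (an HTML error page with a DOCTYPE fails here), or a DOCTYPE
    // we did not expect in federation metadata: reject.
    if (!$ok || $doc->doctype !== null) {
        return null;
    }
    $root = $doc->documentElement;
    if ($root->localName !== 'EntitiesDescriptor' || $root->namespaceURI !== SAML_MD_NS) {
        return null;   // e.g. a well-formed <html> document: wrong root element
    }
    return $doc;
}

/**
 * Regenerate $idpCacheFile from $metadataFile. Returns true on success; on any
 * failure the existing cache file is left untouched and false is returned.
 */
function regenerateMetadata(string $metadataFile, string $idpCacheFile): bool
{
    $xml = @file_get_contents($metadataFile);
    if ($xml === false) {
        error_log("Could not read $metadataFile");
        return false;
    }
    $doc = parseEntitiesDescriptor($xml);
    if ($doc === null) {
        error_log("$metadataFile is not a SAML EntitiesDescriptor, keeping $idpCacheFile");
        return false;
    }

    // Collect the entityIDs of all entities that carry an IDPSSODescriptor.
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('md', SAML_MD_NS);
    $idps = [];
    foreach ($xpath->query('//md:EntityDescriptor[md:IDPSSODescriptor]') as $entity) {
        $idps[] = $entity->getAttribute('entityID');
    }
    if (count($idps) === 0) {
        error_log("No IdPs found in $metadataFile, keeping $idpCacheFile");
        return false;
    }

    // Write to a temporary file and rename, so the cache is replaced atomically
    // and a crash mid-write can never leave a truncated IDProvider.metadata.php.
    $tmp = $idpCacheFile . '.tmp.' . getmypid();
    $php = "<?php\n\$IDProviders = " . var_export($idps, true) . ";\n";
    if (file_put_contents($tmp, $php) === false || !rename($tmp, $idpCacheFile)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

// Constructed sample inputs: a minimal valid aggregate and an HTML error page
// of the kind a broken metadata server returns.
$goodMetadata = '<md:EntitiesDescriptor xmlns:md="' . SAML_MD_NS . '">'
    . '<md:EntityDescriptor entityID="https://idp.example.org/idp"><md:IDPSSODescriptor/></md:EntityDescriptor>'
    . '<md:EntityDescriptor entityID="https://sp.example.org/sp"><md:SPSSODescriptor/></md:EntityDescriptor>'
    . '</md:EntitiesDescriptor>';
$htmlError = "<html><body><h1>500 Internal Server Error</h1></body></html>";

// Caller flow as readMetadata.php would use it (paths are assumptions): if the
// download does not regenerate cleanly, keep using the existing cache file.
$metadataFile = sys_get_temp_dir() . '/metadata.xml';
$idpCacheFile = sys_get_temp_dir() . '/IDProvider.metadata.php';

file_put_contents($metadataFile, $goodMetadata);
regenerateMetadata($metadataFile, $idpCacheFile);        // cache is (re)built

file_put_contents($metadataFile, $htmlError);
if (!regenerateMetadata($metadataFile, $idpCacheFile)) { // HTML page rejected
    if (is_readable($idpCacheFile)) {
        require $idpCacheFile;                           // previous cache survives
    }
}
```

The root-element check only tells you the download is structurally SAML metadata; it does not tell you it came from the federation. Signature verification with a dedicated tool such as XmlSecTool or the Metadata Aggregator, as recommended in comment #2, belongs before the WAYF ever reads the file.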

#3 Updated by Lukas Hämmerle almost 3 years ago

Has been in use for several months on AAI Test WAYF.

#4 Updated by Lukas Hämmerle almost 3 years ago

  • Status changed from In Progress to Closed
