WAYF can't consume SAML metadata with IdPs only
|Assignee:||Lukas Hämmerle||% Done:|
|Affected Version:||Every version before 1.20.2|
We tried changing the configuration of our test WAYF instance to consume RENATER's new metadata feed. This metadata file includes SPs and IdPs in separate files. We configured the WAYF to load the metadata file that includes the IdPs and we disabled the $enableDSReturnParamCheck configuration parameter.
Here is what we've noticed: we had old SProvider.metadata.php and IDProvider.metadata.php staying in the wayf directory. While running the readMetadata.php the IDProvider.metadata.php gets updated, but because the SAML metadata don't include any SP, the SProvider.metadata.php did not get updated. Therefore every time a user accesses the WAYF, the code triggers the update of SProvider.metadata.php thus reloading the metadata. This function takes a lot of CPU and in the end does not update SProvider.metadata.php. This makes the service almost unuseable, given our federation's metadata file size.
I tried to remove the SProvider.metadata.php file, but then the WAYF code dies.
I suggest the code should be changed to create an empty SProvider.metadata.php file if no SP was found in the SAML metadata.
#1 Updated by Lukas Hämmerle over 2 years ago
- Status changed from New to In Progress
- Priority changed from Normal to High
- Target version set to 1.20.2
- % Done changed from 0 to 50
I could reproduce this. There is indeed a problem because the array of SPs is not properly initialized in case there are no SPs found in metadata. I will fix this in the next bugfix release. In the mean time, there is an easy fix you can apply by adding to readMetadata.php on line 229:
$metadataIDProviders = array();
$metadataSProviders = array();
#2 Updated by Olivier Salaun over 2 years ago
Thank you for your quick answer and for the quick fix.
I think this behavior of the SWITCH WAYF existing releases will force us to publish additional metadata files including both SPs and IdPs. Otherwise our institutions will have to upgrade their WAYF before using our new metadata files; that will not be scalable...
#3 Updated by Lukas Hämmerle over 2 years ago
- % Done changed from 50 to 70
- Affected Version changed from 1.20.1 to Every version before 1.20.2
You're welcome.If the institutions have $useSAML2Metadata = true and metadata contains only IdPs, then there are indeed only the following options:
- Set $useSAML2Metadata = false (and update IdP entries manually)
- Update to 1.20.2 (once it is released)
- Add a single (dummy) SP to the metadata as a workaround for this problem.