By: David van Hoose named 27 Sep 2020 at 9:10 a.m. CDT

7 Responses
We restarted the *idp* service this morning to enable several new configurations. One metadata was not parsing according to the *idp-warn.log* file. When this happens, the entire Gluu Shibboleth instance fails and all accesses return a 503. We removed the Canvas trust relationship from our configuration, so the other 60 trust relationships would function. Since we removed the Canvas trust relationship, users can now login.

To rule out the 60 other configurations, we added the Canvas metadata via a file to a test instance with no other trust relationships. The result is that Gluu Shibboleth does not work. I have attached the Canvas metadata XML. I see nothing wrong with the metadata and we validated the metadata with OneLogin. You can observe the problem by using the attached metadata with a new trust relationship and then restarting the *idp* service.

Here is what I see repeated in the *idp-warn.log* file.

> 2020-09-27 13:55:38,808 - - ERROR [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:449] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Unable to unmarshall metadata
> 2020-09-27 13:55:38,809 - - ERROR [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:364] - Metadata Resolver FilesystemMetadataResolver SiteSP1: Error occurred while attempting to refresh metadata from '/opt/shibboleth-idp/metadata/AFE14DA7FAD7F545000265E63CE200061FF58C2E-sp-metadata.xml'

I have verified that the file exists. This was working prior to the restart this morning. Looking at the file, I suspect the issue is with the below element.

> <md:RequestedAttribute Name=""/>

What are your thoughts? Regardless of whether the metadata is bad, the entire Gluu Shibboleth instance should not be brought down by an error in a single trust relationship.
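A pre-flight check for the failure mode described in this post, as an added example that is not part of the thread and is not Gluu or Shibboleth code: it parses each SP metadata file with the Python standard library and reports the conditions the resolver error and the quoted element point at (malformed XML, a non-metadata root, a missing entityID, an AssertionConsumerService without Location or Binding, a RequestedAttribute with an empty Name, an undecodable X509Certificate), so a bad file fails the check before the restart rather than surfacing as a 503. The sample metadata, entity ID and certificate bytes below are constructed for the example; the metadata directory and service name in the usage note are the ones quoted in the post, and the restart command is an assumption about the deployment.

```python
"""Pre-flight linter for SAML SP metadata files before restarting the Shibboleth IdP.

Added example for this thread, not Gluu or Shibboleth code. The IdP refuses a
whole metadata file it cannot unmarshal, so this runs over every file first and
exits non-zero on any problem. Standard library only.
"""
import base64
import sys
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def lint_sp_metadata(xml_text):
    """Return a list of problem strings; an empty list means the file passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag == MD + "EntityDescriptor":
        entities = [root]
    elif root.tag == MD + "EntitiesDescriptor":
        entities = root.findall(MD + "EntityDescriptor")
    else:
        return [f"unexpected root element {root.tag}"]

    problems = []
    for entity in entities:
        entity_id = entity.get("entityID", "").strip()
        if not entity_id:
            problems.append("EntityDescriptor without entityID")
            entity_id = "<missing entityID>"
        roles = entity.findall(MD + "SPSSODescriptor")
        if not roles:
            problems.append(f"{entity_id}: no SPSSODescriptor (not SP metadata?)")
        for role in roles:
            for acs in role.findall(MD + "AssertionConsumerService"):
                if not acs.get("Location", "").strip() or not acs.get("Binding", "").strip():
                    problems.append(f"{entity_id}: AssertionConsumerService missing Location or Binding")
            # The element quoted in the post: Name is required and must not be empty.
            for svc in role.findall(MD + "AttributeConsumingService"):
                for ra in svc.findall(MD + "RequestedAttribute"):
                    if not ra.get("Name", "").strip():
                        problems.append(f"{entity_id}: RequestedAttribute with empty Name "
                                        f"in AttributeConsumingService index={svc.get('index', '?')}")
            # Certificates must be non-empty, decodable base64 (whitespace is allowed).
            for cert in role.iter(DS + "X509Certificate"):
                raw = "".join((cert.text or "").split())
                try:
                    if not raw:
                        raise ValueError("empty certificate")
                    base64.b64decode(raw, validate=True)
                except ValueError:
                    problems.append(f"{entity_id}: X509Certificate is not valid base64")
    return problems


# Constructed sample, not Canvas's metadata; the certificate content is a placeholder.
GOOD_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.edu/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBszCCAVkCAQE=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/saml/acs" index="1"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Same document with the element quoted in the post added to it.
BAD_SP_METADATA = GOOD_SP_METADATA.replace(
    "</md:AttributeConsumingService>",
    '  <md:RequestedAttribute Name=""/>\n    </md:AttributeConsumingService>')


def main(paths):
    """Lint each file and return 1 if any problem was found, so a restart script can gate on it."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for problem in lint_sp_metadata(fh.read()):
                print(f"{path}: {problem}")
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No arguments: demonstrate on the constructed samples.
    print("good:", lint_sp_metadata(GOOD_SP_METADATA))
    print("bad: ", lint_sp_metadata(BAD_SP_METADATA))
```

Run it as a gate in front of the restart, e.g. `python3 lint_sp_metadata.py /opt/shibboleth-idp/metadata/*-sp-metadata.xml && systemctl restart idp` (the `systemctl` form is an assumption; use whatever restarts the *idp* service on your host). It does not make the IdP tolerate a bad file, which is the behaviour the post objects to; it only stops you from restarting into a 503 when one trust relationship's metadata is broken, and it points at the offending entity and element instead of the resolver's generic "Unable to unmarshall metadata".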

By Mohib Zico staff 27 Sep 2020 at 9:16 a.m. CDT

>> Metadata Resolver FilesystemMetadataResolver SiteSP1: Unable to unmarshall metadata Yes, that definitely means... metadata is not good.

By Mohib Zico staff 27 Sep 2020 at 9:16 a.m. CDT

>> Regardless of whether the metadata is bad, the entire Gluu Shibboleth instance should not be brought down by an error in a single trust relationship. Unfortunately, it does. That's how shibboleth works.

By David van Hoose named 28 Sep 2020 at 9:54 a.m. CDT

@Mohib.Zico, I fixed the issue by removing the offending line from the metadata and loading by file. We have a ticket open to Canvas to resolve the invalid element. Is the version of Shibboleth that is included with Gluu the latest? Is it supported? It would be really good support if Gluu took point with Shibboleth in order to prevent these production outages.

By Mohib Zico staff 28 Sep 2020 at 12:18 p.m. CDT

Hi David,

>> Is the version of Shibboleth that is included with Gluu the latest?

Gluu Server 4.2.1 has the latest.

>> Is it supported?

Sorry, supported what?

>> It would be really good support if Gluu took point with Shibboleth in order to prevent these production outages.

I will definitely discuss the issue internally. Thanks!

By David van Hoose named 05 Oct 2020 at 7:24 a.m. CDT

@Mohib.Zico, sorry for the late response. Is Shibboleth directly or indirectly supported by Gluu?

By Mohib Zico staff 05 Oct 2020 at 7:38 a.m. CDT

>> Is Shibboleth directly or indirectly supported by Gluu?

Sorry, I think I didn't understand your question.

By Mohib Zico staff 12 Oct 2020 at 12:55 a.m. CDT

Please reopen the ticket if required. Thanks!