From: Krzysztof B. <kb...@un...> - 2017-04-25 19:46:33
Hi Sander,

On 19.04.2017 at 12:22, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 19.04.2017 at 11:34, Sander Apweiler wrote:
>> Hi Krzysztof,
>>
>> I got a problem report by a user about broken login with his home IdP.
>> The IdP changed its certificate and it was not trusted by unity.
>>
>> [2017-04-19 07:32:47,210 [qtp304966690-1742]
>> WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or
>> processing failed
>> pl.edu.icm.unity.server.authn.AuthenticationException: The SAML response
>> is either invalid or is issued by an untrusted identity provider.]
>>
>> This IdP comes with eduGAIN metadata. The metadata URL is updated once
>> per hour. Reloading the SAML authenticator did not solve the problem. A
>> restart solved the problem. But restarts during working time are
>> not very welcome. Is there another solution to this problem?
>
> I'll look into it - likely some cache is not purged after metadata reload.

I've run quite a few tests and unfortunately I cannot reproduce this issue. All cases that I tried (e.g. with a changed certificate DN in the update, or without a DN change) worked fine - immediately after the metadata reload the new certificate was used.

I've found, however, another nasty problem related to SAML metadata reloading (#601 in the tracker). While this other problem alone is not really related to your case, its fix could also solve your issue: a small refactoring was applied to the overall process of metadata reloading, which should now be simplified and more stable.

All in all, if you notice such an issue again please let us know, providing as much context as possible. Especially what the IdP was. I have some saved eduGAIN metadata dumps, so chances are that I'll be able to reproduce the setup before and after the update.

Best
Krzysztof
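A check a federation operator can run against two saved metadata dumps (e.g. hourly eduGAIN snapshots) to see which IdPs rotated their signing certificate, which is exactly the situation that needs reproducing above. This is an added example, not code from the thread or from Unity; the entityIDs and the base64 blobs in the sample metadata are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespace URIs.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signing_cert_fingerprints(metadata_xml: str) -> dict:
    """Map each IdP entityID to the SHA-256 fingerprints (hex) of the DER certificates
    in its signing KeyDescriptors. A KeyDescriptor with no 'use' attribute is valid for
    both signing and encryption, so it is included; encryption-only keys are skipped."""
    root = ET.fromstring(metadata_xml)
    fps = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        for idp in ed.findall("md:IDPSSODescriptor", NS):
            for kd in idp.findall("md:KeyDescriptor", NS):
                if kd.get("use", "signing") != "signing":
                    continue  # not used to sign responses, so irrelevant to trust failures
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    der = base64.b64decode("".join(cert.text.split()))  # drop PEM line wrapping
                    fps.setdefault(ed.get("entityID"), set()).add(hashlib.sha256(der).hexdigest())
    return fps


def rotated_idps(old_xml: str, new_xml: str) -> dict:
    """{entityID: (old fingerprints, new fingerprints)} for IdPs whose signing certs changed."""
    old, new = signing_cert_fingerprints(old_xml), signing_cert_fingerprints(new_xml)
    return {eid: (old.get(eid, set()), certs) for eid, certs in new.items()
            if old.get(eid, set()) != certs}


def _metadata(entries) -> str:
    """Build a constructed EntitiesDescriptor; cert bytes are placeholders, not real DER."""
    body = ""
    for entity_id, cert_bytes in entries:
        body += ('<md:EntityDescriptor entityID="%s"><md:IDPSSODescriptor '
                 'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
                 '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
                 '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
                 '</md:IDPSSODescriptor></md:EntityDescriptor>'
                 % (entity_id, base64.b64encode(cert_bytes).decode()))
    return '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">%s</md:EntitiesDescriptor>' % (
        NS["md"], NS["ds"], body)


# Constructed "before" and "after" dumps: example.org rotates its key, example.net does not.
OLD_DUMP = _metadata([("https://idp.example.org/idp", b"placeholder-cert-A"),
                      ("https://idp.example.net/idp", b"placeholder-cert-C")])
NEW_DUMP = _metadata([("https://idp.example.org/idp", b"placeholder-cert-B"),
                      ("https://idp.example.net/idp", b"placeholder-cert-C")])

if __name__ == "__main__":
    for eid, (before, after) in rotated_idps(OLD_DUMP, NEW_DUMP).items():
        print("%s rotated signing cert: %s -> %s" % (eid, sorted(before), sorted(after)))
```

Running it over the real dumps from before and after the hourly refresh tells you which IdP's new fingerprint the authenticator should have picked up after the reload.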