From: Sander A. <sa....@fz...> - 2017-04-26 05:15:49
Hi Krzysztof,

thank you for your efforts. The IdP was from CSC. If it appears again, I
will contact you again.

Best regards,
Sander

On Tuesday, 25.04.2017, at 21:45 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 19.04.2017 at 12:22, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 19.04.2017 at 11:34, Sander Apweiler wrote:
> > > Hi Krzysztof,
> > >
> > > I got a problem report by a user about broken login with his home IdP.
> > > The IdP changed its certificate and it was not trusted by unity.
> > >
> > > [2017-04-19 07:32:47,210 [qtp304966690-1742]
> > > WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or
> > > processing failed
> > > pl.edu.icm.unity.server.authn.AuthenticationException: The SAML response
> > > is either invalid or is issued by an untrusted identity provider.]
> > >
> > > This IdP comes with eduGain metadata. The Metadata URL is updated once
> > > per hour. Reloading SAML authenticator did not solve the problem. A
> > > restart solved the problem. But restarts during the working time are
> > > not very welcome. Is there another solution to solve this problem?
> >
> > I'll look into it - likely some cache is not purged after metadata
> > reload.
>
> I've run quite a few tests and unfortunately I cannot reproduce this
> issue. All cases that I tried (e.g. with changed certificate DN in
> update or without DN change) worked fine - immediately after metadata
> reload a new certificate was used.
>
> I've found however another nasty problem related to SAML metadata
> reloading (#601 in tracker). While this other problem alone is rather
> not related with your case, its fix could also solve your issue: a small
> refactoring was applied to the overall process of metadata reloading -
> which should be now simplified and more stable.
>
> All in all if you notice such issue again please let us know, providing
> as much context as possible. Especially what was the IdP. I have some
> saved eduGAIN metadata dumps so chances are that I'll be able to
> reproduce the setup before and after update.
>
> Best
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...