
shibboleth-dev - Re: restarting the IdP needed for change in trust roots?

Subject: Shibboleth Developers

  • From: Ian Young <>
  • To:
  • Subject: Re: restarting the IdP needed for change in trust roots?
  • Date: Tue, 01 Aug 2006 14:27:51 +0100

Chad La Joie wrote:

> How are you currently fetching your metadata?

The IdP in question is configured to look at a particular file using the standard XMLMetadata provider. We use metadatatool to suck the metadata down, verify the signature and then overwrite that file directly.

> Is it cached somewhere? Was that cache updated when you changed the metadata?

I think I'm saying that we don't do any of that, outside of the IdP itself. I did verify that the file itself had changed, and as I say it has always been my experience that, for example, new SPs have been no problem with this arrangement.

> The code that uses that particular is the ShibbolethTrust code in the common.provider package. You pass in a RoleDescriptor for the entity which is fetched from the metadata provider that you have configured. If the provider is caching the data and wasn't updated that would cause the problem. The trust code does not do any caching, so in theory you shouldn't need to restart.

That's what I thought. Might be my imagination, but the condition persisted for some hours before we thought to try a restart.

By coincidence it looks like we will be doing another similar change soon, so we can perhaps see whether it is repeatable. Kind of a slow business debugging something that only happens twice in a blue moon, though.

-- Ian




