Shibboleth Developers

[Halm Reusser <>]

Hi,

We are developing and deploying a virtual organization platform. A
requirement is that the IdPs of the users are as fast as possible aware
of new virtual organizations (in metadata).

So the effective time is metadata publication time of the VO platform
and the refresh time of the IdP, which is in our current setup 2h in
worst case.

Reduce the publication time to "on change" can be done.

We are thinking about to reduce the IdP refresh as well as to minimize
requests of the IdP to the metadata publication URL.

An approach might be to introduce a HTTPMetadataProvider with a refresh
delay of PT1M for example. As we expect not a high change rate, this
will cause a lot of unnecessary HTTP HEAD requests.

Our question is, might it be useful to provide a "OnDemand
MetadataProvider" which extends the HTTPMetadataProvider or is just a
configuration option of it and provides the following feature:

If entity for which metadata should be retrieved is unknown in memory
metadata check remote metadata if changed (HEAD) if yes, refresh,
continue as usual.

What do you think about it?

One issue bubbled up while discussing this feature was a potential
vulnerability to DoS attacks.

An attacker might send a faked authN requests to the IdP with unknown
entityIds. For each authN request a the IdP will do a HTTP HEAD request.
Assuming that a authN request is more expensive than a HTTP HEAD request
this concern might be ignored.

-Halm