shibboleth-dev - Re: [Shib-Dev] OnDemand MetadataProvider
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] OnDemand MetadataProvider
- Date: Thu, 06 Jan 2011 05:07:49 -0500
- Organization: Itumi, LLC
You could create such an extension but when it comes down to it, it's really just a tradeoff. Either you want really fast updates and therefore have to have a short polling time (and deal with the load that creates) or you don't.
A different approach you could take is to look at the docs for the HTTP client that the provider is using. It does support socket keepalive and HTTP pipelining. Using both, or even just socket keepalive, would drastically reduce the cost of making a bunch of quick requests.
On 1/6/11 4:17 AM, Halm Reusser wrote:
Hi,
We are developing and deploying a virtual organization platform. A
requirement is that the IdPs of the users are as fast as possible aware
of new virtual organizations (in metadata).
So the effective time is metadata publication time of the VO platform
and the refresh time of the IdP, which is in our current setup 2h in
worst case.
Reduce the publication time to "on change" can be done.
We are thinking about to reduce the IdP refresh as well as to minimize
requests of the IdP to the metadata publication URL.
An approach might be to introduce a HTTPMetadataProvider with a refresh
delay of PT1M for example. As we expect not a high change rate, this
will cause a lot of unnecessary HTTP HEAD requests.
Our question is, might it be useful to provide a "OnDemand
MetadataProvider" which extends the HTTPMetadataProvider or is just a
configuration option of it and provides the following feature:
If entity for which metadata should be retrieved is unknown in memory
metadata check remote metadata if changed (HEAD) if yes, refresh,
continue as usual.
What do you think about it?
One issue bubbled up while discussing this feature was a potential
vulnerability to DoS attacks.
An attacker might send a faked authN requests to the IdP with unknown
entityIds. For each authN request a the IdP will do a HTTP HEAD request.
Assuming that a authN request is more expensive than a HTTP HEAD request
this concern might be ignored.
-Halm
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
- [Shib-Dev] OnDemand MetadataProvider, Halm Reusser, 01/06/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Chad La Joie, 01/06/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Lukas Hämmerle, 01/07/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Chad La Joie, 01/07/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Lukas Hämmerle, 01/07/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Patrik Schnellmann, 01/07/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Halm Reusser, 01/07/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Chad La Joie, 01/07/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Patrik Schnellmann, 01/10/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Lukas Hämmerle, 01/10/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Halm Reusser, 01/10/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Halm Reusser, 01/07/2011
- Re: [Shib-Dev] OnDemand MetadataProvider, Chad La Joie, 01/06/2011
Archive powered by MHonArc 2.6.16.