Metadata documents which contain ` ` are loaded, and their signature verified, by shibd without problem on the initial request from the upstream source.
If shibd subsequently attempts to read the locally cached copy of the same metadata document, it cannot verify the signature and the service begins to fail.
The current theory is that unexpected normalization is occurring when shibd writes out the cached metadata document, which would account for the invalid-signature state that follows.
We've seen this happen within the AAF, and it has also happened recently with an entity that was entered via eduGAIN. This seems to impact 'free text' descriptive fields in particular; my thought is that the cause is copy/paste from Word documents (or similar on Windows) into these fields.
As a workaround the AAF is now filtering out all instances of ` ` from metadata documents prior to signing. This has no impact on our metadata XML and ensures shibd continues to function.
Environment
$> cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

$> yum info shibboleth
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Installed Packages
Name        : shibboleth
Arch        : x86_64
Version     : 2.5.6
Release     : 3.1
Size        : 4.9 M
Repo        : installed
From repo   : security_shibboleth
Summary     : Open source system for attribute-based Web SSO
URL         : http://shibboleth.net/
License     : Apache 2.0
Description : Shibboleth is a Web Single Sign-On implementations based on OpenSAML
            : that supports multiple protocols, federated identity, and the extensible
            : exchange of rich attributes subject to privacy controls.
            :
            : This package contains the Shibboleth Service Provider runtime libraries,
            : daemon, default plugins, and Apache module(s).
Discussion of this issue is available at http://marc.info/?l=shibboleth-users&m=145853734225037
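The following is an added illustration of the failure mode and of the pre-signing filter described above; it is not shibd or AAF code. It assumes the character in question is the non-breaking space (U+00A0), that the cached copy differs from the upstream bytes only by that character being normalized on write (the theory stated above, not a confirmed cause), and it uses a plain SHA-256 over the serialized bytes to stand in for the signature's reference digest. The metadata fragment, entityID and organisation name are constructed for the example.

```python
"""Model of the cached-metadata signature failure and the AAF-style workaround.

Added example, not code from shibd or the AAF.  Assumptions (not from the
issue text): the offending character is U+00A0, the cache write normalizes it
to an ordinary space, and a SHA-256 over the UTF-8 bytes stands in for the
XML signature's DigestValue (a real verifier canonicalizes first, but any
change to the bytes it canonicalizes breaks the digest just the same).
"""
import hashlib
import xml.etree.ElementTree as ET

NBSP = "\u00a0"

# Constructed metadata fragment (not real federation metadata).  The
# OrganizationDisplayName carries a non-breaking space, as pasted from a
# word processor into a free-text field.
METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://sp.example.edu/shibboleth">'
    "<Organization>"
    '<OrganizationDisplayName xml:lang="en">'
    "Example" + NBSP + "University"
    "</OrganizationDisplayName>"
    "</Organization>"
    "</EntityDescriptor>"
)


def digest(xml_text: str) -> str:
    """SHA-256 over the UTF-8 serialization; stands in for the DigestValue."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def find_nbsp(xml_text: str) -> list:
    """Return (local element name, text) for every element whose text
    contains U+00A0.  This is the pre-signing check a federation operator
    would run over a metadata aggregate."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.text and NBSP in elem.text:
            hits.append((elem.tag.split("}")[-1], elem.text))
    return hits


def simulate_cache_write(xml_text: str) -> str:
    """Model of the suspected normalization on cache write: U+00A0 collapsed
    to an ordinary space.  Assumed behaviour, not observed shibd code."""
    return xml_text.replace(NBSP, " ")


def strip_nbsp(xml_text: str, replacement: str = "") -> str:
    """AAF-style workaround: remove every U+00A0 before signing.  The issue
    says the character is filtered out; pass replacement=" " to substitute a
    plain space instead of deleting it."""
    return xml_text.replace(NBSP, replacement)


def survives_cache_roundtrip(xml_text: str) -> bool:
    """True iff the digest computed at signing time still matches the digest
    of what comes back out of the cache."""
    return digest(xml_text) == digest(simulate_cache_write(xml_text))


if __name__ == "__main__":
    print("fields containing U+00A0:", find_nbsp(METADATA))
    print("unfiltered survives cache round trip:", survives_cache_roundtrip(METADATA))
    filtered = strip_nbsp(METADATA, replacement=" ")
    print("filtered survives cache round trip:", survives_cache_roundtrip(filtered))
```

Running the script shows the unfiltered document failing the round trip while the filtered one passes; the `find_nbsp` scan is the useful part operationally, since it locates exactly which descriptive fields would need cleaning before an aggregate is signed.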