Comments (8)
IMHO a good MDQ client could take advantage of cacheDuration and validUntil, but right, a local MDX server is also sufficient.
Anyway, reloading metadata on every request seems to be a conceptual weakness to me.
I've managed to make SaToSa perform the MDQ, but I could not get it to verify the signature. I'd wait for the answer from PySAML devs until I share it, I might do it wrong.
For inacademia we use mdq support in pysaml2 instead of locally cached metadata for this reason. This seems to work very well.
Even using mdq for every request is silly, IMHO for a production service some caching is probably necessary.
Anyway, I could continue if I could figure out how to make pysaml use mdq, but I haven't found any docs/examples on the internet.
It's certainly not "silly". A good MDQ setup includes a cache layer, so it's just a network roundtrip away. In the InAcademia case it is likely that you'd get very little effect from moving the cache into the SATOSA process as opposed to having it in the MDQ server, but if you really want a cache "close" to SATOSA you can run an MDQ instance on the loopback interface.
you may want to log an issue with pysaml2 - I don't think @rohe watches this project
This only happens when SAMLMirrorFrontend is used. What actually happens is that metadata are read again because the configuration is reloaded every time the SAMLMirrorFrontend has to handle an Authentication Request.
The reason is that the aptly named def handle_authn_request (https://github.com/SUNET/SATOSA/blob/master/src/satosa/frontends/saml2.py#L453) calls _load_idp_dynamic_endpoints:

```python
def handle_authn_request(self, context, binding_in):
    """
    Loads approved endpoints dynamically
    See super class satosa.frontends.saml2.SAMLFrontend#handle_authn_request
    :type context: satosa.context.Context
    :type binding_in: str
    :rtype: satosa.response.Response
    """
    idp = self._load_idp_dynamic_endpoints(context)
    return self._handle_authn_request(context, binding_in, idp)
```

which contains a call to load() on the config object (https://github.com/rohe/pysaml2/blob/master/src/saml2/config.py) that will cause it to reload the config and parse the metadata into an internal structure on which to operate.
From a functionality perspective, the process of building a new Server object makes sense, but the subsequent reload of the metadata is unnecessary. The existing self.idp Server object can be used and extended by _load_idp_dynamic_endpoints, or the existing self.idp.metadata can be passed as a parameter to load() (which will require a pull request to be accepted in pysaml2) so that it won't need to load the metadata from the sources defined in the frontend configuration file.
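The two points raised in this thread, an MDQ client that honours cacheDuration and validUntil, and a frontend that does not re-read metadata on every authentication request, can be shown together with a small per-entity cache. This is an added illustration, not SATOSA or pysaml2 code; the fetcher callable, the MetadataCache class, the sample entityID and the one-hour default cacheDuration are all assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# xs:duration subset that covers the values normally seen in cacheDuration
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Parse cacheDuration values such as 'PT1H' or 'P1DT2H30M' into a timedelta."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError("unsupported duration: %s" % text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def parse_valid_until(text):
    """Parse a UTC xs:dateTime such as '2030-01-01T00:00:00Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class MetadataCache:
    """Hypothetical per-entity cache in front of an MDQ-style fetcher (entity_id -> XML bytes)."""
    def __init__(self, fetch):
        self.fetch = fetch
        self.entries = {}       # entity_id -> (EntityDescriptor element, expires_at)
        self.fetch_count = 0    # lets a caller see that repeated requests do not refetch

    def get(self, entity_id, now):
        entry = self.entries.get(entity_id)
        if entry and now < entry[1]:
            return entry[0]     # still fresh: no network round trip and no re-parse
        self.fetch_count += 1
        root = ET.fromstring(self.fetch(entity_id))
        if root.tag != MD_NS + "EntityDescriptor" or root.get("entityID") != entity_id:
            raise ValueError("metadata does not describe %s" % entity_id)
        expires = now + parse_duration(root.get("cacheDuration", "PT1H"))  # PT1H default is an assumption
        if "validUntil" in root.attrib:
            valid_until = parse_valid_until(root.get("validUntil"))
            if valid_until <= now:
                raise ValueError("metadata for %s is no longer valid" % entity_id)
            expires = min(expires, valid_until)   # never serve metadata past validUntil
        self.entries[entity_id] = (root, expires)
        return root

# Constructed sample EntityDescriptor standing in for an MDQ response
# (hypothetical entityID; real metadata would carry signed, fuller descriptors).
SAMPLE_MD = (b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
             b'entityID="https://sp.example.org/shibboleth" cacheDuration="PT1H" '
             b'validUntil="2030-01-01T00:00:00Z"/>')
```

A frontend holding one MetadataCache instance and calling get() per request would parse each entity's metadata once per cacheDuration window rather than once per authentication request.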
also related to #90 which makes this issue even more silly and urgent
@bajnokk the answer is use MDQ for huge metadata stores.
Please let us know if there is anything else; otherwise this issue will be closed in weeks.
thank you