InCommon metadata support

["Cantor, Scott" <>]

> makes the startup take about 4 seconds from the first log entry (INFO
> OpenSAML.Config : opensaml 2.5.5 library initialization complete) until it’s
> ready to respond (INFO Shibboleth.Listener : listener service starting).  
> That
> of course eliminates all security of the metadata so not exactly something
> that can be done in any sort of real environment.

Ok, thanks for checking.

> With the MetadataFilter in place, it takes 90-120 seconds.  So something 
> with
> the signature process is chewing up a lot of time.   I’d probably suspect
> something in the XML canonicalization that happens as part of signature
> validation.  It seemed to be doing a ton of malloc calls, so I suspect that
> there’s something in the XML canonicalization that does that, and it 
> increases
> exponentially with the size of the metadata file being validated.

Yes, it does, that's more or less known about that code (it's not mine, I'm 
just stuck as the only maintainer left). I had thought the DOM portion alone 
was nearly as bad, but apparently not. Most of the performance issues with it 
had been reported on even larger files, but it's not that surprising.

> There’s likely little that can be done without significant effort into 
> profiling
> the XML libraries and seeing exactly what they’re doing.

And there's nobody to do that work, frankly. We shipped a solution to this 
problem years ago, but getting people to actually use it is up to the 
federations.

-- Scott