Re: [Metadata-Support] significant slowdown in XML Signature validation

  • From: Tom Scavo <>
  • Subject: Re: [Metadata-Support] significant slowdown in XML Signature validation
  • Date: Thu, 18 Feb 2016 12:52:35 -0500

On Thu, Feb 18, 2016 at 11:24 AM, Cantor, Scott <> wrote:
>> I wrote some scripts to take the InCommon metadata file, split it into two
>> files - one containing just SPs, the other containing IDPs, and then signed
>> them both with my own certificate (with the same sha256 signatures).
>> Loading just the IDP metadata file (which is about 13MB) and starting shibd
>> takes about 20 seconds, compared to over a minute for loading the whole
>> InCommon file. Furthermore, the resident size of the shibd process drops
>> from 256MB with the full InCommon file, down to about 120MB with just the
>> IDP metadata loaded.
>
> You can easily drop roles you don't want anyway, so I doubt that's a
> material difference, though obviously the verification time is.

+1

Jeffrey, can you add this filter and see if it makes a difference?

<!-- Consume all IdP metadata in the aggregate -->
<MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
</MetadataFilter>

See: https://spaces.internet2.edu/x/XAQjAQ

>> Is there any particular reason why InCommon puts all of the SPs and IDPs
>> together into one big metadata file? As I understand it, the Service Provider
>> only needs to load the metadata for IDPs, and vice-versa, so there's a lot of
>> bloat in the file that doesn't really need to be there for normal operations.
>
> That's obviously up to InC Ops. I would imagine the answer is that it never
> mattered much before and now it might help, but only in a relatively small
> way since one doesn't restart shibd very often.

I'll deflect that question momentarily :-) and suggest that Jeffrey
try the export aggregate. See: https://spaces.internet2.edu/x/vACVBQ

The export aggregate currently has 402 of the 424 total IdPs in the
InCommon Federation. Not sure that meets your production needs but at
least it might be useful for experimental purposes.

Tom
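As an added illustration (not code from this thread or from the Shibboleth project) of what the EntityRoleWhiteList filter quoted above does to an aggregate, the following Python script applies the same two-role whitelist to a constructed three-entity aggregate and reports what gets dropped. It uses only the standard library; the entity IDs and the sample aggregate are made up.

```python
# Emulates the EntityRoleWhiteList metadata filter: keep only the listed role
# descriptors and drop any EntityDescriptor left with no role at all.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Roles to retain, matching the two <RetainedRole> values in the filter above.
RETAINED_ROLES = frozenset({"IDPSSODescriptor", "AttributeAuthorityDescriptor"})

# Constructed sample aggregate (not InCommon's): an IdP, an SP, and an entity
# publishing both roles. protocolSupportEnumeration is omitted for brevity.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="urn:example:constructed">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor/><md:AttributeAuthorityDescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor/>
    <md:ContactPerson contactType="technical"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://both.example.org/">
    <md:IDPSSODescriptor/><md:SPSSODescriptor/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def local_name(tag):
    # ElementTree renders qualified names as "{namespace}local".
    return tag.rsplit("}", 1)[-1]

def is_role(elem):
    # SAML role elements are the EntityDescriptor children whose names end in
    # "Descriptor"; Extensions, Organization, ContactPerson, Signature do not.
    return local_name(elem.tag).endswith("Descriptor")

def apply_role_whitelist(xml_text, retained=RETAINED_ROLES):
    """Return (filtered XML, stats). Run only after the aggregate's signature has
    been verified: editing the document invalidates the enveloped signature."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    stats = {"entities_in": 0, "roles_dropped": 0, "kept": []}
    for entity in list(root.iter(f"{{{MD_NS}}}EntityDescriptor")):
        stats["entities_in"] += 1
        for role in [c for c in entity if is_role(c)]:
            if local_name(role.tag) not in retained:
                entity.remove(role)
                stats["roles_dropped"] += 1
        if any(is_role(c) for c in entity):
            stats["kept"].append(entity.get("entityID"))
        else:  # no retained role left: drop the whole entity, as the SP does
            parent_of[entity].remove(entity)
    return ET.tostring(root, encoding="unicode"), stats
```

Because the signature covers the whole aggregate, a role filter can only shrink what shibd keeps in memory after verification; it does not shorten the signature check itself.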
