
Sometimes oxTrust won't modify Shibboleth config files when new attribute is added for a while #2319

Open
aliaksander-samuseu opened this issue Mar 24, 2023 · 1 comment


aliaksander-samuseu commented Mar 24, 2023

Description

When a new attribute is created and then added to a SAML Trust Relationship, at times oxTrust won't actually push the changes to the corresponding Shibboleth configuration for a while. It's normally fixed by restarting the "identity" service, but this may create a lot of confusion, as the user expects that the changes to the IDP should at least have reached the configuration on disk. It also makes troubleshooting harder when dealing with attribute release issues.

Steps To Reproduce

  1. Add a custom attribute to the LDAP schema and register it in oxTrust
  2. Create a SAML TR of any kind and add the new attribute to it
  3. Run the following command in the container: # grep -l -i -r -e 'YOUR_ATTR_NAME' /opt/shibboleth-idp/conf/

Expected behavior

At least the following three files must contain the newly added attribute right after the configuration is applied in oxTrust:

/opt/shibboleth-idp/conf/attribute-resolver.xml
/opt/shibboleth-idp/conf/attribute-filter.xml
/opt/shibboleth-idp/conf/attributes/gluu-attribute-rules.xml

Actual behavior

Very often you can see it in just two of the files: it's missing from the gluu-attribute-rules.xml file. That's what happened in the customer's setup where the issue was first encountered. The attribute won't be released in such a case. While I was testing by adding and removing the attribute from TRs, and the attribute itself from the server, I saw various delays in IDP configuration updates. The attribute can be added to a TR, but it still won't appear in the IDP's config after a few minutes. It can be removed from the server, but will still be listed in the gluu-attribute-rules.xml file for a while, but won't disappear even if "identity" is restarted.

Ideally, we want these configuration changes to be pushed to the IDP's config without the need to restart anything.
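As an added example (not code from this issue or from the Gluu/oxTrust project), the grep from step 3 can be turned into a check that reports which of the three files named in the expected behavior still lack the attribute, so an operator can tell whether a change has fully propagated before chasing an attribute release problem. It takes the conf directory as an argument instead of hardcoding /opt/shibboleth-idp/conf/, and the attribute name and the sample XML fragments below are constructed to mimic the symptom described (present in the resolver and filter, missing from gluu-attribute-rules.xml).

```shell
#!/bin/sh
# Added example: verify that an attribute has reached all three Shibboleth IdP
# config files oxTrust is expected to rewrite. Not part of the oxTrust project.

# Files named in the issue, relative to the IdP conf directory.
IDP_FILES="attribute-resolver.xml attribute-filter.xml attributes/gluu-attribute-rules.xml"

# missing_attr_files ATTR CONF_DIR
# Prints each file (relative to CONF_DIR) that does not contain ATTR.
# A file that cannot be read counts as missing. Returns 0 only when
# every file contains the attribute, 1 otherwise.
missing_attr_files() {
    attr="$1"
    conf="$2"
    rc=0
    for f in $IDP_FILES; do
        # -F: treat the attribute name literally, -i: case-insensitive as in the issue's grep
        if ! grep -q -i -F -e "$attr" "$conf/$f" 2>/dev/null; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# make_sample_conf DIR
# Builds a constructed conf tree reproducing the reported state: the attribute
# is present in attribute-resolver.xml and attribute-filter.xml but has not
# been written to attributes/gluu-attribute-rules.xml yet. Fragments are
# illustrative, not real oxTrust output.
make_sample_conf() {
    dir="$1"
    mkdir -p "$dir/attributes"
    cat > "$dir/attribute-resolver.xml" <<'EOF'
<AttributeDefinition id="myCustomAttr" sourceAttributeID="myCustomAttr"/>
EOF
    cat > "$dir/attribute-filter.xml" <<'EOF'
<AttributeRule attributeID="myCustomAttr"><PermitValueRule xsi:type="ANY"/></AttributeRule>
EOF
    cat > "$dir/attributes/gluu-attribute-rules.xml" <<'EOF'
<!-- constructed: attribute not propagated to this file yet -->
EOF
}

main() {
    tmp=$(mktemp -d)
    make_sample_conf "$tmp"
    echo "Files still missing myCustomAttr:"
    if missing_attr_files myCustomAttr "$tmp"; then
        echo "(none: attribute fully propagated)"
    else
        echo "(attribute not fully propagated to the IdP configuration)"
    fi
    rm -rf "$tmp"
}

main
```

Against a live container you would call `missing_attr_files YOUR_ATTR_NAME /opt/shibboleth-idp/conf` instead of the constructed tree; a non-zero exit status is the signal that the change has not fully reached disk, independent of what oxTrust's UI shows.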

aliaksander-samuseu (Contributor, Author) commented

It seems that updating the /opt/shibboleth-idp/conf/attributes/gluu-attribute-rules.xml file may happen after the attribute is registered in oxTrust, not after you add it to a TR. But it still sometimes happens with such a long delay that it's easier to restart oxTrust.


2 participants