Question
I've implemented a Spring SAML metadata provider that reads from a database and serves up both my service providers and identity providers. I'm also leveraging aliases to act as tenant identifiers.
My problem is that if I go into the database and modify the metadata for a particular identity provider to be different, it doesn't seem to have any effect until I restart the Spring SAML extension. This is independent of whether I wait for the MetadataManager reload thread to kick off.
What's being cached here? Can I prevent this behavior?
It looks like something is being cached in the SAML message validation code. If I start up the process with invalid metadata, then correct the metadata, I will, no matter what, get "Authentication Failed: Incoming SAML message is invalid".
Any help would be appreciated.
Edit: I believe I found the location where this is happening. In MetadataCredentialResolver.java, the credentials are cached via a call to cacheCredentials after they are retrieved from the metadata provider.
Answer 1:
I was able to solve this problem by overriding MetadataCredentialResolver and making cacheCredentials a no-op.
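The override described in the answer, written out as an added example (this is not code from the original post or from the Spring SAML project). It assumes the Spring Security SAML extension on OpenSAML 2, where `org.springframework.security.saml.trust.MetadataCredentialResolver` extends OpenSAML's resolver and exposes `cacheCredentials(MetadataCacheKey, Collection<Credential>)` as a protected method; the class name `NonCachingMetadataCredentialResolver` and the bean wiring are illustrative.

```java
import java.util.Collection;

import org.opensaml.xml.security.credential.Credential;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.trust.MetadataCredentialResolver;

/**
 * Resolver that never stores resolved signing/encryption credentials,
 * so every SAML message validation goes back to the MetadataManager
 * and therefore picks up metadata that was updated in the database.
 *
 * Trade-off: each inbound message re-resolves credentials from metadata
 * instead of hitting the in-memory cache, so resolution cost is paid
 * per message. For a database-backed provider this is usually acceptable
 * because the provider itself is where freshness is wanted.
 */
public class NonCachingMetadataCredentialResolver extends MetadataCredentialResolver {

    public NonCachingMetadataCredentialResolver(MetadataManager metadataManager, KeyManager keyManager) {
        super(metadataManager, keyManager);
    }

    /**
     * Deliberate no-op: skipping the cache store means stale credentials
     * for a tenant/alias can never be served after its metadata changes.
     * Signature assumed from OpenSAML 2's MetadataCredentialResolver.
     */
    @Override
    protected void cacheCredentials(MetadataCacheKey cacheKey, Collection<Credential> credentials) {
        // intentionally empty: do not cache
    }
}

/**
 * Illustrative wiring: the custom resolver replaces the default one used by
 * the SAML trust engines. Bean names are hypothetical; adapt to the existing
 * Spring SAML configuration (XML or Java) of the application.
 */
@Configuration
class SamlCredentialResolverConfig {

    @Bean
    public MetadataCredentialResolver metadataCredentialResolver(MetadataManager metadataManager,
                                                                 KeyManager keyManager) {
        return new NonCachingMetadataCredentialResolver(metadataManager, keyManager);
    }
}
```

When verifying the change, start the application with deliberately wrong IdP signing metadata for one alias, correct it in the database, wait for the MetadataManager refresh, and confirm that a subsequent assertion for that alias validates without a restart; the same test with the stock resolver is what reproduces the "Incoming SAML message is invalid" error from the question.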
Source: https://stackoverflow.com/questions/38081242/how-can-i-force-spring-saml-to-reread-my-idp-metadata