...
- If the metadata file does not have a `validUntil` attribute on the root element.
- If the `validUntil` attribute on the root element is expired.
- If a `validUntil` attribute on a child element is expired.
A metadata reload process should check each of the above conditions before accepting the metadata.
Warning: Verifying the signature on a SAML metadata file does not verify the expiration date. The only way to do that is to parse the XML.
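One way a reload job could apply the three `validUntil` checks listed above, as an added example that is not part of the original page or of any federation tooling. The function names and the sample metadata are constructed for illustration, and the sketch assumes the XML signature has already been verified by a separate tool.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the root is still valid, one child entity has expired.
SAMPLE = b"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation" validUntil="2030-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.org/shibboleth"
      validUntil="2020-06-01T00:00:00Z"/>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</EntitiesDescriptor>"""

def parse_valid_until(value):
    """Parse an xs:dateTime value; a value without a zone is treated as UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_metadata_expiry(xml_bytes, now=None):
    """Return a list of rejection reasons; an empty list means all checks passed."""
    now = now or datetime.now(timezone.utc)
    # Assumption: the input was signature-checked first. For untrusted input,
    # a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(xml_bytes)
    problems = []
    # Check 1: the root element must carry validUntil at all.
    if "validUntil" not in root.attrib:
        problems.append("root element has no validUntil attribute")
    # Checks 2 and 3: iter() yields the root first, then every descendant.
    for elem in root.iter():
        value = elem.attrib.get("validUntil")
        if value is None:
            continue
        where = "root" if elem is root else "child"
        name = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        try:
            expired = parse_valid_until(value) <= now
        except ValueError:
            # An unreadable date cannot be trusted, so it is a rejection too.
            problems.append(f"{where} element {name}: unparseable validUntil {value!r}")
            continue
        if expired:
            problems.append(f"{where} element {name}: validUntil {value} is expired")
    return problems

if __name__ == "__main__":
    for reason in check_metadata_expiry(SAMPLE):
        print("REJECT:", reason)
```

A refresh job would keep serving the previously accepted metadata file whenever this returns a non-empty list.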
Software Configuration
If you plan to use the Shibboleth software for federation, Shibboleth itself can download and verify the signed metadata, so you do not have to rely on any other tools. Regardless of your implementation, you can always set up a cron job to refresh your metadata, but in that case you will also need a tool to verify the XML signature at the time of refresh.
...