...

Info

It is strongly recommended that all entities (InCommon SPs and IdPs) refresh metadata at least daily.

...

Once the certificate file is locally installed, you can use it to verify the signature on the metadata file. For example, you could use the XmlSecTool (or some similar 3rd-party tool) to verify the signature:

$ xmlsectool.sh --verifySignature --certificate incommon.pem --inFile InCommon-metadata.xml

You may want to schema validate the metadata as well:

$ xmlsectool.sh --validateSchema --schemaDirectory schema-files --inFile InCommon-metadata.xml

Any of a variety of 3rd-party tools could be used for this purpose. We provide a set of (modified) schema files that permit offline schema validation.

Expiry Verification

Federation metadata has an expiration date, much like an X.509 certificate. It is important that expired metadata not be accepted; otherwise an attacker could substitute stale, expired metadata during a metadata refresh. In particular, a metadata file should not be accepted if either of the following conditions is true:

...
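The conditions themselves are elided above. As an added example (not code from the InCommon page), the check below parses the `validUntil` attribute of a SAML metadata file and rejects metadata whose `validUntil` is in the past or missing; it also rejects a `validUntil` unreasonably far in the future, where the 14-day window is an assumed local policy, not a value stated on this page. The sample metadata is constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a minimal metadata aggregate with a validUntil attribute.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:constructed" validUntil="2024-01-15T20:00:00Z">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</EntitiesDescriptor>
"""

def parse_utc(value):
    # SAML metadata dateTime values are UTC with a trailing 'Z' (no fractional
    # seconds assumed here); anything else is treated as malformed.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_valid_until(xml_text):
    """Return the validUntil of the root EntitiesDescriptor/EntityDescriptor, or None."""
    root = ET.fromstring(xml_text)
    allowed = {"{%s}EntitiesDescriptor" % MD_NS, "{%s}EntityDescriptor" % MD_NS}
    if root.tag not in allowed:
        raise ValueError("root element is not SAML metadata: %s" % root.tag)
    value = root.get("validUntil")
    return parse_utc(value) if value is not None else None

def check_expiry(xml_text, now_utc, max_validity_days=14):
    """Decide whether to accept a metadata file at time now_utc (ISO 8601, 'Z').

    Rejects metadata with no validUntil, expired metadata, and (assumed policy)
    metadata whose validUntil lies more than max_validity_days ahead.
    """
    now = parse_utc(now_utc)
    valid_until = parse_valid_until(xml_text)
    if valid_until is None:
        return "reject: no validUntil attribute"
    if valid_until <= now:
        return "reject: metadata expired at %s" % valid_until.isoformat()
    if valid_until - now > timedelta(days=max_validity_days):
        return "reject: validUntil is more than %d days in the future" % max_validity_days
    return "accept"

if __name__ == "__main__":
    print(check_expiry(SAMPLE_METADATA, "2024-01-10T00:00:00Z"))   # accept
    print(check_expiry(SAMPLE_METADATA, "2024-01-16T00:00:00Z"))   # reject: expired
```

Run this after the signature has been verified, since an unsigned or tampered `validUntil` proves nothing.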