...

InCommon expects participants to refresh metadata daily to ensure that SAML endpoints have access to the most up-to-date keys and other registered information. Some software implementations (such as Shibboleth) handle metadata with ease, but regardless of your software, please read this entire page to understand the requirements and pitfalls associated with metadata consumption.

Info

It is strongly recommended that InCommon SPs and IdPs refresh and verify metadata at least daily.

Participants are strongly encouraged to rely on SAML software that properly handles metadata; failure to do so can have profound effects on the successful use of the Federation. In addition to maintaining the security of your own deployment, proper metadata use is critical to ensure that other participants can depend on your system behaving correctly when they make changes.

In addition, if you don't refresh your metadata regularly, it is likely that a software implementation will fail at some point since the XML document carries an expiration date (validUntil) that causes the metadata to expire in three weeks. InCommon strongly recommends that you do not rely on the actual length of this validity interval in any way, and in fact, we reserve the right to shorten the validity interval with little or no notice.

...

...

It is strongly recommended that InCommon SPs and IdPs refresh and verify metadata at least daily.

Firewall Configuration

Depending on your environment, you may have to poke a hole in an outbound firewall to get metadata refresh to work. In that case, you will actually want to poke two holes in that firewall, since there are two metadata servers as described below.

...

A metadata reload process should check each of the above conditions before accepting the metadata. Alternatively, if your SAML implementation is known to ignore or reject expired metadata (a basic correctness requirement), it may be sufficient to ensure that a validUntil attribute exists and is not unexpectedly far into the future.

Warning: Beware

Verify the expiration date independently!

Verifying the signature on a SAML metadata file does not verify the presence or value of an expiration date. The only way to verify the expiration date is to parse the XML.
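The expiration checks described above (validUntil present, not already past, and not unexpectedly far into the future) as an added example; this is not InCommon's code nor any SAML product's own metadata filter. It assumes signature verification has already been done separately by an XML-signature library, a 21-day ceiling for "unexpectedly far into the future" (chosen to match the three-week interval described on this page; the page does not prescribe a threshold), and a constructed sample aggregate with a placeholder entityID.

```python
"""Check the validUntil attribute of a SAML metadata aggregate before accepting it.

Added example, not InCommon's or any SAML software's own code. Signature
verification is assumed to happen elsewhere; this only performs the
expiration checks that a signature check cannot.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Assumption: reject validUntil values more than 21 days ahead, matching the
# three-week validity interval described on the page. Tune to your expectations.
MAX_VALIDITY = timedelta(days=21)
# Fixed reference clock so the checks below are reproducible (constructed value).
FIXED_NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_xs_datetime(value: str) -> datetime:
    """Parse an xs:dateTime as it appears in SAML metadata (normally UTC with a trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat on older Pythons does not accept 'Z'
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("validUntil must carry a time zone")
    return parsed.astimezone(timezone.utc)


def check_valid_until(metadata_xml: str, now: Optional[datetime] = None,
                      max_validity: timedelta = MAX_VALIDITY) -> dict:
    """Return a verdict dict {"ok": bool, "reason": str, ...} for the root validUntil.

    Checks, in order: the root is md:EntitiesDescriptor or md:EntityDescriptor,
    validUntil is present and parsable, it is not already past, and it is not
    further ahead than max_validity.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    allowed_roots = ("{%s}EntitiesDescriptor" % MD_NS, "{%s}EntityDescriptor" % MD_NS)
    if root.tag not in allowed_roots:
        return {"ok": False, "reason": "unexpected root element %s" % root.tag}
    raw = root.get("validUntil")
    if raw is None:
        return {"ok": False, "reason": "validUntil attribute missing"}
    try:
        valid_until = parse_xs_datetime(raw)
    except ValueError as exc:
        return {"ok": False, "reason": "validUntil unparsable: %s" % exc}
    if valid_until <= now:
        return {"ok": False, "reason": "metadata expired", "valid_until": valid_until}
    if valid_until - now > max_validity:
        return {"ok": False, "reason": "validUntil unexpectedly far in the future",
                "valid_until": valid_until}
    return {"ok": True, "reason": "validUntil acceptable", "valid_until": valid_until}


def sample_metadata(valid_until: Optional[str]) -> str:
    """Constructed minimal aggregate (not real InCommon metadata); entityID is a placeholder."""
    attr = ' validUntil="%s"' % valid_until if valid_until is not None else ""
    return (
        '<md:EntitiesDescriptor xmlns:md="%s" Name="example-aggregate"%s>' % (MD_NS, attr)
        + '<md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>'
        + "</md:EntitiesDescriptor>"
    )


if __name__ == "__main__":
    for label, vu in [("fresh", "2024-03-15T00:00:00Z"),
                      ("expired", "2024-02-28T00:00:00Z"),
                      ("too far", "2024-06-01T00:00:00Z"),
                      ("missing", None),
                      ("no tz", "2024-03-15T00:00:00")]:
        verdict = check_valid_until(sample_metadata(vu), now=FIXED_NOW)
        print("%-8s ok=%-5s %s" % (label, verdict["ok"], verdict["reason"]))
```

Run this on every refreshed aggregate after the signature has been verified and before the file is handed to the SAML software; a refresh that fails any check should keep the previously accepted copy rather than replacing it.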

Software Configuration

...