...

Warning: Verify the expiration date independently!

Verifying the signature on a SAML metadata file does not verify the presence or value of an expiration date. The only way to verify the expiration date is to parse the XML.

Configuration

Firewall

...

Configuration

Depending on your environment, you may have to poke a hole in an outbound firewall to allow your client to reach the metadata server. In that case, you will actually want to poke two holes in that firewall, since there are two metadata servers as described below.

...

Therefore, please make sure both your SAML implementation and your metadata refresh processes are configured with hostname wayf.incommonfederation.org (as opposed to an IP address). On the other hand, make sure your outbound firewall (if any) is configured with both IP addresses (207.75.165.125 and 140.182.44.53).

Software Configuration

If you plan on using the Shibboleth software for federation purposes, you can in fact also use Shibboleth to download and verify signed metadata without having to rely on any other tools. Instructions on how to configure Shibboleth for metadata consumption are provided elsewhere in this wiki.

Other SAML implementations besides Shibboleth have built-in metadata support. For example, we know that simpleSAMLphp will consume InCommon Federation metadata. If you know of other implementations that support SAML metadata, please let us know so we can document them here.

Regardless of your software implementation, however, you can always set up a cron job to refresh metadata, but in that case you will need additional tools to verify the XML signature at the time of refresh and check the validUntil attribute as noted above. Participants are encouraged to share such tools and scripts for the benefit of the community. For instance, third-party tools that make InCommon metadata usable with Microsoft AD FS are documented elsewhere in this wiki.
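The warning above and the cron-job paragraph both come down to the same point: after the signature check, a refresh script still has to parse the XML and look at the root element's validUntil attribute, because a valid signature proves nothing about whether that attribute is present or still in the future. The following script is an added example (not part of this wiki page and not an InCommon-provided tool) of that check, written to run after signature verification has already succeeded. The metadata document embedded in it is constructed for the example, with a placeholder federation name and entityID; the 14-day maximum-lifetime ceiling is an assumption about a sensible local policy, not something this page prescribes.

```python
"""Post-signature check of the validUntil attribute on a SAML metadata file.

Run this after the XML signature has been verified by a separate tool; it
rejects metadata that has no validUntil, has already expired, or claims a
validity window longer than the configured ceiling.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate (not real federation metadata). The federation
# name and entityID are placeholders; only the validUntil attribute matters here.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:example:federation" validUntil="2030-01-15T19:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
</md:EntitiesDescriptor>
"""


def utc(year, month, day, hour=0, minute=0):
    """Helper for building a timezone-aware UTC timestamp (used by callers/tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_valid_until(xml_bytes):
    """Return the root validUntil as an aware UTC datetime, or None if absent.

    Raises ValueError if the root is not a metadata element or the timestamp
    is malformed / not expressed in UTC.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag not in (f"{{{MD_NS}}}EntitiesDescriptor",
                        f"{{{MD_NS}}}EntityDescriptor"):
        raise ValueError(f"unexpected root element: {root.tag}")
    value = root.get("validUntil")
    if value is None:
        return None
    # SAML metadata uses xsd:dateTime in UTC, written with a trailing "Z";
    # fromisoformat on older Pythons needs the "+00:00" spelling instead.
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if stamp.tzinfo is None:
        raise ValueError("validUntil must carry a UTC designator")
    return stamp.astimezone(timezone.utc)


def metadata_is_usable(xml_bytes, now=None, max_lifetime=timedelta(days=14)):
    """Decide whether verified metadata may be installed. Returns (ok, reason).

    max_lifetime is an assumed local policy: a validUntil far in the future
    would let a stale copy be served long after the federation expected it
    to be replaced, so it is treated as a configuration error.
    """
    now = now or datetime.now(timezone.utc)
    try:
        valid_until = parse_valid_until(xml_bytes)
    except (ET.ParseError, ValueError) as exc:
        return False, f"cannot parse metadata: {exc}"
    if valid_until is None:
        return False, "no validUntil attribute on root element"
    if valid_until <= now:
        return False, f"metadata expired at {valid_until.isoformat()}"
    if valid_until - now > max_lifetime:
        return False, (f"validUntil {valid_until.isoformat()} exceeds the "
                       f"{max_lifetime.days}-day lifetime ceiling")
    return True, f"metadata valid until {valid_until.isoformat()}"


if __name__ == "__main__":
    ok, reason = metadata_is_usable(SAMPLE_METADATA)
    print(("OK: " if ok else "REJECT: ") + reason)
    raise SystemExit(0 if ok else 1)
```

In a cron-driven refresh, call this with the freshly downloaded file only after the signature tool has exited successfully, and keep the previously installed copy in place whenever the function returns False; a non-zero exit from the script is what the cron job should treat as "do not swap in the new file". The same check applies unchanged to a single EntityDescriptor, since the attribute lives on whichever element is the root.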

For More Information