This page introduces some important policy considerations associated with InCommon metadata. Other pages discuss the availability of multiple metadata aggregates and provide guidance with respect to metadata client configuration, including client configuration and the configuration of outbound firewalls.
Metadata Refresh Policy
InCommon expects participants to refresh metadata daily to ensure that SAML endpoints have access to the most up-to-date keys and other registered information. Some software implementations (such as Shibboleth) handle metadata easily, but regardless of your software, please read this entire page to understand the requirements and pitfalls associated with metadata consumption.
...
In addition, if you don't refresh your metadata regularly, it is likely that a software implementation will fail at some point since the XML document carries an expiration date (validUntil
) that causes the metadata to expire in two weeks. InCommon strongly recommends that you do not rely on the actual length of this validity interval in any way, and in fact, we reserve the right to shorten the validity interval with little or no notice.
Metadata Refresh Process
The mechanics of metadata refresh:
- Choose the right metadata aggregate for your particular deployment
- Deploy and configure an automated metadata refresh processConfigure your metadata process:
- Configure your metadata client
- Configure Adjust your outbound firewall rules (if necessary)
- Verify the XML signature on downloaded metadata (see below)
- Validate the expiration date on downloaded metadata (see below)
Signature Verification
Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will seriously compromise the security of your SAML deployment.
...