- Choose the right metadata aggregate for your particular deployment
- Deploy and configure an automated metadata refresh process:
- Configure your metadata client
- Verify the XML signature on downloaded metadata (see below)
- Validate the expiration date on downloaded metadata (see below)
- Adjust your outbound firewall rules
Don't forget to adjust your outbound firewall rules for all metadata endpoint locations.
Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will seriously compromise the security of your SAML deployment.
Verifying the signature on a SAML metadata file does not verify the presence or value of an expiration date. The only way to verify the expiration date is to parse the XML.
Depending on your environment, you may have to poke a hole in an outbound firewall to allow your metadata client to reach the metadata server. In that case, you will actually want to poke two holes in that firewall since there are two metadata servers as described below.
wayf.incommonfederation.org resolves to one of two identical servers, either in Michigan (126.96.36.199) or Indiana (188.8.131.52). The actual server used at any given point in time is unspecified and left to the discretion of InCommon Operations. If one of the servers goes down or requires maintenance, the other can be brought up within minutes, with minimal disruption of services.
Therefore, please make sure both your SAML implementation and your metadata refresh processes are configured with hostname
wayf.incommonfederation.org (as opposed to an IP address). On the other hand, make sure your outbound firewall (if any) is configured with both IP addresses (184.108.40.206 and 220.127.116.11).