It is strongly recommended that InCommon SPs and IdPs refresh and verify metadata at least daily. An optimal configuration attempts to refresh metadata every hour, assuming your client supports HTTP Conditional GET (so that an unchanged aggregate costs only a 304 response rather than a full download).
Participants are strongly encouraged to use SAML software that properly handles metadata; failure to do so can have profound effects on the successful use of the Federation. In addition to maintaining the security of your own deployment, proper metadata use is critical to ensure that other participants can depend on your system behaving correctly when they make changes.
- Choose the right metadata aggregate for your particular deployment
- Deploy and configure an automated metadata refresh process:
  - Install and configure your metadata client software
  - Verify the XML signature on downloaded metadata
  - Validate the expiration date (validUntil) on downloaded metadata
  - Adjust your outbound firewall rules (if necessary)
Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will seriously compromise the security of your SAML deployment.
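The checks in the refresh procedure above (expiration, refresh interval, conditional GET) as one worked example. This is added illustration, not code from InCommon or from any SAML product: it parses a constructed sample aggregate embedded inline, rejects it if `validUntil` has passed or lies implausibly far in the future (the 14-day ceiling is an assumption chosen for the example), derives the next refresh time from `cacheDuration` capped at one hour, and builds the `If-None-Match` / `If-Modified-Since` headers for the next fetch. It confirms that a `ds:Signature` element is present but does not perform the cryptographic verification itself; see the note after the code.

```python
"""Freshness checks a SAML metadata consumer runs on every refresh.

Added example, not InCommon's or any vendor's code. The metadata below is a
constructed sample; real federation aggregates are far larger and carry a real
signature. Signature verification is left to an XML-DSig implementation.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample aggregate (placeholder signature, one fake SP entity).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="example-aggregate-1" Name="urn:example:federation"
    validUntil="2024-01-15T00:00:00Z" cacheDuration="PT6H">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

MAX_REFRESH = timedelta(hours=1)      # hourly refresh, as the page recommends
MAX_VALIDITY = timedelta(days=14)     # assumption for this example: longer validUntil is suspicious

# Subset of ISO 8601 durations used in SAML metadata: PnDTnHnMnS
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(s):
    """Parse a cacheDuration value such as 'PT6H' or 'P1DT12H' into a timedelta."""
    m = _DUR.match(s)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported cacheDuration: {s!r}")
    d, h, mi, sec = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=sec)


def parse_instant(s):
    """SAML dateTime values in metadata are UTC with a trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_metadata(xml_text, now):
    """Return the datetime of the next refresh, or raise ValueError if the
    aggregate must be rejected (unsigned, expired, or validUntil too far out)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise ValueError("root element is not md:EntitiesDescriptor")
    if root.find(f"{{{DS_NS}}}Signature") is None:
        raise ValueError("aggregate carries no ds:Signature; refuse to load it")
    vu = root.get("validUntil")
    if vu is None:
        raise ValueError("no validUntil attribute; lifetime of this metadata is unbounded")
    valid_until = parse_instant(vu)
    if valid_until <= now:
        raise ValueError(f"metadata expired at {vu}")
    if valid_until - now > MAX_VALIDITY:
        raise ValueError(f"validUntil {vu} is more than {MAX_VALIDITY.days} days in the future")
    # Refresh at the shorter of cacheDuration and the hourly ceiling, never past validUntil.
    interval = MAX_REFRESH
    cd = root.get("cacheDuration")
    if cd:
        interval = min(interval, parse_duration(cd))
    return min(now + interval, valid_until)


def metadata_ok(xml_text, now):
    """Boolean convenience wrapper around check_metadata."""
    try:
        check_metadata(xml_text, now)
        return True
    except ValueError:
        return False


def conditional_get_headers(last_response_headers):
    """Build the request headers for the next fetch so that an unchanged
    aggregate is answered with 304 Not Modified instead of a full download."""
    h = {}
    if "ETag" in last_response_headers:
        h["If-None-Match"] = last_response_headers["ETag"]
    if "Last-Modified" in last_response_headers:
        h["If-Modified-Since"] = last_response_headers["Last-Modified"]
    return h


if __name__ == "__main__":
    now = parse_instant("2024-01-10T12:00:00Z")
    print("next refresh:", check_metadata(SAMPLE_METADATA, now).isoformat())
    print(conditional_get_headers({"ETag": '"abc123"',
                                   "Last-Modified": "Mon, 01 Jan 2024 00:00:00 GMT"}))
```

The cryptographic step this example deliberately omits is the one the page calls critical: verify the XML signature against the federation signing certificate you obtained out of band, for example with xmlsec1 (`xmlsec1 --verify --pubkey-cert-pem <signing-cert.pem> --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor <aggregate.xml>`, where the certificate and aggregate filenames are your deployment's), and only then run the freshness checks and load the file. Checking that a `ds:Signature` element merely exists, as above, guards against an accidentally unsigned file but proves nothing about who produced it.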