The Shibboleth software not only consumes metadata, it also fetches and verifies a fresh metadata file on a regular basis. Later versions of Shibboleth are highly optimized with respect to metadata refresh (conditional GET and compressed transfer, as noted below).
The configuration examples below apply to the specific versions of Shibboleth noted.
Configure the Shibboleth IdP
To configure Shibboleth IdP 2.2 (and later) to download and verify signed Federation metadata every 8 hours, do the following:
IdP 2.2 and above
<!-- inside the ChainingMetadataProvider -->
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD"
    xsi:type="FileBackedHTTPMetadataProvider"
    maxRefreshDelay="PT8H"
    metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
    backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
  <MetadataFilter xsi:type="ChainingFilter">
    <!-- Require metadata expiration at least monthly (28 days) -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
    <!-- Verify the metadata signature with the ICTrust trust engine defined below;
         unsigned metadata is rejected -->
    <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
    <!-- An IdP only needs SP roles; drop everything else from the aggregate -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
  </MetadataFilter>
</MetadataProvider>

...

<!-- underneath the Security Configuration section -->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
  <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/incommon.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>
Shibboleth IdP 2.2 (and later) supports both HTTP conditional GET and HTTP compression (gzip and deflate).
The following example is incomplete since it is not known how to explicitly specify a refresh interval. If you have successfully configured v2.1.5 (or earlier) of the Shibboleth IdP to fetch and verify metadata on a regular basis, please report your configuration to the participants@incommon.org mailing list.
To configure earlier versions of the Shibboleth IdP to download and verify signed Federation metadata, do the following:
IdP 2.1.5 and below
<!-- inside the ChainingMetadataProvider -->
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD"
    xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
    backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
  <MetadataFilter xsi:type="ChainingFilter">
    <!-- Require metadata expiration at least monthly (28 days) -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
    <!-- Verify the metadata signature with the ICTrust trust engine defined below;
         unsigned metadata is rejected -->
    <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
    <!-- An IdP only needs SP roles; drop everything else from the aggregate -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
  </MetadataFilter>
</MetadataProvider>

...

<!-- underneath the Security Configuration section -->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
  <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/incommon.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>
Configure the Shibboleth SP
To configure a Shibboleth SP to download and verify signed Federation metadata every 8 hours, do the following:
SP 2.4 and above
<MetadataProvider type="XML"
    uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
    backingFilePath="InCommon-metadata.xml"
    maxRefreshDelay="28800">
  <!-- Verify the signing key -->
  <SignatureMetadataFilter certificate="incommon.pem"/>
  <!-- Require metadata expiration at least monthly (28 days) -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>
Shibboleth SP 2.4 (and later) supports both HTTP conditional GET and HTTP compression (but the supported compression algorithms are unknown).
SP 2.3.1 and below
<MetadataProvider type="XML"
    uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
    backingFilePath="InCommon-metadata.xml"
    reloadInterval="28800">
  <!-- Verify the signing key -->
  <SignatureMetadataFilter certificate="incommon.pem"/>
  <!-- Require metadata expiration at least monthly (28 days) -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>
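To make the filter policies in the IdP and SP configurations above concrete, here is an added stand-alone check (example code, not InCommon's or Shibboleth's own) that applies the same three rules to a metadata document, in the IdP chain's order: RequiredValidUntil / RequireValidUntil (validUntil must be present, in the future, and no more than 2419200 seconds ahead), requireSignedMetadata (an unsigned aggregate is rejected), and EntityRoleWhiteList (only entities with an SPSSODescriptor are retained). The sample aggregate, the fixed clock SAMPLE_NOW and the entityIDs are constructed for the example; the signature step checks only that a ds:Signature element is present, since cryptographic verification against incommon.pem is what the IdP/SP performs.

```python
"""Added example, not InCommon's or Shibboleth's code: applies the metadata
filter policies configured above to a constructed sample aggregate."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MAX_VALIDITY_INTERVAL = 2419200                          # seconds: the 28 days used above
SAMPLE_NOW = datetime(2010, 1, 1, tzinfo=timezone.utc)   # fixed clock, constructed for the sample


def sample_metadata(valid_until=None, signed=True):
    """Constructed sample aggregate: one SP, one IdP, an optional signature element."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
           '</ds:Signature>') if signed else ""
    return (
        '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
        f' Name="urn:mace:example:federation"{attr}>' + sig +
        '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        '</md:EntityDescriptor>'
        '<md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        '</md:EntityDescriptor>'
        '</md:EntitiesDescriptor>'
    )


def check_valid_until(root, now, max_interval=MAX_VALIDITY_INTERVAL):
    """RequiredValidUntil / RequireValidUntil: validUntil must exist, lie in the
    future, and be at most max_interval seconds ahead of now. Without it a stale
    aggregate (or a replayed old one) could be trusted indefinitely."""
    value = root.get("validUntil")
    if value is None:
        raise ValueError("validUntil attribute missing")
    expires = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= now:
        raise ValueError(f"metadata expired at {value}")
    if expires - now > timedelta(seconds=max_interval):
        raise ValueError(f"validUntil {value} exceeds maxValidityInterval ({max_interval}s)")
    return expires


def check_signature_present(root):
    """requireSignedMetadata="true": an unsigned aggregate is rejected outright.
    Presence check only; verifying the signature against incommon.pem is the
    job of the IdP/SP trust engine (or an XML-DSig library)."""
    if root.find("ds:Signature", NS) is None:
        raise ValueError("metadata is not signed")


def retain_roles(root, role="SPSSODescriptor"):
    """EntityRoleWhiteList: keep only entities carrying the retained role,
    remove the rest from the tree, and return the surviving entityIDs."""
    kept = []
    for entity in list(root.findall("md:EntityDescriptor", NS)):
        if entity.find(f"md:{role}", NS) is None:
            root.remove(entity)
        else:
            kept.append(entity.get("entityID"))
    return kept


def evaluate(xml_text, now=SAMPLE_NOW):
    """Run the chain in the configured order; returns ("ok", [entityIDs]) or ("rejected", reason)."""
    root = ET.fromstring(xml_text)
    try:
        check_valid_until(root, now)
        check_signature_present(root)
    except ValueError as err:
        return ("rejected", str(err))
    return ("ok", retain_roles(root))


if __name__ == "__main__":
    print(evaluate(sample_metadata("2010-01-21T00:00:00Z")))                 # accepted, SP retained
    print(evaluate(sample_metadata("2010-03-01T00:00:00Z")))                 # too far in the future
    print(evaluate(sample_metadata()))                                       # no validUntil
    print(evaluate(sample_metadata("2010-01-21T00:00:00Z", signed=False)))   # unsigned
```

Running the script against a real aggregate (with the signature step replaced by genuine verification) is a quick way to confirm, before deploying the configuration, that the federation's published validUntil actually fits inside the 28-day window; if it does not, the RequiredValidUntil filter will reject every refresh and the deployment will silently run on the stale backing file.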