The Shibboleth software does not only consume metadata; it also fetches and verifies a fresh metadata file on a regular schedule. Later versions of Shibboleth are highly optimized with respect to metadata.
Configure the Shibboleth IdP
To configure Shibboleth IdP 2.2 (and later) to download and verify signed Federation metadata every hour, do the following:
<!-- inside the ChainingMetadataProvider -->
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  maxRefreshDelay="PT1H"
                  metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
                  backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
  <MetadataFilter xsi:type="ChainingFilter">
    <!-- Require metadata expiration at least monthly (28 days = 2419200 seconds) -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
    <!-- Verify the XML signature with the ICTrust trust engine defined below -->
    <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
    <!-- Retain only SP roles (the samlmd prefix is declared on the root element of the config file) -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
  </MetadataFilter>
</MetadataProvider>

...

<!-- underneath the Security Configuration section -->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
  <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/incommon.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>
Configure the Shibboleth SP
To configure Shibboleth SP 2.4 (and later) to download and verify signed Federation metadata every hour, do the following:
<MetadataProvider type="XML"
                  uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
                  backingFilePath="InCommon-metadata.xml"
                  maxRefreshDelay="3600">
  <!-- Verify the signing key -->
  <MetadataFilter type="Signature" certificate="incommon.pem"/>
  <!-- Require metadata expiration at least monthly (28 days = 2419200 seconds) -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>
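As an added illustration (not code from this page or from the Shibboleth project), the Python below mirrors what the RequiredValidUntil filter in both configurations and the EntityRoleWhiteList filter in the IdP configuration enforce, applied to a constructed two-entity aggregate. It assumes validUntil in the Z-suffixed xs:dateTime form and leaves XML signature verification to Shibboleth's own filter.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
MAX_VALIDITY_INTERVAL = 2419200  # seconds (28 days), matching the configs above
ROLE_TAGS = {"SPSSODescriptor", "IDPSSODescriptor", "AttributeAuthorityDescriptor",
             "AuthnAuthorityDescriptor", "PDPDescriptor", "RoleDescriptor"}

def require_valid_until(root, max_interval=MAX_VALIDITY_INTERVAL, now=None):
    # RequiredValidUntil: validUntil must be present (assumed 'YYYY-MM-DDTHH:MM:SSZ'),
    # not already past, and no further out than max_interval seconds.
    now = now or datetime.now(timezone.utc)
    value = root.get("validUntil")
    if value is None:
        raise ValueError("metadata has no validUntil attribute")
    until = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if until < now:
        raise ValueError("metadata expired at " + value)
    if (until - now).total_seconds() > max_interval:
        raise ValueError("validUntil " + value + " exceeds the maximum validity interval")

def retain_roles(root, keep=("SPSSODescriptor",)):
    # EntityRoleWhiteList: strip every role not in `keep`, then drop entities
    # left with no role at all. Returns the entityIDs that survive.
    keep_tags = {MD + r for r in keep}
    retained = []
    for group in list(root.iter(MD + "EntitiesDescriptor")):
        for ed in group.findall(MD + "EntityDescriptor"):
            for child in list(ed):
                if child.tag.replace(MD, "") in ROLE_TAGS and child.tag not in keep_tags:
                    ed.remove(child)
            if any(c.tag in keep_tags for c in ed):
                retained.append(ed.get("entityID"))
            else:
                group.remove(ed)
    return retained

def filter_metadata(xml_text, now=None):
    # Both filters as chained in the configs above; signature checking stays with Shibboleth.
    root = ET.fromstring(xml_text)
    require_valid_until(root, now=now)
    return retain_roles(root)

def sample_metadata(days_ahead):
    # Constructed aggregate for the demo (not real federation metadata): one SP, one IdP.
    until = (datetime.now(timezone.utc) + timedelta(days=days_ahead)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ('<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="%s">'
            '<EntityDescriptor entityID="https://sp.example.org/shibboleth"><SPSSODescriptor/>'
            '</EntityDescriptor><EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">'
            '<IDPSSODescriptor/></EntityDescriptor></EntitiesDescriptor>') % until
```

Running `filter_metadata(sample_metadata(14))` keeps only the SP entity, while an aggregate valid for 60 days or one already expired is rejected before any entity is trusted.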