Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd


Overview

The root <md:EntitiesDescriptor> element of a remotely obtained metadata file should be decorated with a validUntil XML attribute. Before the metadata is loaded, the expiration date is checked. If the validUntil attribute indicates the metadata is expired, the metadata is discarded.

The validity check described in the previous paragraph is always performed, regardless of the filters applied to the metadata. In addition to this basic validity check, the RequiredValidUntil filter is used to detect metadata that never expires or has too long a validity period, both of which undermine the usual trust model supported by Shibboleth, and the only one actually standardized in SAML.

...

Note: Metadata expiry is important!

In practice, a SignatureValidation filter and a RequiredValidUntil filter are often used together to securely obtain remote metadata via HTTP. See the FileBackedHTTPMetadataProvider and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.

Reference

...

...

XML Attributes

Name: maxValidityInterval
Type: Duration
Default: P14D

Note: The default value has changed in V4.

Description: Defines the window within which the metadata is valid. A value of zero is a no-op and should be avoided

...

Example: RequiredValidUntil filter with maximum validity of 14 days

```xml
<!--
    Require a validUntil XML attribute on the EntitiesDescriptor element
    and make sure its value is no more than 14 days into the future.
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
```
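The two checks described on this page, the unconditional expiry check on the root validUntil and the RequiredValidUntil filter with its maxValidityInterval window (including the zero-value caveat from the reference table), modelled as an added Python checker that can be run against a fetched metadata file before the IdP is pointed at it. This is example code, not the IdP's or OpenSAML's implementation; the sample metadata, the fixed clock, the function names and the reading of a zero interval as "presence still required, no upper bound" are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Fixed "current time" so the constructed samples below give stable results.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_duration(text):
    """Parse an xs:duration such as P14D or PT12H into a timedelta.

    Only day and time components are accepted: years and months have no fixed
    length, so they make no sense as a validity window. PT14D is rejected,
    because after the 'T' only the H, M and S designators are allowed.
    """
    m = re.fullmatch(
        r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?", text)
    if not m or text.endswith(("P", "T")):
        raise ValueError(f"unsupported xs:duration: {text!r}")
    days, hours, minutes, seconds = (float(g) if g else 0.0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def is_valid_duration(text):
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


def parse_valid_until(text):
    """SAML metadata requires validUntil to be an xs:dateTime in UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"validUntil must be a UTC xs:dateTime, got {text!r}")


def check_metadata(xml_text, max_validity_interval="P14D", now=NOW):
    """Return (accepted, reason) for one remotely fetched metadata document.

    Two checks are modelled, in the order the page describes them:
      1. the basic expiry check on the root validUntil, always performed;
      2. the RequiredValidUntil filter: validUntil must be present and lie no
         more than max_validity_interval into the future. A zero interval is
         modelled as dropping the upper bound while still requiring presence
         (an assumption about how to read the table's "no-op").
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        return False, f"unexpected root element {root.tag}"

    valid_until = root.get("validUntil")
    expires = parse_valid_until(valid_until) if valid_until is not None else None

    # 1. Basic validity check, applied regardless of configured filters.
    if expires is not None and expires <= now:
        return False, f"metadata expired at {valid_until}"

    # 2. RequiredValidUntil filter.
    if expires is None:
        return False, "RequiredValidUntil: root EntitiesDescriptor has no validUntil"
    window = parse_duration(max_validity_interval)
    remaining = expires - now
    if window > timedelta(0) and remaining > window:
        return False, (f"RequiredValidUntil: validity of {remaining} exceeds "
                       f"maxValidityInterval {max_validity_interval}")
    return True, f"accepted; metadata valid for another {remaining}"


def sample_metadata(valid_until):
    """Constructed minimal federation metadata; not from any real federation."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    return (
        f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="urn:example:federation"{attr}>'
        '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        "</md:EntityDescriptor></md:EntitiesDescriptor>"
    )


SAMPLES = {
    "missing":  sample_metadata(None),                    # never expires
    "expired":  sample_metadata("2024-05-31T12:00:00Z"),  # one day in the past
    "too_long": sample_metadata("2025-06-01T12:00:00Z"),  # valid for a whole year
    "ok":       sample_metadata("2024-06-08T12:00:00Z"),  # one week
}


def run_samples(max_validity_interval="P14D"):
    return {name: check_metadata(xml, max_validity_interval)
            for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_samples().items():
        print(f"{name:9} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

With the default P14D window only the one-week sample is accepted; the never-expiring and one-year samples are exactly the cases the filter exists to catch, and the expired one is thrown out by the basic check before any filter runs. Passing PT0S shows the no-op the table warns about: the one-year metadata is then accepted. To check a real download, call check_metadata on the file contents with now=datetime.now(timezone.utc).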

...