The root <md:EntitiesDescriptor> element of a remotely obtained metadata file should be decorated with a validUntil XML attribute. Before the metadata is loaded, the expiration date is checked. If the validUntil attribute indicates the metadata is expired, the metadata is discarded.

The validity check described in the previous paragraph is always performed, regardless of the filters applied to the metadata. In addition to this basic validity check, the RequiredValidUntil filter is used to detect metadata that never expires or has too long a validity period, both of which undermine the usual trust model supported by Shibboleth. In particular, the RequiredValidUntil filter refuses to load the metadata if either of the following conditions is true:

...

Note: Metadata expiry is important!

Under normal circumstances, it is very important to configure this filter because expiring metadata is how trust revocation is enforced. See the TrustManagement topic for details.
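
The two layers of checking described above (the expiry check that is always performed, and the RequiredValidUntil refusal of metadata that never expires or is valid for too long) can be sketched in Python as follows. This is an added example, not Shibboleth's own code. The function names, the constructed sample document, and the treatment of a zero maxValidityInterval as "no upper bound" are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Subset of ISO 8601 durations: days, hours, minutes, seconds (no years/months).
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample input (not real federation metadata).
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'validUntil="2024-01-10T00:00:00Z"/>')

def parse_duration(text):
    """Parse a duration such as P14D or PT12H into a timedelta."""
    m = _DUR.match(text)
    if not m or text in ("P", "PT") or text.endswith("T"):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def parse_instant(text):
    """Parse an xs:dateTime; a missing zone is treated as UTC (assumption)."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_metadata(xml_text, max_validity, now):
    """Return (accepted, reason) for the root element of a metadata document."""
    # Stdlib parser is fine for the inline sample; use a hardened XML parser
    # for files fetched from a remote source.
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"):
        return False, "root is not SAML metadata"
    raw = root.get("validUntil")
    if raw is None:
        return False, "no validUntil: metadata never expires"
    valid_until = parse_instant(raw)
    if valid_until <= now:
        return False, "metadata expired"
    limit = parse_duration(max_validity)
    # Assumption: a zero limit means the length of the window is not checked.
    if limit > timedelta(0) and valid_until - now > limit:
        return False, "validity period too long"
    return True, "ok"

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for limit in ("P14D", "P7D"):
        print(limit, check_metadata(SAMPLE, limit, now))
```
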

Namespace and Schema

The <MetadataFilter> element and the type RequiredValidUntil are defined by the urn:mace:shibboleth:2.0:metadata namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.

Reference

Attributes

| Name | Type | Default | Description |
| maxValidityInterval | ISO 8601 duration | PT0S (zero) | Defines the window within which the metadata is valid |

...