
The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

RequiredValidUntilFilter

The root <md:EntitiesDescriptor> element of a remotely obtained metadata file should be decorated with a validUntil XML attribute. Before the metadata is loaded, the expiration date is checked. If the validUntil attribute indicates the metadata is expired, the metadata is discarded.

The validity check described in the previous paragraph is always performed, regardless of the filters applied to the metadata. In addition to this basic validity check, the RequiredValidUntil filter is used to detect metadata that never expires or has too long a validity period, both of which undermine the usual trust model supported by Shibboleth. In particular, the RequiredValidUntil filter refuses to load the metadata if either of the following conditions is true:

  1. The root XML element does not contain a validUntil attribute.

  2. The value of the validUntil attribute is too far into the future as specified by the maxValidityInterval attribute.

Metadata expiry is important!

In practice, a SignatureValidation filter and a RequiredValidUntil filter are often used together to securely obtain remote metadata via HTTP. See the FileBackedHTTPMetadataProvider and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.

Schema

The <MetadataFilter> element and the type RequiredValidUntil are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.

Attributes

| Name | Type | Default | Description |
|---|---|---|---|
| maxValidityInterval | ISO 8601 duration | PT0S (zero) | Defines the window within which the metadata is valid |

If a zero duration is specified, or the maxValidityInterval XML attribute is omitted, any value of validUntil will be accepted (which is probably not what you want to do).

Child Elements

None

Example

RequiredValidUntil filter with maximum validity of 14 days
<!--
    Require a validUntil XML attribute on the EntitiesDescriptor element
    and make sure its value is no more than 14 days into the future.
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
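
The acceptance rules described on this page, written out as a small Python check for pre-validating a metadata feed. This is an added example, not Shibboleth's own code: the function names and sample documents are constructed, and the duration parser handles only the day/time subset of ISO 8601.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
_DURATION = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")

def parse_duration(text):
    """Parse durations such as P14D or PT12H (no years or months)."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (float(g) if g else 0.0 for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def check_valid_until(xml_text, max_validity="PT0S", now=None):
    """Return (accepted, reason) based on the root element's validUntil."""
    now = now or datetime.now(timezone.utc)
    # ElementTree is used on constructed samples only; parse untrusted
    # metadata with a hardened XML parser and verify its signature first.
    root = ET.fromstring(xml_text)
    raw = root.get("validUntil")
    if raw is None:
        return False, "missing validUntil"
    valid_until = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if valid_until.tzinfo is None:
        valid_until = valid_until.replace(tzinfo=timezone.utc)
    if valid_until <= now:
        return False, "expired"            # the always-on basic check
    limit = parse_duration(max_validity)
    # A zero interval (the default) disables the upper bound entirely.
    if limit > timedelta(0) and valid_until - now > limit:
        return False, "validity too long"
    return True, "ok"

def sample_metadata(attr=""):
    """Constructed, empty EntitiesDescriptor used as test input."""
    return f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" {attr}/>'

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for attr in ('validUntil="2024-01-10T00:00:00Z"',
                 'validUntil="2024-03-01T00:00:00Z"',
                 'validUntil="2023-12-31T00:00:00Z"', ""):
        print(attr or "(no validUntil)",
              check_valid_until(sample_metadata(attr), "P14D", now))
```
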
