Metadata expiry and computing a new expiration time.

Peter Schober peter.schober at univie.ac.at
Fri Sep 18 05:27:05 EDT 2015


* Simon Fraser <srf at sanger.ac.uk> [2015-09-18 11:12]:
> It's not updating the expiry time in the local copy of the file when it
> checks for a new version and there isn't one, I don't know if that's
> necessary or not

What should it update when there's no new metadata?

> what happens when there isn't a new version within 14 days?

The locally cached metadata will expire and all entities in there will
become unknown to the IDP, i.e., it will lose everything in there.

That protects you from potentially "revoked" entities (you don't hold
on to entities that may have been removed meanwhile), at the price of
the federation operator having to constantly re-sign and re-publish
metadata.
https://wiki.shibboleth.net/confluence/display/CONCEPT/TrustManagement
-peter
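
An added example, not part of the original post and not Shibboleth code: a sketch of the consumer-side check discussed above, showing that re-reading an unchanged cached file never moves its expiry and that every entity in it drops out once the expiry passes. It assumes the expiry is the SAML `validUntil` attribute on the metadata root, takes the 14-day window from the question, and skips signature verification; the sample XML and entityID are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: an aggregate the publisher signed with a fixed validUntil.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}"
    validUntil="2015-10-02T09:00:00Z">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""


def valid_until(xml_text):
    """Return the root element's validUntil as an aware datetime, or None."""
    raw = ET.fromstring(xml_text).get("validUntil")
    if raw is None:
        return None
    # Assumption: whole-second UTC timestamps ending in "Z".
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def usable_entities(xml_text, now, max_validity=timedelta(days=14)):
    """Entity IDs still usable at `now`; empty once the cached copy is rejected."""
    expiry = valid_until(xml_text)
    if expiry is None:
        return []  # no expiry stated: staleness of the copy cannot be bounded
    if expiry - now > max_validity:
        return []  # publisher's validity window is longer than local policy allows
    if now >= expiry:
        return []  # expired: every entity in the cached copy becomes unknown
    root = ET.fromstring(xml_text)
    return [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]


if __name__ == "__main__":
    # The same cached file checked on different days: only the clock changes.
    for day in ("2015-09-18", "2015-10-01", "2015-10-03"):
        now = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc, hour=10)
        print(day, usable_entities(SAMPLE, now))
```

The expiry lives inside the published document, so only a re-signed and re-published aggregate with a later `validUntil` extends it.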

