MetadataProvider and update

Jan Vilhuber JVilhuber at
Thu May 11 02:26:22 EDT 2017

I'm wondering about how best to implement something: In the UI of my app, for each customer, I want to be able to support them adding their IDP (upload metadata, manual entry, whatever). I need this new (or perhaps removed if they disable the IDP) information to be available on the Shibboleth-SP proxy. I realize I can have timed refreshes of the MetadataProvider (using url and refreshTimeout).

But polling is, of course, notoriously bad for this kind of scenario, I think: It's going to be a relatively rare occurrence that someone adds their IDP, and once added, it probably won't change very often at all. But when added, users will want/need to test the setup, so the new IDP should be available to the SP very quickly.

I don't want to set the refreshTimeout to something like 1 minute to make sure the SP sees the new IDP in a reasonable amount of time, since the other 29 days of the month will just be useless polling.

Is there a better mechanism? Could the SP refresh automatically (perhaps subject to a min-refresh interval?) if an entityId is used that it doesn't have metadata for? That way I could set the refreshTimer very high (or even infinite, in a perfect world...), and the SP will update on demand (due to a 'cache miss' so to speak).

I saw a mention of 'Dynamic MetadataProvider', which tries to fetch the metadata based on the entityId URL, but that requires me to validate the remotely fetched metadata (my current scheme publishes a federated metadata file, so I can validate it with a single certificate), and also requires all IDPs to publish the metadata at that URL (I think... I haven't read all the details of the dynamic approach), which I expect isn't widely done (is it?).

Any other approaches I've missed that I can do via the Shibboleth-SP (as opposed to custom schemes I implement outside of the SP)?

