Invalid Metadata on different versions of IdP

Tom Scavo trscavo at gmail.com
Thu Aug 30 09:53:09 EDT 2018


On Thu, Aug 30, 2018 at 6:51 AM Michael Dahlberg <olgamirth at gmail.com> wrote:
>
> That fixed it.  I'm not sure why though.

That metadata should produce the same results on both versions of your
IdP. Does it?

> I always thought the "validUntil" option was more of a suggestion rather than an actual validity range.

That is a common misperception. The validUntil attribute in metadata
is strictly enforced (unless the deployer explicitly relaxes that
behavior).

> The reason I came to this conclusion was because a number of other SPs' metadata had "ValidUntil" values that would have resulted in expired metadata.

I don't think so. Can you provide evidence of this?

> Also, the process log contains many statements like
>
> 06:42:21.742 - WARN [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:441] - [] - Metadata Resolver FilesystemMetadataResolver bomgarMD: Entire metadata document from '/usr/local/idp/metadata/bomgar.xml' was expired at time of loading, existing metadata retained
> 06:42:21.742 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:324] - [] - Metadata Resolver FilesystemMetadataResolver bomgarMD: Next refresh cycle for metadata provider '/usr/local/idp/metadata/bomgar.xml' will occur on '2018-08-30T10:47:21.742Z' ('2018-08-30T06:47:21.742-04:00' local time)

This is what I would expect although I'm not sure what metadata is
being retained.

> Am I incorrect?  Should I be monitoring the loaded metadata from my SPs for valid validity ranges?

Can you first post the metadata provider you're using to load this
metadata. Something's fishy.

Thanks,

Tom
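The behaviour Tom describes (validUntil strictly enforced, an expired document rejected at load with the previously loaded copy retained, as the quoted WARN line shows) can be checked locally before the IdP ever sees a file. The following is an added example, not code from the thread or from the Shibboleth project: it parses SAML metadata, reports the validUntil on the document and on each EntityDescriptor against a supplied clock, and mirrors the retain-on-expiry loading rule. The sample metadata, entityIDs and file names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: a single SP whose validUntil already lies in the past
# relative to the clock used in the thread (late August 2018).
EXPIRED_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://expired-sp.example.org/shibboleth"
    validUntil="2018-08-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://expired-sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: an aggregate with a document-level validUntil, one entity
# with its own (earlier) validUntil and one with none.
FRESH_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2018-09-13T00:00:00Z">
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth"
      validUntil="2018-09-05T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_saml_datetime(value):
    """Parse an xsd:dateTime as written in SAML metadata into an aware UTC datetime.
    Accepts a trailing 'Z' or a numeric offset; a naive value is taken as UTC."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def validity_report(xml_text, now=None):
    """Return a list of (scope, valid_until, expired) tuples.

    scope is 'document' for the root element and the entityID for each
    EntityDescriptor inside an EntitiesDescriptor. valid_until is None when
    the element carries no validUntil attribute (then it cannot be expired
    on that basis)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = []

    def inspect(elem, scope):
        raw = elem.get("validUntil")
        if raw is None:
            report.append((scope, None, False))
        else:
            valid_until = parse_saml_datetime(raw)
            report.append((scope, valid_until, valid_until <= now))

    inspect(root, "document")
    if root.tag == MD + "EntitiesDescriptor":
        for entity in root.iter(MD + "EntityDescriptor"):
            inspect(entity, entity.get("entityID"))
    return report


class RetainingMetadataResolver:
    """Models the loading rule visible in the quoted IdP log: a document whose
    validUntil has passed is refused at load time and whatever was loaded
    before is kept. This is an illustrative model, not the IdP's own code."""

    def __init__(self):
        self.current = None   # last accepted metadata document (XML text)
        self.events = []      # human-readable record of each load attempt

    def load(self, source_name, xml_text, now=None):
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(xml_text)
        raw = root.get("validUntil")
        if raw is not None and parse_saml_datetime(raw) <= now:
            self.events.append(
                f"WARN Entire metadata document from '{source_name}' was expired "
                f"at time of loading, existing metadata retained")
            return False
        self.current = xml_text
        self.events.append(f"INFO Loaded metadata document from '{source_name}'")
        return True


if __name__ == "__main__":
    clock = datetime(2018, 8, 30, 10, 42, 21, tzinfo=timezone.utc)
    for scope, valid_until, expired in validity_report(FRESH_METADATA, clock):
        print(f"{scope}: validUntil={valid_until} expired={expired}")
    resolver = RetainingMetadataResolver()
    resolver.load("fresh.xml", FRESH_METADATA, clock)
    resolver.load("expired-sp.xml", EXPIRED_SP_METADATA, clock)
    print("\n".join(resolver.events))
```

Run against a directory of per-SP files with the real clock to answer the question in the thread: any file whose document-level validUntil is in the past will never be loaded by the IdP, and an entity-level validUntil in the past marks that entity as unusable even when the enclosing document is still valid.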

