The validUntil attribute in SP metadata: should we require it?
makst at upenn.edu
Fri Sep 13 09:50:02 EDT 2019
I almost always delete the validUntil attribute from the sp metadata that I can edit.
My reasoning is this:
SPs that use a short-lived validUntil either want to pressure me into doing an HTTP metadata config or don't realize it's in there. We don't accept HTTP metadata, we only do localDynamic or InCommon. If a short-lived value slips through, then they call us a week later to ask why the IdP is rejecting their AuthnRequests.
For SPs that use long-lived validUntils, such as a ten-year period, I sometimes leave them in there, but I tend not to because I figure ten years from now, when this stops working, no one will know who to point the finger at or might not realize how to fix it. These people are setting a ten-year bomb to explode for no good reason.
On 9/13/19, 9:43 AM, "users on behalf of shibboleth655 at lewenberg.com" <users-bounces at shibboleth.net on behalf of shibboleth655 at lewenberg.com> wrote:
We run a local federation for on-campus SPs. These SPs are both
locally-run applications as well as third-party cloud applications. Some
of the submitted SP metadata has the validUntil attribute, most does not.
Many (most?) of our SPs would rather omit it entirely as it is just one
more thing that can get in the way of their application working.
When an SP operator asks why they should include the validUntil
attribute I say that if they don't have their own reasons for using
it, it _does_ force life-cycle management.
I would like to hear what other IdP operators do for validUntil: do they
require it? encourage it? reasons?
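The two failure modes described in this thread (a short-lived validUntil that expires before anyone re-runs the metadata process, and a ten-year one that expires after everyone has forgotten it) can be caught before the metadata is loaded. The script below is an added example, not code from the original thread, from the posters, or from the Shibboleth project. It uses only the Python standard library, constructed sample metadata, and thresholds (30 days minimum, 365 days maximum) that are this example's assumptions rather than any Shibboleth default. It classifies each EntityDescriptor's validUntil relative to a fixed "now" and shows how to strip the attribute the way the reply above describes.

```python
"""Check (or strip) the validUntil attribute on SAML SP metadata before
loading it into an IdP. Added example: not from the thread or from Shibboleth;
only the Python standard library is used."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % MD_NS

# Constructed sample metadata (hypothetical entityIDs) for the cases discussed
# in the thread: short-lived, ten-year, already expired, and no validUntil.
SHORT_LIVED = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp-short.example.edu/shibboleth"
    validUntil="2019-09-20T00:00:00Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

TEN_YEAR = SHORT_LIVED.replace("2019-09-20T00:00:00Z", "2029-09-13T00:00:00Z")
EXPIRED = SHORT_LIVED.replace("2019-09-20T00:00:00Z", "2019-09-01T00:00:00Z")
NO_VALID_UNTIL = SHORT_LIVED.replace('\n    validUntil="2019-09-20T00:00:00Z"', "")

# Fixed reference time so the results are reproducible (date of the thread).
NOW = datetime(2019, 9, 13, 13, 50, tzinfo=timezone.utc)


def parse_valid_until(xml_text):
    """Return validUntil as an aware UTC datetime, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != ENTITY_DESCRIPTOR:
        raise ValueError("expected a top-level md:EntityDescriptor, got %s" % root.tag)
    raw = root.get("validUntil")
    if raw is None:
        return None
    # SAML metadata uses xs:dateTime in UTC with a trailing 'Z';
    # datetime.fromisoformat() on older Pythons wants an explicit offset.
    if raw.endswith("Z"):
        raw = raw[:-1] + "+00:00"
    value = datetime.fromisoformat(raw)
    if value.tzinfo is None:
        raise ValueError("validUntil must carry a time zone: %r" % raw)
    return value.astimezone(timezone.utc)


def check_valid_until(xml_text, now=NOW, min_lifetime=timedelta(days=30),
                      max_lifetime=timedelta(days=365)):
    """Classify the descriptor's validUntil as one of:
    'none'    - attribute absent (metadata never expires on its own)
    'expired' - already in the past; the IdP will reject this SP now
    'short'   - expires in less than min_lifetime (the "call us a week later" case)
    'long'    - expires after max_lifetime (the "ten-year bomb" case)
    'ok'      - within the assumed window
    The thresholds are assumptions for this example, not Shibboleth defaults."""
    valid_until = parse_valid_until(xml_text)
    if valid_until is None:
        return "none"
    remaining = valid_until - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < min_lifetime:
        return "short"
    if remaining > max_lifetime:
        return "long"
    return "ok"


def strip_valid_until(xml_text):
    """Return the metadata with validUntil removed from the EntityDescriptor,
    keeping the md namespace as the default namespace on output."""
    ET.register_namespace("", MD_NS)
    root = ET.fromstring(xml_text)
    if root.tag != ENTITY_DESCRIPTOR:
        raise ValueError("expected a top-level md:EntityDescriptor")
    root.attrib.pop("validUntil", None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, doc in [("short-lived", SHORT_LIVED), ("ten-year", TEN_YEAR),
                       ("expired", EXPIRED), ("no validUntil", NO_VALID_UNTIL)]:
        print("%-14s -> %s" % (label, check_valid_until(doc)))
    print(strip_valid_until(SHORT_LIVED))
```

Run against a real descriptor, the 'short' and 'expired' results are the ones to bounce back to the SP operator before the metadata goes into a localDynamic directory; 'long' is the case where stripping the attribute (or replacing it with a lifetime the local process actually re-issues) avoids a surprise outage years later. The check only looks at the top-level EntityDescriptor; an EntitiesDescriptor aggregate would need the same test applied to its own validUntil and to each child.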