The validUntil attribute in SP metadata: should we require it?

Mak, Steve makst at
Fri Sep 13 09:50:02 EDT 2019

I almost always delete the validUntil attribute from the sp metadata that I can edit.

My reasoning is this: 
SPs that use a short-lived validUntil either want to pressure me into doing an HTTP metadata config or they don't realize it's in there. We don't accept HTTP metadata; we only do localDynamic or InCommon. If a short-lived value slips through, then they call us to ask why the IdP is rejecting their AuthnRequests a week later.

For SPs that use long-lived validUntils, such as a ten-year period, I sometimes leave them in there, but I tend not to, because I figure that ten years from now, when this stops working, no one will know who to point the finger at or might not realize how to fix it. These people are setting a ten-year bomb to explode for no good reason.

On 9/13/19, 9:43 AM, "users on behalf of shibboleth655 at" <users-bounces at on behalf of shibboleth655 at> wrote:

We run a local federation for on-campus SPs. These SPs are both locally-run applications as well as third-party cloud applications. Some of the submitted SP metadata has the validUntil attribute; most does not.

Many (most?) of our SPs would rather omit it entirely, as it is just one more thing that can get in the way of their application working.

When an SP operator asks why they should include the validUntil attribute, I say that if they don't have their own reasons for using it, it _does_ force life-cycle management.

I would like to hear what other IdP operators do for validUntil: do they require it? encourage it? reasons?
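
Neither message posts any code, so the following is an added example, not code from the Shibboleth project or from either poster. It shows what the two positions above look like when turned into a metadata intake check: parse the validUntil attribute on an SP's EntityDescriptor, flag the "expires next week" case (the IdP will start rejecting AuthnRequests once it passes) and the "ten-year bomb" case, and, for operators who take Steve's approach, strip the attribute before the metadata goes into the local store. The 30-day and 5-year thresholds, the fixed audit time (set to the thread's date so the output is reproducible) and the minimal SP metadata built by make_sp_metadata are all constructed for this example; substitute real metadata files and your own policy numbers.

```python
"""Audit validUntil on SAML 2.0 SP metadata and optionally strip it.

Added example for this thread; not code from the Shibboleth project or
from either poster. Thresholds and sample metadata are constructed here.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Assumed policy thresholds (not from the thread): anything expiring within
# SHORT_LIVED is the "they call us a week later" case; anything beyond
# LONG_LIVED is the "ten-year bomb" case.
SHORT_LIVED = timedelta(days=30)
LONG_LIVED = timedelta(days=5 * 365)

# Fixed "now" so the results are reproducible; matches the thread's date.
AUDIT_TIME = datetime(2019, 9, 13, 13, 43, tzinfo=timezone.utc)


def parse_valid_until(value: str) -> datetime:
    """Parse an xs:dateTime as written in SAML metadata.

    Metadata almost always uses a trailing 'Z'; fromisoformat() on older
    Pythons does not accept it, so normalise it to '+00:00'. A value with
    no zone at all is treated as UTC.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def classify(metadata_xml: str, now: datetime = AUDIT_TIME) -> dict:
    """Return entityID, validUntil status and days remaining for one EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    result = {"entityID": root.get("entityID"), "validUntil": root.get("validUntil")}
    raw = result["validUntil"]
    if raw is None:
        result.update(status="absent", remaining_days=None)
        return result
    remaining = parse_valid_until(raw) - now
    if remaining <= timedelta(0):
        status = "expired"       # the IdP will no longer resolve this entity
    elif remaining <= SHORT_LIVED:
        status = "short-lived"   # will expire before anyone notices
    elif remaining >= LONG_LIVED:
        status = "long-lived"    # nobody will remember why it broke
    else:
        status = "ok"
    result.update(status=status, remaining_days=remaining.days)
    return result


def strip_valid_until(metadata_xml: str) -> str:
    """Remove validUntil from the root EntityDescriptor (the 'just delete it' option)."""
    root = ET.fromstring(metadata_xml)
    root.attrib.pop("validUntil", None)
    return ET.tostring(root, encoding="unicode")


def make_sp_metadata(entity_id: str, valid_until: str | None = None) -> str:
    """Constructed minimal SP metadata for the demo; not real SP output."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}"{attr}>\n'
        '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        '    <md:AssertionConsumerService'
        ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
        f' Location="{entity_id}/Shibboleth.sso/SAML2/POST" index="1"/>\n'
        '  </md:SPSSODescriptor>\n'
        '</md:EntityDescriptor>\n'
    )


if __name__ == "__main__":
    samples = {
        "none": make_sp_metadata("https://sp1.example.edu/shibboleth"),
        "week": make_sp_metadata("https://sp2.example.edu/shibboleth", "2019-09-20T13:43:00Z"),
        "year": make_sp_metadata("https://sp3.example.edu/shibboleth", "2020-09-13T13:43:00Z"),
        "decade": make_sp_metadata("https://sp4.example.edu/shibboleth", "2029-09-13T13:43:00Z"),
        "past": make_sp_metadata("https://sp5.example.edu/shibboleth", "2019-09-06T13:43:00Z"),
    }
    for name, xml in samples.items():
        r = classify(xml)
        print(f"{name:7s} {r['status']:11s} remaining={r['remaining_days']} {r['entityID']}")
    print(strip_valid_until(samples["decade"]))
```

Run it against a directory of submitted SP metadata with a real `datetime.now(timezone.utc)` and treat "expired" and "short-lived" as reasons to bounce the submission back to the SP operator, which is the conversation both posters would rather have at intake than a week after go-live. Stripping the attribute is only safe for metadata you control locally (the localDynamic case); for metadata pulled from a federation aggregate, the validUntil is the aggregate operator's signal and should be left alone.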
