[External] ShibV4-LdapCognito Issue

Cantor, Scott cantor.2 at osu.edu
Fri Apr 24 19:09:35 EDT 2020

On 4/24/20, 6:07 PM, "users on behalf of leosimon" <users-bounces at shibboleth.net on behalf of leosimon at digital-nirvana.com> wrote:

> So the idp metadata xml is not changing even after modifying settings to
> shibboleth and restart service but I am not sure why it was generated with
> validUntil restriction.

Because we want people to think about what they're doing with metadata. It is insecure to use metadata with no expiration because expiration is the only way to limit the validity of the keys in the metadata when inline trust models are used.

> Also, if we want to make the idp metadata refresh in regular intervals, not sure what to do.

Cognito, unusually for commercial code, automatically refreshes metadata from a source URL. It doesn't do it securely (there's no signature checking done and various other problems), and it does it every minute the last time I checked, which is ridiculous, but as commercial SAML goes that's about as good as it gets.

-- Scott
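The two points in the reply above (an expiring validUntil bounds how long the keys in the metadata are trusted, and a consumer that refreshes from a URL without signature checking has nothing to verify) can be turned into a pre-flight check on a metadata file. The script below is an added example, not Scott's code and not part of the Shibboleth IdP or Cognito; the embedded metadata is constructed, with a placeholder entityID and certificate. It reports whether validUntil is present and unexpired, what cacheDuration says about refresh frequency, and whether a ds:Signature element is present at all. It only detects the presence of a signature; verifying one needs an XML-DSig library and the publisher's known signing key, which this example does not attempt.

```python
"""Sanity checks on SAML metadata before trusting it (added example)."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata: entityID and certificate are placeholders,
# and it is deliberately unsigned so the signature finding is exercised.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth"
    cacheDuration="PT1H"
    validUntil="2020-05-24T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_saml_datetime(value):
    """Parse an xsd:dateTime as SAML metadata emits it (UTC, trailing 'Z')."""
    if isinstance(value, dt.datetime):
        return value
    if value.endswith("Z"):
        value = value[:-1]
    parsed = dt.datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=dt.timezone.utc)
    return parsed


def check_metadata(xml_text, now=None):
    """Return findings on validUntil, cacheDuration and signature presence.

    'ok' is True only when validUntil is present, has not passed, and the
    document carries a ds:Signature element. Signature presence is all that
    is checked here; cryptographic verification is out of scope.
    """
    now = _parse_saml_datetime(now) if now else dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)  # trusted local input in this example
    findings = {
        "entity_id": root.get("entityID"),
        "valid_until": None,
        "expired": None,
        "cache_duration": root.get("cacheDuration"),
        "signed": root.find("ds:Signature", NS) is not None,
        "signing_keys": len(root.findall(".//md:KeyDescriptor[@use='signing']", NS)),
        "problems": [],
    }
    valid_until = root.get("validUntil")
    if valid_until is None:
        findings["problems"].append(
            "no validUntil: keys in this metadata never expire under inline trust")
    else:
        expiry = _parse_saml_datetime(valid_until)
        findings["valid_until"] = expiry
        findings["expired"] = now >= expiry
        if findings["expired"]:
            findings["problems"].append("validUntil %s has passed" % valid_until)
    if not findings["signed"]:
        findings["problems"].append(
            "metadata is not signed: a consumer refreshing it from a URL cannot verify it")
    findings["ok"] = not findings["problems"]
    return findings


if __name__ == "__main__":
    # Evaluate the constructed sample as of the date of the thread above.
    for key, value in check_metadata(SAMPLE_METADATA, now="2020-04-24T23:09:35Z").items():
        print("%-15s %s" % (key, value))
```

Run against a real IdP's metadata file, the interesting cases are a missing validUntil (the situation the original poster was surprised not to be in) and a cacheDuration far shorter than the publisher's actual key rotation, which only drives needless refresh traffic.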
