> Does the IdP do any validity checking of certificates or does it simply ignore the
> expiry data?

No. What we do is exactly what's defined in the standard.

https://wiki.oasis-open.org/security/SAML2MetadataIOP

Unless you only care about Shibboleth IdPs, that's not going to matter much.

-- Scott