Last year we had a long conversation about
MetadataProvider/@expirationWarningThreshold. At the time, I didn't
understand it, and I had lots of questions, some of them very basic.
Thanks for bearing with me.

The good news is, I understand expirationWarningThreshold now, having
recently implemented something similar in bash. I would modify the
wiki documentation if it weren't for one small detail: I rather
strongly believe the config parameter should be called
expirationWarningInterval, not expirationWarningThreshold. In that
case, I would update the documentation as shown at the end of this

I know you dislike this kind of feedback but there you have it. To
compensate, I contributed a story about a metadata early warning
system for the Shibboleth IdP:

The story includes lots of documentation and examples. Enjoy :-)

For an *early* warning system, I think the @creationInstant attribute
is more important than the @validUntil attribute. By the time the
metadata is about to expire, it is too late!

Happy New Year!
Type: ISO 8601 Duration

Short Description: The right-hand endpoint of the Expiration Warning
Interval is the value of the @validUntil attribute in metadata. The
length of the interval is given by the value of the
expirationWarningInterval config parameter. A warning message is
logged if the current time exceeds the left-hand endpoint of the

The Expiration Warning Interval is determined by its right-hand
endpoint (@validUntil) and its length (expirationWarningInterval). The
latter is configurable.

For each attempted metadata refresh (whether or not fresh metadata is
obtained), an expiration warning message is logged if all of the
following are true:

1. The requireValidMetadata config parameter is set to true (which it
is by default)
2. The @validUntil attribute exists in the metadata
3. The current time exceeds the left-hand endpoint of the Expiration

The default value of expirationWarningInterval is P2D. To disable the
warning feature, set the length to zero (PT0S).

If the @validUntil attribute does not exist in the metadata, the
Expiration Warning Interval cannot be determined and no warning
message is logged. To ensure that the metadata carries a @validUntil
attribute, configure an instance of the RequiredValidUntil metadata
filter into the pipeline process.
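
The warning rule proposed above, worked through as an added example. This is not Shibboleth code and not the author's bash script; the function names are hypothetical, the metadata samples are constructed, and the duration parser assumes only day and time components (P2D, PT0S, P1DT12H).

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumption: durations use only D/H/M/S components, e.g. P2D or PT0S.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")

def parse_duration(text):
    """Convert a supported ISO 8601 duration into a timedelta."""
    match = _DURATION.match(text)
    if not match or text == "P" or text.endswith("T"):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, m, s = (int(v or 0) for v in match.group("d", "h", "m", "s"))
    return timedelta(days=d, hours=h, minutes=m, seconds=s)

def parse_valid_until(metadata_xml):
    """Return the root element's @validUntil as an aware datetime, or None."""
    # Constructed input only; real metadata needs a hardened XML parser.
    value = ET.fromstring(metadata_xml).get("validUntil")
    if value is None:
        return None
    # Assumption: UTC timestamp with whole seconds and a trailing "Z".
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def should_warn(metadata_xml, now, interval="P2D", require_valid_metadata=True):
    """Apply the three conditions listed above, plus the PT0S off switch."""
    valid_until = parse_valid_until(metadata_xml)
    length = parse_duration(interval)
    if not require_valid_metadata:      # condition 1
        return False
    if valid_until is None:             # condition 2: interval undetermined
        return False
    if length == timedelta(0):          # zero length disables the warning
        return False
    left_endpoint = valid_until - length
    return now > left_endpoint          # condition 3

# Constructed samples: one with @validUntil, one without.
SAMPLE = ('<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
          'validUntil="2024-01-15T00:00:00Z"/>')
NO_VALID_UNTIL = '<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>'

if __name__ == "__main__":
    now = datetime(2024, 1, 13, 0, 0, 1, tzinfo=timezone.utc)
    print("default P2D:", should_warn(SAMPLE, now))
    print("disabled PT0S:", should_warn(SAMPLE, now, interval="PT0S"))
    print("no validUntil:", should_warn(NO_VALID_UNTIL, now))
```
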