Tom Scavo
Last year we had a long conversation about
MetadataProvider/@expirationWarningThreshold. At the time, I didn't
understand it, and I had lots of questions, some of them very basic.
Thanks for bearing with me.

The good news is, I understand expirationWarningThreshold now, having
recently implemented something similar in bash. I would modify the
wiki documentation if it weren't for one small detail: I rather
strongly believe the config parameter should be called
expirationWarningInterval, not expirationWarningThreshold. In that
case, I would update the documentation as shown at the end of this

I know you dislike this kind of feedback but there you have it. To
compensate, I contributed a story about a metadata early warning
system for the Shibboleth IdP:


The early warning system leverages the @creationInstant attribute in
metadata. Briefly, the following software changes are recommended:

1. Migrate expirationWarningThreshold to expirationWarningInterval
2. Add config parameter freshnessInterval
3. Add config parameter expectedValidityInterval
4. Add metadata filter RequiredCreationInstant

The story includes lots of documentation and examples. Enjoy :-)

For an *early* warning system, I think the @creationInstant attribute
is more important than the @validUntil attribute. By the time the
metadata is about to expire, it is too late!

Happy New Year!


-----begin doc-----
Name: expirationWarningInterval
Type: ISO 8601 Duration
Default: P2D
Short Description: The right-hand endpoint of the Expiration Warning
Interval is the value of the @validUntil attribute in metadata. The
length of the interval is given by the value of the
expirationWarningInterval config parameter. A warning message is
logged if the current time exceeds the left-hand endpoint of the

Long Description:
The Expiration Warning Interval is determined by its right-hand
endpoint (@validUntil) and its length (expirationWarningInterval). The
latter is configurable.

For each attempted metadata refresh (whether or not fresh metadata is
obtained), an expiration warning message is logged if all of the
following are true:

1. The requireValidMetadata config parameter is set to true (which it
is by default)

2. The @validUntil attribute exists in the metadata

3. The current time exceeds the left-hand endpoint of the Expiration
Warning Interval

The default value of expirationWarningInterval is P2D. To disable the
warning feature, set the length to zero (PT0S).

If the @validUntil attribute does not exist in the metadata, the
Expiration Warning Interval cannot be determined and no warning
message is logged. To ensure that the metadata carries a @validUntil
attribute, configure an instance of the RequiredValidUntil metadata
filter into the pipeline process.
-----end doc-----
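An added example, written by the editor rather than taken from Tom's bash implementation or from the Shibboleth IdP code base, that implements the three conditions in the draft documentation above against a constructed aggregate. It takes @validUntil from the root EntitiesDescriptor and @creationInstant from mdrpi:PublicationInfo under md:Extensions (the usual location for that attribute in published aggregates); the semantics of freshnessInterval, which the post names but does not define, are an assumption here (warn when the metadata is older than the interval), and the duration parser handles only the day/time designators, since the default P2D and the disabling value PT0S need no more.

```python
"""Expiration warning check modelled on the expirationWarningInterval doc above.

Added example, not Shibboleth IdP code. The freshnessInterval handling is an
assumed interpretation of the parameter the post proposes.
"""
import re
from datetime import datetime, timedelta

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}

# ISO 8601 duration subset: PnDTnHnMnS. Years/months are rejected on purpose,
# because their length depends on the calendar position of @validUntil.
_DURATION = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(text):
    """Convert e.g. 'P2D' or 'PT0S' into a timedelta."""
    m = _DURATION.match(text)
    if m is None or text in ("P", "PT"):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    return timedelta(**{k: int(v) for k, v in m.groupdict().items() if v is not None})


def parse_instant(text):
    """Parse a UTC xs:dateTime such as 2024-01-20T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def expiration_warning_due(valid_until, now, warning_interval, require_valid_metadata=True):
    """The three conditions from the doc: requireValidMetadata on, @validUntil present,
    and the current time past the left-hand endpoint (validUntil - interval).
    A zero-length interval (PT0S) disables the warning."""
    if not require_valid_metadata or valid_until is None:
        return False
    if warning_interval <= timedelta(0):
        return False
    left_endpoint = valid_until - warning_interval
    return now > left_endpoint


def metadata_instants(xml_text):
    """Return (validUntil, creationInstant) as datetimes, each None when absent."""
    from xml.etree import ElementTree as ET
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    creation = pub.get("creationInstant") if pub is not None else None
    return (parse_instant(valid_until) if valid_until else None,
            parse_instant(creation) if creation else None)


def check_metadata(xml_text, now, expiration_warning_interval="P2D",
                   freshness_interval="P1D", require_valid_metadata=True):
    """Evaluate one refresh attempt and return the warning lines that would be logged."""
    valid_until, creation_instant = metadata_instants(xml_text)
    warnings = []
    if expiration_warning_due(valid_until, now, parse_duration(expiration_warning_interval),
                              require_valid_metadata):
        warnings.append(f"expiration: metadata expires at {valid_until.isoformat()}")
    # Assumed freshnessInterval semantics: warn when the aggregate's age exceeds it.
    fresh = parse_duration(freshness_interval)
    if creation_instant is not None and fresh > timedelta(0) and now - creation_instant > fresh:
        warnings.append(f"freshness: metadata created {creation_instant.isoformat()} is stale")
    return warnings


# Constructed sample aggregate (not real metadata).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    Name="urn:example:constructed" validUntil="2024-01-20T00:00:00Z">
  <md:Extensions>
    <mdrpi:PublicationInfo publisher="urn:example:constructed"
        creationInstant="2024-01-06T00:00:00Z"/>
  </md:Extensions>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for line in check_metadata(SAMPLE_METADATA, parse_instant("2024-01-19T00:00:00Z")):
        print("WARN", line)
```

With the sample above, a refresh on 2024-01-07 logs nothing, a refresh on 2024-01-19 is inside the two-day Expiration Warning Interval and also thirteen days past @creationInstant, so both warnings fire; the freshness warning is the earlier signal, which is the point of the post's preference for @creationInstant.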