Cliquez ici pour la version française
SAML metadata generation is a sensitive process because these metadata are used in an heterogeneous environment and the federation operator cannot fully test the behavior of SAML entities regarding SAML metadata. This observation and our 10 years of experience with running a federation led us to a workflow to increase the level of assurance of our SAML metadata. This workflow relies on the participating institutions' participation. Our goal is to reduce the risks of disruptions of the service while preventing metadata files corruption.
Metadata files of production federations (all except the Test federation) get published in different versions, corresponding to a maturation process from preview to intermediate and main, see the schema below.
This process help make the production metadata more reliable: the less critical services will use a frozen of the metadata (names intermediate); le more critical services will use experienced metadata (main version) that have been used during half a day in their intermediate form. The preview metadata version is of interest if update frequency matters.
RENATER previously published SAML metadata files hourly, with no maturation process for metadata.
Versions available for each federation:
| versions | preview | intermediate | main | |
|---|---|---|---|---|
| Fédération Education-Recherche | preview-sps-renater-metadata.xml preview-idps-renater-metadata.xml preview-all-renater-metadata.xml | intermediate-sps-renater-metadata.xml intermediate-idps-renater-metadata.xml intermediate-all-renater-metadata.xml | main-sps-renater-metadata.xml main-idps-renater-metadata.xml main-all-renater-metadata.xml | |
| Qualification federation | preview-sps-qualif-metadata.xml preview-idps-qualif-metadata.xml preview-all-qualif-metadata.xml | intermediate-sps-qualif-metadata.xml intermediate-idps-qualif-metadata.xml intermediate-all-qualif-metadata.xml | main-sps-qualif-metadata.xml main-idps-qualif-metadata.xml main-all-qualif-metadata.xml | |
| Local federations | URL not public | URL not public | URL not public | |
| eduGAIN interfederation | preview-sps-edugain-metadata.xml preview-idps-edugain-metadata.xml preview-all-edugain-metadata.xml | intermediate-sps-edugain-metadata.xml intermediate-idps-edugain-metadata.xml intermediate-all-edugain-metadata.xml | man-sps-edugain-metadata.xml main-idps-edugain-metadata.xml main-all-edugain-metadata.xml | |
| Test federation | preview-sps-renater-test-metadata.xml preview-idps-renater-test-metadata.xml preview-all-renater-test-metadata.xml | NONE | NONE |
Here is the naming schema <version>-<role>-<federation>-metadata.xml where :
The below array shows caracteristics of each metadata files version and our recommandations regarding their usage. However each SP/IdP administrator may choose which metadata version best fits his service constraints.
| versions | preview | intermediate | main |
|---|---|---|---|
| publication frequency | every 30 minutes | daily at 8AM and 2PM | quotidiennement (sauf le week-end) à 8h et 14h |
| caracteristics | for a quick reload of latest updates in the federation registry | recent data from the federation registry. This version aims at validating metadata that will become the main version | metadata being validated during half a day in the intermediate version |
| recommanded usage | suggested for pre-production services | suggested for non critical services | suggested for critical services |
Depending on which metadata file version you load, it will take more time before your SP/IdP takes other SAML entities updates into account. You should therefore consider this propagation delay while updating your SP/IdP informations via the federation registry, to find out when other SAML entities registered in the same federation might get your updated information.
As an example, after an update via the federation registry, new informations will get published:
You should also take into account the metadata reload frequency at each SP/IdP; RENATER recommends it to be hourly.
See this documentation (French only).
For eduGAIN metadata, you also need to consider the delay for metadata to be transmitted from one federation operator to another.
See the eduGAIN documentation (French only).
