Kentor.AuthServices 0.9.0 SAML2 for ASP.NET Released

The Kentor.AuthServices SAML2 Service Provider has got one important improvement for simplified operations: automatic metadata refresh. Identity providers and federations configured by loading metadata are now automatically refreshed based on the cache duration settings in the received metadata. Especially for federation setups this significantly simplifies the operations. When new identity providers are added to the federation, those are automatically made available in AuthServices and any removed identity providers are pruned from the active list.

The core AuthServices, MVC and Owin packages are all available for download on Nuget. The source and issue list are on GitHub.


  • Automatic refresh of metadata.
  • StubIdp metadata contains cacheDuration.
  • Configuration option for metadataUrl for identity providers.
  • returnUri renamed to returnUrl in configuration.

Automatic Refresh of Metadata

When AuthServices is configured to load metadata for an identity provider or a federation, it now periodically reloads the metadata. The reload interval is based on the cacheDuration or validUntil attributes of the downloaded metadata. Reloading is scheduled after half the remaining validity time. This way, if metadata download fails, a retry can be scheduled while the existing metadata is still valid. If the validity period expires before metadata can be refreshed the affected identity providers are disabled.
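The scheduling rule described above, as an added C# example that is not AuthServices' own code. The `MetadataRefreshPlan` type, its members, the sample metadata and the rule that the earlier expiry wins when both attributes are present are assumptions made for illustration.

```csharp
using System;
using System.Xml;
using System.Xml.Linq;
// Hypothetical type for illustration; not part of the AuthServices API.
public sealed class MetadataRefreshPlan
{
    public DateTime ValidUntil { get; }
    public DateTime NextReload { get; }
    private MetadataRefreshPlan(DateTime validUntil, DateTime nextReload) { ValidUntil = validUntil; NextReload = nextReload; }

    // Expiry comes from cacheDuration (xs:duration) or validUntil (xs:dateTime) on the
    // metadata root. Assumption: when both are present, the earlier expiry wins.
    public static MetadataRefreshPlan FromMetadata(string xml, DateTime nowUtc)
    {
        XElement root = XDocument.Parse(xml).Root;
        DateTime? expiry = null;
        string cacheDuration = (string)root.Attribute("cacheDuration");
        if (cacheDuration != null) expiry = nowUtc + XmlConvert.ToTimeSpan(cacheDuration);
        string validUntil = (string)root.Attribute("validUntil");
        if (validUntil != null)
        {
            DateTime until = XmlConvert.ToDateTime(validUntil, XmlDateTimeSerializationMode.Utc);
            if (expiry == null || until < expiry.Value) expiry = until;
        }
        if (expiry == null) throw new InvalidOperationException("No cacheDuration or validUntil in metadata.");
        return Schedule(expiry.Value, nowUtc);
    }

    // Reload after half the remaining validity. After a failed download, call again with
    // the unchanged ValidUntil: the retry still lands before the old metadata expires.
    public static MetadataRefreshPlan Schedule(DateTime validUntil, DateTime nowUtc)
    {
        TimeSpan remaining = validUntil - nowUtc;
        DateTime next = remaining > TimeSpan.Zero ? nowUtc + TimeSpan.FromTicks(remaining.Ticks / 2) : nowUtc;
        return new MetadataRefreshPlan(validUntil, next);
    }

    // Once this returns false, the identity providers from this metadata must be disabled.
    public bool IsUsable(DateTime nowUtc) => nowUtc < ValidUntil;

    public static void Main()
    {
        // Constructed sample metadata and clock.
        const string xml = "<EntityDescriptor xmlns='urn:oasis:names:tc:SAML:2.0:metadata' entityID='https://idp.example.com/Metadata' cacheDuration='PT1H' />";
        var now = new DateTime(2015, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        MetadataRefreshPlan plan = FromMetadata(xml, now);
        MetadataRefreshPlan retry = Schedule(plan.ValidUntil, plan.NextReload); // download failed at first reload
        Console.WriteLine("{0:o} {1:o} {2}", plan.NextReload, retry.NextReload, plan.IsUsable(plan.ValidUntil));
    }
}
```

Each failed download halves the remaining window again, so retries become more frequent as expiry approaches and stop being useful only once `IsUsable` turns false.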

StubIdp Metadata Contains cacheDuration

As part of the automatic refresh of metadata, the stub idp has been improved to include cacheDuration attributes in its metadata. Having either cacheDuration or validUntil is required by the SAML2 metadata specification, so we’ve actually not followed the spec before.

Configuration Option for metadataUrl

For SAML2 entities (e.g. a service provider) it is recommended that the Url of the metadata is used as the Entity Id. This makes it simple to find out where to find metadata for the given entity. So far AuthServices has only had support for loading metadata from the Entity Id url. This has now been improved by adding a metadataUrl setting for identity providers, where a specific location for metadata is provided.

returnUri Renamed to returnUrl in Configuration

The config parameter returnUri has been renamed to returnUrl in the configuration. It is a url, so it should be named that. All Urls are Uris (l = location, i = identifier), but all Uris are not Urls, so having a name with Url makes more sense.


With this release done I unfortunately have to slow down on the active development of AuthServices. All features required for the current project where AuthServices will be used are now completed, which means that I have to focus on other projects. I will continue to monitor incoming pull requests, answer questions and occasionally do some coding. Any critical bugs will be fixed as part of the maintenance of the applications where we use AuthServices. For issues that are not affecting us or our paying customers it will be harder to find time for work though.

To be assured of support (and not relying on us doing this when we have time left over) Kentor are offering commercial support. We are also happy to provide development on commercial terms for any further features that anyone requires.
