The Kentor.AuthServices SAML2 Service Provider has gained one important improvement that simplifies operations: automatic metadata refresh. Identity providers and federations configured by loading metadata are now automatically refreshed based on the cache duration settings in the received metadata. Especially for federation setups this significantly simplifies operations. When new identity providers are added to the federation, they are automatically made available in AuthServices, and any removed identity providers are pruned from the active list.
- Automatic refresh of metadata.
- StubIdp metadata contains cacheDuration.
- Configuration option for metadataUrl for identity providers.
Automatic Refresh of Metadata
When AuthServices is configured to load metadata for an identity provider or a federation, it now periodically reloads the metadata. The reload interval is based on the cacheDuration and validUntil attributes of the downloaded metadata. Reloading is scheduled after half the remaining validity time, so that if a metadata download fails, a retry can be scheduled while the existing metadata is still valid. If the validity period expires before the metadata can be refreshed, the affected identity providers are disabled.
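The scheduling rule above is easy to get subtly wrong (which of validUntil and cacheDuration wins, what happens on a failed download, when an identity provider is switched off). The following stand-alone model of it is an added example and is not AuthServices' own code. It parses the two attributes from a constructed metadata document, computes the expiry as the earlier of the two, schedules the next reload at half the remaining validity, keeps the old metadata when a download fails, and disables the identity provider once the validity period has run out. The one-minute floor on the reload delay and the five-minute retry interval after expiry are assumptions, not behaviour stated in the release notes. It does no network access and no signature verification; the fetch callable is where a real implementation would do both.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumptions (not stated in the release notes): a floor on the reload delay so
# the repeated halving never degenerates into a tight loop, and a retry interval
# used once the metadata has expired and the IdP has been disabled.
MIN_REFRESH_DELAY = timedelta(minutes=1)
RETRY_AFTER_EXPIRY = timedelta(minutes=5)

# Constructed sample metadata (not from any real IdP) carrying both attributes.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/Metadata"
    cacheDuration="PT1H"
    validUntil="2015-01-01T12:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_duration(value):
    """Parse the PnDTnHnMnS subset of ISO 8601 durations used in cacheDuration."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?", value)
    if m is None or value in ("P", "PT"):
        raise ValueError("unsupported cacheDuration: %r" % value)
    days, hours, minutes, seconds = (float(g) if g else 0.0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_valid_until(value):
    """SAML dateTime values are UTC with a trailing Z, with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported validUntil: %r" % value)


def metadata_expiry(xml_text, fetched_at):
    """Instant at which the downloaded metadata stops being valid: the earlier of
    validUntil and fetched_at + cacheDuration. Raises if neither is present."""
    root = ET.fromstring(xml_text)
    if root.tag not in ("{%s}EntityDescriptor" % MD_NS, "{%s}EntitiesDescriptor" % MD_NS):
        raise ValueError("unexpected root element %s" % root.tag)
    candidates = []
    if "validUntil" in root.attrib:
        candidates.append(parse_valid_until(root.attrib["validUntil"]))
    if "cacheDuration" in root.attrib:
        candidates.append(fetched_at + parse_duration(root.attrib["cacheDuration"]))
    if not candidates:
        raise ValueError("metadata carries neither validUntil nor cacheDuration")
    return min(candidates)


def next_refresh(expiry, now):
    """Reload after half the remaining validity, so a failed download still
    leaves room for retries before the current metadata expires."""
    remaining = expiry - now
    return now + max(remaining / 2, MIN_REFRESH_DELAY)


class IdentityProvider:
    def __init__(self, entity_id, fetch):
        self.entity_id = entity_id
        self.fetch = fetch          # callable returning metadata XML, or raising
        self.enabled = False
        self.expiry = None
        self.next_refresh_at = None

    def refresh(self, now):
        """One scheduler tick: try to download; keep the old metadata on failure;
        disable the IdP if what we hold has expired. Returns the next tick time."""
        try:
            self.expiry = metadata_expiry(self.fetch(), now)
        except Exception:
            pass  # failed download or unparsable metadata: keep the previous copy
        if self.expiry is not None and self.expiry > now:
            self.enabled = True
            self.next_refresh_at = next_refresh(self.expiry, now)
        else:
            self.enabled = False
            self.next_refresh_at = now + RETRY_AFTER_EXPIRY
        return self.next_refresh_at


class ScriptedFetcher:
    """Test double: returns the scripted outcomes in order (XML text or an exception)."""
    def __init__(self, outcomes):
        self.outcomes = list(outcomes)

    def __call__(self):
        outcome = self.outcomes.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example.org/Metadata",
                           ScriptedFetcher([SAMPLE_METADATA, IOError("timeout"), IOError("timeout")]))
    now = utc(2015, 1, 1, 10, 0)
    for _ in range(3):
        now = idp.refresh(now)
        print(now.isoformat(), "enabled=%s expiry=%s" % (idp.enabled, idp.expiry))
```

Running it walks one identity provider through a successful load at 10:00 (expiry 11:00, next reload 10:30) and two failed downloads, each of which halves the remaining window again (10:45, then 10:52:30) without taking the provider offline; only a tick after 11:00 with no fresh metadata flips it to disabled.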
StubIdp metadata Contains cacheDuration
As part of the automatic refresh of metadata, the stub idp has been improved to include cacheDuration attributes in its metadata. Having either cacheDuration or validUntil is required by the SAML2 metadata specification, so we've actually not followed the spec before.
Configuration option for metadataUrl
For SAML2 entities (e.g. a service provider) it is recommended that the Url of the metadata is used as the Entity Id. This makes it simple to find out where the metadata for a given entity is located. So far AuthServices has only supported loading metadata from the Entity Id Url. This has now been improved by adding a metadataUrl setting for identity providers, where a specific location for the metadata can be provided.
returnUri Renamed to returnUrl in Configuration
The config parameter returnUri has been renamed to returnUrl in the configuration. It is a Url, so it should be named that. All Urls are Uris (l = location, i = identifier), but not all Uris are Urls, so a name with Url makes more sense.
With this release done I unfortunately have to slow down on the active development of AuthServices. All features required for the current project where AuthServices will be used are now completed, which means that I have to focus on other projects. I will continue to monitor incoming pull requests, answer questions and occasionally do some coding. Any critical bugs will be fixed as part of the maintenance of the applications where we use AuthServices. For issues that are not affecting us or our paying customers it will be harder to find time for work though.
To be assured of support (and not rely on us doing this when we have time left over) Kentor are offering commercial support. We are also happy to provide development on commercial terms for any further features that anyone requires.