SP Metadata is incorrect

[mikewiacek]

The first two lines of the metadata generated by my service provider code is wrong:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2017-10-28T00:05:27.336Z" entityID="https://vtsaml-dev.googleplex.com/saml/shib/meta">
  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="0001-01-01T00:00:00Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">

If you notice the validUntil on SPSSODescriptor is the zero time.Time value. Most IDPs seem to ignore it, but testshib.org does not. It won't encrypt responses with my public key, because the metadata says the key has expired.

[SelfDrivingCarp]

/sub

[wz2b]

There is also a specification recommendation violation here:

When used as the root element of a metadata instance, this element MUST contain either a validUntil or cacheDuration attribute. It is RECOMMENDED that only the root element of a metadata instance contain either attribute.

See the [specification[(https://groups.oasis-open.org/higherlogic/ws/public/download/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf) section 2.3.1. There are two parts to this issue:

1. The spec says you MUST have either validUntil or cacheDuration but the schema specification does not agree that it's required to have one or the other.
2. The validUntil is optional but because this library is configured using a duration, and zero means "default", there's no way to specify that you want the duration omitted.

My IT department specifically asked that my metadata not include either. The reason has to do with the security implications of having "dynamic" metadata. They ignore your metadata after the initial configuration, so changes require admin intervention (which includes key rotation). I'm not making any statements on whether or not I think this is a good decision.