@jdede jdede commented Nov 23, 2025

This PR disables the validUntil attribute in the generated SAML Service Provider (SP) metadata.

Why this is needed

Currently, the underlying php-saml library hardcodes the metadata validity (TIME_VALID) to 2 days and caching (TIME_CACHED) to 1 week (Source: Metadata.php).

In many real-world scenarios, specifically with Identity Providers like Shibboleth, these default windows are too short. This causes the IdP to deny connections or require manual metadata refreshes once the hardcoded time passes.

The getSPMetadata function in Settings.php allows for an $ignoreValidUntil parameter.

  • I have updated the getSPMetadata call to set $ignoreValidUntil to true.
  • This removes the validUntil timestamp from the XML generated at <URL>/saml2/metadata, preventing arbitrary expiration issues.
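
An added example, not part of the original PR or of php-saml: a Python check that reads SP metadata and reports whether a consumer that enforces validUntil would treat the document as expired at a given time. The sample documents, entity ID and timestamps are constructed, and only the `PT<n>S` duration form is parsed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: SP metadata carrying a validUntil two days after ISSUED
# and a one-week cacheDuration. The entity ID is a placeholder.
WITH_VALID_UNTIL = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://sp.example.org/saml2/metadata"
    validUntil="2025-11-25T12:00:00Z" cacheDuration="PT604800S">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
# Constructed sample: the same document with the validUntil attribute omitted.
WITHOUT_VALID_UNTIL = WITH_VALID_UNTIL.replace(' validUntil="2025-11-25T12:00:00Z"', "")

ISSUED = datetime(2025, 11, 23, 12, 0, tzinfo=timezone.utc)  # constructed "now"
LATER = ISSUED + timedelta(days=3)                           # past the 2-day window


def parse_duration_seconds(value):
    """Parse the PT<n>S form of xs:duration; other forms return None."""
    m = re.fullmatch(r"PT(\d+)S", value)
    return int(m.group(1)) if m else None


def check_metadata(xml_text, now):
    """Summarise validity attributes and whether validUntil has passed at `now`."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    valid_until = root.get("validUntil")
    cache = root.get("cacheDuration")
    expires = None
    if valid_until:
        expires = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
        expires = expires.replace(tzinfo=timezone.utc)
    return {
        "entity_id": root.get("entityID"),
        "valid_until": expires,
        "cache_seconds": parse_duration_seconds(cache) if cache else None,
        # Without validUntil there is no expiry for a consumer to enforce.
        "expired": expires is not None and now >= expires,
    }


if __name__ == "__main__":
    for name, doc in (("with", WITH_VALID_UNTIL), ("without", WITHOUT_VALID_UNTIL)):
        for when in (ISSUED, LATER):
            print(name, when.isoformat(), check_metadata(doc, when))
```
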
