fetch SAML metadata from URL if expiring
SAML metadata will sometimes have a `validUntil` on the `md:EntityDescriptor` tag. If this expires, then no one can log in & it just becomes a mess.
AC
- [ ] During loginSAML after parsing the metadata, when the expiration is coming up (e.g. < 6 months away) we should fetch the metadataURL and persist that new metadata to the DB. Fetching new metadata on every login means an extra round trip, which will slow down logins. Never fetching metadata means it may expire. Doing it only when necessary seems like the sweet spot.
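
One way to implement the check described in the issue above, as an added example that is not Parabol's own code: refresh only when `validUntil` is inside the window, and persist the fetched document only if it names the same `entityID` and is not itself expired. The names `SAMLRecord`, `descriptorAttr`, `expiryState`, `refreshIfExpiring`, `fetchXML` and `persist`, the 182-day window and the sample metadata are all assumptions.

```typescript
// Added example: hypothetical names, not Parabol's code.
const REFRESH_WINDOW_MS = 182 * 24 * 60 * 60 * 1000 // ~6 months, the issue's "e.g."

type Expiry = 'none' | 'ok' | 'expiring' | 'expired'
interface SAMLRecord { metadata: string; metadataURL: string | null }

// Reads one attribute from the EntityDescriptor opening tag (any namespace prefix).
// A regex keeps this dependency-free; real code would reuse the login path's XML parser.
const descriptorAttr = (xml: string, attr: string): string | null => {
  const tag = xml.match(/<(?:[\w.-]+:)?EntityDescriptor\b[^>]*>/)?.[0]
  if (!tag) return null
  const m = tag.match(new RegExp(`\\s${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`))
  return m ? (m[1] ?? m[2] ?? null) : null
}

const expiryState = (xml: string, now: Date): Expiry => {
  const raw = descriptorAttr(xml, 'validUntil')
  if (raw === null) return 'none' // no validUntil: nothing to expire
  const msLeft = Date.parse(raw) - now.getTime()
  if (Number.isNaN(msLeft) || msLeft <= 0) return 'expired' // unparseable counts as expired
  return msLeft < REFRESH_WINDOW_MS ? 'expiring' : 'ok'
}

// fetchXML and persist are injected stand-ins for the HTTP client and the DB write.
const refreshIfExpiring = async (
  record: SAMLRecord,
  now: Date,
  fetchXML: (url: string) => Promise<string>,
  persist: (xml: string) => Promise<void>
): Promise<string> => {
  const state = expiryState(record.metadata, now)
  if (state === 'none' || state === 'ok') return record.metadata // common path: no extra round trip
  const url = record.metadataURL
  if (!url || !url.startsWith('https://')) return record.metadata
  const fresh = await fetchXML(url)
  // The metadata carries the IdP signing certificate, so only persist a document
  // that names the same entityID and is not itself expired.
  const id = descriptorAttr(fresh, 'entityID')
  const sameIdP = id !== null && id === descriptorAttr(record.metadata, 'entityID')
  if (!sameIdP || expiryState(fresh, now) === 'expired') return record.metadata
  await persist(fresh)
  return fresh
}

// Constructed sample metadata, not real IdP data.
const sampleMetadata = (validUntil: string): string =>
  `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml" validUntil="${validUntil}"><md:IDPSSODescriptor/></md:EntityDescriptor>`
```

When the fetch is rejected the stored metadata is returned unchanged, so a bad response from the metadata URL cannot replace a working IdP certificate.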