SAML metadata will sometimes carry a validUntil attribute on the md:EntityDescriptor tag. Once it expires, nobody can log in, and it just becomes a mess.
AC
[ ] During loginSAML, after parsing the stored metadata, if the validUntil expiration is coming up (e.g. less than 6 months away), fetch the metadataURL and persist the new metadata to the DB. Fetching metadata on every login would add an extra round trip and slow logins down; never fetching it means it may expire. Refreshing only when necessary seems like the sweet spot.
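To make the acceptance criterion concrete, here is an added example (not code from this project) of the refresh decision: it reads validUntil from the root md:EntityDescriptor, treats anything closer than an assumed 182-day window as "coming up", and only persists the fetched document when it parses and actually extends validity, so a bad fetch never replaces working metadata. The fetch and persist callables and the sample metadata are constructed here; the project's real loginSAML and DB code are not on the page.

```python
"""Decide whether cached SAML IdP metadata should be refreshed before validUntil expires."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REFRESH_WINDOW = timedelta(days=182)  # assumed approximation of "< 6 months away"


def parse_valid_until(metadata_xml: str):
    """Return the root md:EntityDescriptor's validUntil as an aware datetime, or None if absent."""
    root = ET.fromstring(metadata_xml)  # prefer defusedxml if the metadata source is untrusted
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    raw = root.get("validUntil")
    if raw is None:
        return None  # no validUntil means the metadata never expires
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # xs:dateTime may omit a zone; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def needs_refresh(metadata_xml: str, now: datetime, window: timedelta = REFRESH_WINDOW) -> bool:
    """True when validUntil is present and already past or closer than `window`."""
    valid_until = parse_valid_until(metadata_xml)
    return valid_until is not None and valid_until - now < window


def refresh_if_needed(cached_xml: str, now: datetime, fetch, persist,
                      window: timedelta = REFRESH_WINDOW) -> bool:
    """Run during loginSAML after the cached metadata is parsed.

    fetch() returns the text served at the configured metadataURL and persist(xml) writes it
    to the DB (both hypothetical, injected so this runs offline). Returns True if new metadata
    was persisted. A failed or useless fetch leaves the cached copy in place, so a transient
    IdP outage does not break logins while the cached metadata is still valid.
    """
    if not needs_refresh(cached_xml, now, window):
        return False
    try:
        fresh = fetch()
        new_until = parse_valid_until(fresh)  # validates that the fetched document parses
    except (OSError, ET.ParseError, ValueError):
        return False
    old_until = parse_valid_until(cached_xml)
    if new_until is not None and new_until <= old_until:
        return False  # the IdP still serves the same (or older) document; nothing gained
    persist(fresh)
    return True
```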