matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

SAML: sp_config doesn't refresh IDP metadata #9598

Status: Closed (localguru closed this issue 3 years ago)

localguru commented 3 years ago

Description

If SAML is configured with a remote metadata URL, the IDP's metadata is only fetched at startup of Synapse. If the IDP changes its certificate, SAML login is broken on the SP (Synapse).

Steps to reproduce

If you are seeing this page after clicking a link sent to you via email, make sure you only click the confirmation link once, and that you open the validation link in the same client you're logging in from.

Try logging in again from your Matrix client and if the problem persists please contact the server's administrator.

Error: invalid_response


I am not sure whether to classify this as a bug or a feature request. But it should be possible for the SP to query the metadata of the IDP at regular intervals and renew it if necessary.

Version information

Synapse 1.25, Ubuntu 18.04 LTS, debian packages from matrix.org
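
The refresh behaviour the report asks for, written out as an added example in Python. This is not Synapse's or pysaml2's code: it assumes two constructed metadata documents with placeholder certificate strings (not real X.509 data), an injectable `fetch` callable standing in for the HTTP GET of the remote metadata URL, and an injectable clock so the expiry path runs offline. The cache honours the metadata's `cacheDuration`, and on an assertion signed by an unknown key it re-fetches once and retries, rate-limited so a client posting junk signatures cannot drive the SP into a fetch loop against the IDP.

```python
"""Periodic IdP metadata refresh for a SAML SP (added example, not Synapse code)."""
import re
import time
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata with placeholder certificate strings (not real
# X.509 data): version 1 is what the IdP publishes when the SP starts, version 2
# is the same document after the IdP has rotated its signing key.
IDP_ENTITY_ID = "https://idp.example.org/saml"
IDP_METADATA_V1 = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="{IDP_ENTITY_ID}" cacheDuration="PT1H">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...OLD</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""
IDP_METADATA_V2 = IDP_METADATA_V1.replace("MIIC...OLD", "MIIC...NEW")


def parse_cache_duration(value: Optional[str], default: float) -> float:
    """Seconds from an xs:duration, limited to the PT#H#M#S forms IdPs commonly emit."""
    if not value:
        return default
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?", value)
    if not m or not any(m.groups()):
        return default
    hours, minutes, seconds = (float(g) if g else 0.0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def signing_certs(metadata_xml: str) -> Dict[str, List[str]]:
    """Map entityID -> base64 signing certificates for every IdP in the document."""
    root = ET.fromstring(metadata_xml)
    out: Dict[str, List[str]] = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        certs: List[str] = []
        for kd in ed.iterfind(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}KeyDescriptor"):
            if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
                continue
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                certs.append("".join((c.text or "").split()))
        out[ed.get("entityID", "")] = certs
    return out


class IdpMetadataCache:
    """Cache remote IdP metadata, re-fetching on expiry or on an unknown signer."""

    def __init__(self, fetch: Callable[[], str], default_ttl: float = 3600.0,
                 min_interval: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._default_ttl, self._min_interval = default_ttl, min_interval
        self._certs: Dict[str, List[str]] = {}
        self._expires_at = float("-inf")
        self._last_refresh = float("-inf")
        self.refreshes = 0  # number of metadata fetches so far

    def refresh(self) -> None:
        xml = self._fetch()
        self._certs = signing_certs(xml)
        ttl = parse_cache_duration(ET.fromstring(xml).get("cacheDuration"), self._default_ttl)
        self._last_refresh = self._clock()
        self._expires_at = self._last_refresh + ttl
        self.refreshes += 1

    def certs_for(self, entity_id: str) -> List[str]:
        if self._clock() >= self._expires_at:  # cacheDuration elapsed: refresh on read
            self.refresh()
        return self._certs.get(entity_id, [])

    def is_trusted_signer(self, entity_id: str, cert: str) -> bool:
        """Unknown signer: refresh once and retry, so a key rotation costs one extra
        fetch instead of failing every login until restart. The forced refresh is
        rate-limited, or a bogus signature per request would hammer the IdP."""
        if cert in self.certs_for(entity_id):
            return True
        if self._clock() - self._last_refresh < self._min_interval:
            return False
        self.refresh()
        return cert in self.certs_for(entity_id)


def demo() -> Dict[str, object]:
    """Start-up fetch, IdP key rotation, then cacheDuration expiry (constructed timeline)."""
    published = {"xml": IDP_METADATA_V1}
    now = {"t": 0.0}
    cache = IdpMetadataCache(lambda: published["xml"], clock=lambda: now["t"])
    cache.refresh()  # the one fetch the report says Synapse does, at start-up
    results: Dict[str, object] = {"startup_old_ok": cache.is_trusted_signer(IDP_ENTITY_ID, "MIIC...OLD")}
    published["xml"] = IDP_METADATA_V2  # IdP rotates its signing certificate
    now["t"] = 120.0
    results["rotated_new_ok"] = cache.is_trusted_signer(IDP_ENTITY_ID, "MIIC...NEW")
    results["rotated_old_rejected"] = not cache.is_trusted_signer(IDP_ENTITY_ID, "MIIC...OLD")
    results["refreshes_after_rotation"] = cache.refreshes
    now["t"] = 4000.0  # past the PT1H cacheDuration measured from the last fetch
    cache.certs_for(IDP_ENTITY_ID)
    results["refreshes_after_expiry"] = cache.refreshes
    return results
```

The cache only answers whether a presented certificate is a currently published signing key; verifying the XML signature itself against that certificate is a separate step and is not shown here. Keeping the old certificate out of the trusted set immediately after a refresh is deliberate: once the IDP has dropped a key from its metadata, assertions signed with it should fail.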

clokep commented 3 years ago

Would using mdq instead of remote work? (From the pysaml docs: https://pysaml2.readthedocs.io/en/latest/howto/config.html#metadata) I'm not sure what the difference is unfortunately.

richvdh commented 3 years ago

closing this pending the requested info.