Page tree
Skip to end of metadata
Go to start of metadata

The metadata location and key can be updated without much effort on most platforms. Extensive SAML tutorials are found on this page. They have been updated with the new information. On this page we will highlight the most essential changes you need to make. Refer to the SAML tutorials for an in depth description how to configure your service.


There are several ways to configure SimpleSAMLphp metadata. They all boil down to changing the contents of saml20-idp-remote.php in the metadata directory.

The configuration of SURFconext (as an IdP to this SP) needs to be updated in metadata/saml20-idp-remote.php. Note that the entityID of SURFconext as an IdP remains the same; the SingleSignOnService-location will change and the certificate file contains the new key:

$metadata[''] = array (
  'SingleSignOnService' => '',
  'certificate'         => '',

If you generated the contents of this file with the "XML to SimpleSAML metadata converter" that can be found in SimpleSAMLphp's web interface, you can supply the contents of the new URL there and the output can be put in saml20-idp-remote.php. Note that you remove any added 'expires" settings that the converter adds.

If you use the metarefresh module, simply update its configuration to fetch metadata from the new URL.

For more details, read My First SP - PHP.
Also useful, while you're at it: Securing your simpleSAMLphp setup.


In /etc/shibboleth/shibboleth2.xml, find the MetadataProvider section.

Change it to look like this:

<MetadataProvider type="XML"
    <MetadataFilter type="Signature" certificate="SURFconext-metadata-signer.pem"/>

Where surfconext-metadata.pem contains the metadata signing certificate you can find at

Remove any "type="RequireValidUntil" MetadataFilters (or if you really want them, ensure they're set to at least two weeks).

Reload Shibboleth. You can verify from the logs that it downloads and loads the new metadata.

For more details, read My First SP - Shibboleth.

  • No labels