The metadata location and key can be updated without much effort on most platforms. Extensive SAML tutorials are found on this page. They have been updated with the new information. On this page we will highlight the most essential changes you need to make. Refer to the SAML tutorials for an in-depth description of how to configure your service.
There are several ways to configure SimpleSAMLphp metadata. They all boil down to changing the contents of saml20-idp-remote.php in the metadata directory.
The configuration of SURFconext (as an IdP to this SP) needs to be updated in metadata/saml20-idp-remote.php. Note that the entityID of SURFconext as an IdP remains the same; the SingleSignOnService location changes and the certificate file contains the new key:
If you generated the contents of this file with the "XML to SimpleSAML metadata converter" that can be found in SimpleSAMLphp's web interface, you can supply the contents of the new URL there and put the output in saml20-idp-remote.php. Note that you should remove any "expires" settings that the converter adds.
If you use the metarefresh module, simply update its configuration to fetch metadata from the new URL.
In /etc/shibboleth/shibboleth2.xml, find the
Change it to look like this:
surfconext-metadata.pem contains the metadata signing certificate you can find at https://metadata.surfconext.nl/.
Remove any MetadataFilter elements with type="RequireValidUntil" (or, if you really want them, ensure they are set to at least two weeks).
Reload Shibboleth. You can verify from the logs that it downloads and loads the new metadata.
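As an added example (not from the SURFconext documentation or the Shibboleth project), here is a MetadataProvider element for shibboleth2.xml that fetches the new metadata, verifies its signature against surfconext-metadata.pem, and keeps a RequireValidUntil filter at the two-week minimum; the metadata URL and backing file path are placeholders you must replace with the values for your deployment.

```xml
<!-- Added example, not part of the original page. Replace the placeholder
     URL and backing file path with the values for your deployment. -->
<MetadataProvider type="XML" validate="true"
                  url="https://METADATA-URL-PLACEHOLDER/"
                  backingFilePath="surfconext-metadata.xml"
                  maxRefreshDelay="7200">
    <!-- Verify the signature of the downloaded metadata against the
         SURFconext metadata signing certificate (surfconext-metadata.pem,
         placed in the Shibboleth configuration directory). Without this
         filter, any content served at the URL would be trusted. -->
    <MetadataFilter type="Signature" certificate="surfconext-metadata.pem"
                    verifyBackup="false"/>
    <!-- Optional: reject metadata whose validUntil lies further away than
         two weeks (1209600 seconds). A shorter interval will reject the
         SURFconext metadata; omit this filter entirely if you do not need it. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
</MetadataProvider>
```

After reloading, the shibd log should show the metadata being downloaded and the signature filter passing; a signature failure there means the wrong certificate file is referenced.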
For more details, read My First SP - Shibboleth.