Context
IdP metadata (and especially signing certificates) rotate over time. Today ex_saml loads metadata statically; there is no runtime mechanism to refresh it, to warn before a trusted certificate expires, or to control how a newly observed signing certificate becomes trusted.
Goal
Optional, opt-in runtime metadata lifecycle management: scheduled refresh, certificate-expiry monitoring, and controlled trust promotion.
Proposed scope
- Scheduled refresh of remote IdP metadata with backoff on failure and a failure classifier (transient vs permanent), emitting telemetry on each outcome.
- Certificate expiry monitoring — emit a warning/telemetry event when a trusted signing/encryption cert is within a configurable window of expiry.
- Drift detection — detect when refreshed metadata differs from the loaded copy (new endpoints, new certs).
- Trust-anchor staging — a newly observed signing certificate is staged and surfaced for review rather than silently promoted to trusted, closing a silent key-rotation trust gap.
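As an added illustration, not ex_saml code and not part of this issue, the following Elixir module sketches how the four items above fit together in one refresh cycle: a transient/permanent failure classifier with capped exponential backoff, an expiry check against a configurable window, drift detection between the loaded and refreshed copies, and a staging list that only an explicit promote/2 call moves into the trusted set. All names (MetadataLifecycleExample, new_state/2, refresh_cycle/3, the event tuples) are assumptions, and certificates are constructed maps with a fingerprint and a not_after instead of parsed X.509.

```elixir
defmodule MetadataLifecycleExample do
  @moduledoc """
  Added example (not ex_saml code) modelling the proposed lifecycle:
  failure classification with backoff, expiry monitoring, drift detection
  and trust-anchor staging. Certificates are constructed maps
  %{fingerprint: binary, not_after: DateTime.t()} rather than parsed X.509.
  """

  # Fresh state around an already loaded (static) metadata copy.
  # Only certs present at load time start out trusted.
  def new_state(metadata, expiry_window_days \\ 30) do
    %{metadata: metadata, trusted: metadata.certs, staged: [],
      attempt: 0, expiry_window_days: expiry_window_days}
  end

  # --- Failure classifier: transient errors are retried with backoff,
  # permanent ones are surfaced (misconfiguration, removed metadata URL).
  def classify_failure({:error, reason}) when reason in [:timeout, :econnrefused, :nxdomain], do: :transient
  def classify_failure({:error, {:http, status}}) when status >= 500, do: :transient
  def classify_failure({:error, {:http, status}}) when status in [401, 403, 404, 410], do: :permanent
  def classify_failure({:error, :invalid_xml}), do: :permanent
  def classify_failure({:error, _}), do: :transient

  # Exponential backoff in milliseconds, capped at five minutes.
  def backoff_ms(attempt, base \\ 1_000, cap \\ 300_000),
    do: min(base * Integer.pow(2, attempt), cap)

  # --- Expiry monitoring: certs whose not_after falls inside the window.
  def expiring_certs(certs, now, window_days) do
    limit = DateTime.add(now, window_days * 86_400, :second)
    Enum.filter(certs, &(DateTime.compare(&1.not_after, limit) != :gt))
  end

  # --- Drift detection between the loaded copy and a refreshed copy.
  def drift(loaded, refreshed) do
    loaded_fps = MapSet.new(loaded.certs, & &1.fingerprint)
    refreshed_fps = MapSet.new(refreshed.certs, & &1.fingerprint)
    %{
      new_certs: Enum.reject(refreshed.certs, &MapSet.member?(loaded_fps, &1.fingerprint)),
      removed_certs: Enum.reject(loaded.certs, &MapSet.member?(refreshed_fps, &1.fingerprint)),
      endpoint_changes:
        for {k, v} <- refreshed.endpoints, Map.get(loaded.endpoints, k) != v,
            do: {k, Map.get(loaded.endpoints, k), v}
    }
  end

  def drifted?(d), do: d.new_certs != [] or d.removed_certs != [] or d.endpoint_changes != []

  # --- Trust-anchor staging: new certs wait for an explicit promote/2.
  def stage(state, new_certs) do
    known = MapSet.new(state.trusted ++ state.staged, & &1.fingerprint)
    fresh = Enum.reject(new_certs, &MapSet.member?(known, &1.fingerprint))
    %{state | staged: fresh ++ state.staged}
  end

  def promote(state, fingerprint) do
    case Enum.split_with(state.staged, &(&1.fingerprint == fingerprint)) do
      {[cert], rest} -> {:ok, %{state | staged: rest, trusted: [cert | state.trusted]}}
      {[], _} -> {:error, :not_staged}
    end
  end

  # --- One scheduled refresh cycle: returns the new state plus telemetry-style
  # events the caller would emit. The refreshed copy replaces `metadata`
  # (endpoints), but the `trusted` anchors only change through promote/2.
  def refresh_cycle(state, {:ok, refreshed}, now) do
    d = drift(state.metadata, refreshed)
    state = stage(state, d.new_certs)
    state = %{state | metadata: refreshed, attempt: 0}
    expiring = expiring_certs(state.trusted, now, state.expiry_window_days)
    events =
      [:metadata_refreshed] ++
        if(drifted?(d), do: [{:drift_detected, d}], else: []) ++
        Enum.map(expiring, &{:cert_expiring, &1.fingerprint, &1.not_after})
    {state, events}
  end

  def refresh_cycle(state, {:error, _} = err, _now) do
    case classify_failure(err) do
      :transient ->
        attempt = state.attempt + 1
        {%{state | attempt: attempt}, [{:refresh_failed, :transient, err, backoff_ms(attempt)}]}
      :permanent ->
        {state, [{:refresh_failed, :permanent, err}]}
    end
  end

  # Constructed walk-through: the IdP publishes a rotated signing cert while
  # the currently trusted one is 19 days from expiry.
  def demo do
    now = ~U[2025-01-01 00:00:00Z]
    old = %{fingerprint: "sha256:old", not_after: ~U[2025-01-20 00:00:00Z]}
    new = %{fingerprint: "sha256:new", not_after: ~U[2027-01-01 00:00:00Z]}
    loaded = %{certs: [old], endpoints: %{sso: "https://idp.example/sso"}}
    refreshed = %{certs: [old, new], endpoints: %{sso: "https://idp.example/sso"}}

    {state, events} = refresh_cycle(new_state(loaded), {:ok, refreshed}, now)
    # events: :metadata_refreshed, {:drift_detected, ...}, {:cert_expiring, "sha256:old", ...}
    # state.trusted is still [old]; "sha256:new" sits in state.staged until reviewed.
    {:ok, state} = promote(state, "sha256:new")
    {state, events}
  end
end
```

The point of keeping `trusted` separate from `metadata` is that a refresh can update endpoints and surface a new certificate without that certificate ever being used to validate a signature until someone calls promote/2; until then the drift event is the review prompt. The failure branch leaves `trusted` and `metadata` untouched, so a transient outage of the metadata URL cannot degrade an already working trust configuration.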
Why
- Prevents the classic "SSO broke overnight because the IdP rotated its cert" outage.
- Staging makes certificate rotation a reviewed event instead of automatic trust extension.
Notes
- Entirely opt-in; the default static-load path is unchanged.
- Depends on the telemetry layer for surfacing events.
- Heavier than the other items — likely a multi-PR effort; filing to track the direction.
Relates to #17.