
✨ Feature / Runtime metadata lifecycle — refresh, expiry monitoring, trust staging #45

Description

@docJerem

Context

IdP metadata (and especially signing certificates) rotate over time. Today ex_saml loads metadata statically; there is no runtime mechanism to refresh it, to warn before a trusted certificate expires, or to control how a newly observed signing certificate becomes trusted.

Goal

Optional, opt-in runtime metadata lifecycle management: scheduled refresh, certificate-expiry monitoring, and controlled trust promotion.

Proposed scope

  • Scheduled refresh of remote IdP metadata with backoff on failure and a failure classifier (transient vs permanent), emitting telemetry on each outcome.
  • Certificate expiry monitoring — emit a warning/telemetry event when a trusted signing/encryption cert is within a configurable window of expiry.
  • Drift detection — detect when refreshed metadata differs from the loaded copy (new endpoints, new certs).
  • Trust-anchor staging — a newly observed signing certificate is staged and surfaced for review rather than silently promoted to trusted, closing a silent key-rotation trust gap.

Why

  • Prevents the classic "SSO broke overnight because the IdP rotated its cert" outage.
  • Staging makes certificate rotation a reviewed event instead of automatic trust extension.

Notes

  • Entirely opt-in; the default static-load path is unchanged.
  • Depends on the telemetry layer for surfacing events.
  • Heavier than the other items — likely a multi-PR effort; filing to track the direction.

Relates to #17.
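As an added illustration of the rules proposed above (not ex_saml's code; the class and function names, the status-code split and the sample fingerprints are assumptions), a Python sketch of drift detection, expiry monitoring, failure classification and staged trust promotion:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    fingerprint: str   # e.g. SHA-256 of the DER certificate (values below are constructed)
    not_after: datetime

@dataclass
class Metadata:
    sso_urls: frozenset
    signing_certs: dict  # fingerprint -> Cert

@dataclass
class TrustStore:
    trusted: dict = field(default_factory=dict)  # certs assertion signatures may be checked against
    staged: dict = field(default_factory=dict)   # seen in refreshed metadata, awaiting review
    def observe(self, md: Metadata) -> list:
        """Stage every cert not already trusted or staged; nothing is promoted here."""
        new = [fp for fp in md.signing_certs if fp not in self.trusted and fp not in self.staged]
        self.staged.update((fp, md.signing_certs[fp]) for fp in new)
        return sorted(new)
    def promote(self, fp: str) -> None:
        """The explicit review step: the only place trust is extended."""
        self.trusted[fp] = self.staged.pop(fp)
    def expiring(self, now: datetime, window_days: int) -> list:
        """Trusted certs whose notAfter lies inside the warning window (input for telemetry)."""
        return sorted(fp for fp, c in self.trusted.items() if c.not_after - now <= timedelta(days=window_days))

def detect_drift(loaded: Metadata, refreshed: Metadata) -> dict:
    """What a fresh fetch adds relative to the loaded copy."""
    return {"new_endpoints": sorted(refreshed.sso_urls - loaded.sso_urls),
            "new_certs": sorted(set(refreshed.signing_certs) - set(loaded.signing_certs))}

def classify_failure(status=None, exc=None) -> str:
    """Transient failures are retried with backoff; permanent ones are surfaced instead."""
    if isinstance(exc, (TimeoutError, ConnectionError)) or status == 429 or (status or 0) >= 500:
        return "transient"
    return "permanent"  # other 4xx, unparseable XML, bad signature on the metadata document itself

def backoff_seconds(attempt: int, base: int = 30, cap: int = 3600) -> int:
    return min(cap, base * 2 ** attempt)  # exponential backoff with a ceiling during long IdP outages

# Constructed sample: the IdP added a second SSO endpoint and began publishing a new signing cert.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
OLD_CERT = Cert("sha256:old", datetime(2025, 1, 20, tzinfo=timezone.utc))
NEW_CERT = Cert("sha256:new", datetime(2026, 6, 1, tzinfo=timezone.utc))
LOADED = Metadata(frozenset({"https://idp.example/sso"}), {OLD_CERT.fingerprint: OLD_CERT})
REFRESHED = Metadata(frozenset({"https://idp.example/sso", "https://idp.example/sso2"}),
                     {OLD_CERT.fingerprint: OLD_CERT, NEW_CERT.fingerprint: NEW_CERT})
```

A signature verifier that consults only `trusted` cannot be satisfied by a certificate that is merely staged, which is the silent key-rotation gap the staging item closes.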
