A RelyingPartyRegistration that was initialized by using a metadata URL should periodically poll the metadata URL to retrieve any new metadata updates that have been published by the IDP.

Currently, the builder "fromMetadataLocation" makes a single call to retrieve the metadata information and loads the relying party. There are no subsequent calls to periodically refresh it.

Why is this needed? Metadata is usually only valid for a set duration of time. Metadata can be marked with a "validUntil" attribute where the metadata will expire. With long lived applications that load the relying party once at app startup, it is possible for the metadata to become stale for the IDPs as they publish new metadata but the SAML library does not refresh that data. This will obviously lead to the service provider rejecting valid assertions as a certificate mismatch will occur.

There are examples of this mechanism in place in the previous Spring SAML extension library.

Comment From: jzheaux

Thanks for reaching out @vince-recupito. Please take a look at https://github.com/spring-projects/spring-security/issues/9134 as this ticket appears to duplicate that one.

Comment From: vince-recupito

Thanks @jzheaux. Sounds like the advice on that other thread is to create a custom implementation to achieve this. I'll give that a shot.
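The custom implementation the thread settles on can be sketched as a `RelyingPartyRegistrationRepository` that re-fetches the IdP metadata on a schedule and swaps in the new registration atomically, so a rotated IdP signing certificate is picked up before the cached copy goes stale. The following is an added example, not code from Spring Security or from either commenter; it assumes the Spring Security 5.4+ `RelyingPartyRegistrations.fromMetadataLocation` API, and the registration id, metadata URL and refresh interval are constructed placeholders.

```java
// Added example (not Spring Security's own code): a repository that periodically
// re-loads IdP metadata so the cached RelyingPartyRegistration does not outlive
// the certificates published by the IdP.
import java.time.Duration;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

public class RefreshingRelyingPartyRegistrationRepository implements RelyingPartyRegistrationRepository {

    private final String registrationId;
    private final String metadataLocation; // assumption: an HTTPS metadata URL published by the IdP
    private final AtomicReference<RelyingPartyRegistration> current = new AtomicReference<>();
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(r -> {
        Thread t = new Thread(r, "saml2-metadata-refresh");
        t.setDaemon(true); // do not keep the JVM alive just for the refresh loop
        return t;
    });

    public RefreshingRelyingPartyRegistrationRepository(String registrationId,
                                                         String metadataLocation,
                                                         Duration refreshInterval) {
        this.registrationId = registrationId;
        this.metadataLocation = metadataLocation;
        // Load eagerly so startup fails loudly if the IdP metadata cannot be fetched at all.
        this.current.set(load());
        long seconds = refreshInterval.toSeconds();
        this.scheduler.scheduleAtFixedRate(this::refresh, seconds, seconds, TimeUnit.SECONDS);
    }

    // Single fetch, exactly what fromMetadataLocation does once today; here it is repeated on a timer.
    private RelyingPartyRegistration load() {
        return RelyingPartyRegistrations.fromMetadataLocation(this.metadataLocation)
                .registrationId(this.registrationId)
                .build();
    }

    private void refresh() {
        try {
            // Atomic swap: requests already in flight finish with the old registration,
            // new requests see the refreshed certificates immediately.
            this.current.set(load());
        } catch (RuntimeException ex) {
            // A transient IdP outage must not wipe the repository; keep the last known-good
            // copy and surface the failure so it is noticed before that copy expires.
            System.err.println("SAML metadata refresh failed, keeping previous copy: " + ex.getMessage());
        }
    }

    @Override
    public RelyingPartyRegistration findByRegistrationId(String registrationId) {
        return this.registrationId.equals(registrationId) ? this.current.get() : null;
    }

    public void shutdown() {
        this.scheduler.shutdownNow();
    }

    // Constructed wiring for illustration; in an application this would be a @Bean.
    public static RelyingPartyRegistrationRepository example() {
        return new RefreshingRelyingPartyRegistrationRepository(
                "example-idp",                                   // placeholder registration id
                "https://idp.example.test/metadata.xml",         // placeholder metadata URL
                Duration.ofHours(1));                            // placeholder refresh interval
    }
}
```

The interval is fixed rather than derived from the metadata's `validUntil`, because the builder API used here does not expose that attribute; choose an interval comfortably shorter than the validity period your IdP publishes. Keeping the previous registration on a failed refresh is a deliberate choice: it trades a window of possibly stale certificates for not rejecting every assertion during an IdP outage, so the logged failure should feed monitoring.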