[PR #5914] Fix: Remove validUntil attribute from SAML SP Metadata #6595

Open
opened 2026-02-05 10:36:21 +03:00 by OVERLORD · 0 comments

📋 Pull Request Information

Original PR: https://github.com/BookStackApp/BookStack/pull/5914
Author: @jdede
Created: 11/24/2025
Status: 🔄 Open

Base: development ← Head: fix-ignoreValidUntil


📝 Commits (1)

  • 5967638 set ignoreValidUntil to true

📊 Changes

1 file changed (+1 addition, -1 deletion)


📝 app/Access/Saml2Service.php (+1 -1)

📄 Description

This PR disables the validUntil attribute in the generated SAML Service Provider (SP) metadata.

Why this is needed

Currently, the underlying php-saml library hardcodes the metadata validity (TIME_VALID) to 2 days and caching (TIME_CACHED) to 1 week (Source: Metadata.php, https://github.com/SAML-Toolkits/php-saml/tree/master/lib/Saml2/Metadata.php).

In many real-world scenarios, specifically with Identity Providers like Shibboleth, these default windows are too short. This causes the IdP to deny connections or require manual metadata refreshes once the hardcoded time passes.

The getSPMetadata function in Settings.php (https://github.com/SAML-Toolkits/php-saml/blob/master/lib/Saml2/Settings.php) allows for an $ignoreValidUntil parameter.

  • I have updated the getSPMetadata call to set $ignoreValidUntil to true.
  • This removes the validUntil timestamp from the XML generated at <URL>/saml2/metadata, preventing arbitrary expiration issues.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
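As an added example (not code from this PR, from BookStack or from php-saml), the following Python check shows what an IdP sees in the SP metadata before and after this change: with the hardcoded validUntil the document is rejected once the window passes, and without it only cacheDuration remains to drive refresh. The two sample documents, the entityID and the timestamps are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample in the shape of php-saml output, with its default
# 2-day validUntil and 1-week cacheDuration (entityID and dates are made up).
SP_WITH_VALID_UNTIL = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    validUntil="2025-11-26T10:00:00Z" cacheDuration="PT604800S"
    entityID="https://wiki.example.test/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed sample: the same document once validUntil is no longer emitted.
SP_WITHOUT_VALID_UNTIL = SP_WITH_VALID_UNTIL.replace('validUntil="2025-11-26T10:00:00Z" ', "")


def parse_xs_duration(value: str) -> int:
    """Convert an xs:duration such as PT604800S or P1W to seconds (W/D/H/M/S parts only)."""
    m = re.fullmatch(r"P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported xs:duration: {value}")
    w, d, h, mi, s = (int(x or 0) for x in m.groups())
    return (((w * 7 + d) * 24 + h) * 60 + mi) * 60 + s


def inspect_sp_metadata(xml_text: str, now_utc: str) -> dict:
    """Report the validity window an IdP sees in this SP metadata at now_utc (YYYY-MM-DDTHH:MM:SSZ)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now = datetime.strptime(now_utc, fmt).replace(tzinfo=timezone.utc)
    report = {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "expired": False,
        "cache_seconds": None,
    }
    if report["valid_until"]:
        expiry = datetime.strptime(report["valid_until"], fmt).replace(tzinfo=timezone.utc)
        report["expired"] = now >= expiry  # an IdP must discard metadata past validUntil
    if root.get("cacheDuration"):
        report["cache_seconds"] = parse_xs_duration(root.get("cacheDuration"))
    return report


if __name__ == "__main__":
    for doc in (SP_WITH_VALID_UNTIL, SP_WITHOUT_VALID_UNTIL):
        print(inspect_sp_metadata(doc, "2025-11-27T10:00:00Z"))
```

Without validUntil the IdP has no hard expiry and relies on cacheDuration plus its own refresh policy, so the metadata endpoint has to stay current on the SP side.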

OVERLORD added the pull-request label 2026-02-05 10:36:21 +03:00

Reference: starred/BookStack#6595