Security (and everything related) has been on the increase over the last few years. In addition, many certificate providers only allow certificate renewals for 1 year vs. what used to be the common default of 3 years.
With the shortened life of certificates, we are required to update a service provider's metadata more often in order to obtain the new certificate.
A manual update of the certificate not only causes additional administrative overhead, but most often causes an outage of the application. Why? In many instances, the service provider is updating their certificate across their multiple server regions over an extended period of time (1-3 hrs). We (the IdP) can only refresh our server regions' metadata to determine when the new certificate is available. Depending on the criticality of the application, we would waste those few hours constantly checking for the new certificate in order to update our IdP as quickly as possible so there is little to no downtime.
What I'd like to see:
I'd like to see an option in NAM that automatically refreshes a service provider's metadata. This would not only free up the administrator's time by not having to constantly check when the service provider's certificate is updated, but would also minimize any downtime to the application.
Obviously, the only way I can see this being done is if you have the SP's metadata URL. This way, NAM can "hit" the URL and get the updated changes (e.g. the new certificate). In order to minimize network traffic and avoid having NAM constantly hitting SP metadata URLs, it would be nice to have an enable/disable option for automatic metadata updates. By default, the option would be disabled, but when we are notified that an SP's certificate will be changing on a given date, we can enable the auto-updates for a limited time for that given SP.
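As an added illustration of the check such an auto-refresh would perform (this is example code written for this page, not part of the request above and not NAM's own code), the Python script below fetches SP metadata, extracts the signing certificate(s) from the SPSSODescriptor KeyDescriptor elements, and compares their SHA-256 fingerprints against the ones currently trusted. The entityID, URLs and certificate bytes are constructed placeholders, and `watch()` is a hypothetical polling loop, not a NAM feature.

```python
"""Detect a SAML 2.0 service provider's signing-certificate rotation by
polling its metadata URL and diffing certificate fingerprints.
Added example; standard library only."""
import base64
import hashlib
import time
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (hex)."""
    return hashlib.sha256(der).hexdigest()


def extract_certs(metadata_xml: str) -> dict:
    """Return {"signing": [fp, ...], "encryption": [fp, ...]} for every
    KeyDescriptor under the SPSSODescriptor. A KeyDescriptor without a
    'use' attribute is valid for both purposes, so it is listed under both."""
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # PEM bodies are often line-wrapped; strip all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                result[use].append(fingerprint(der))
    return result


def diff_certs(known: dict, current: dict) -> dict:
    """Per use, which fingerprints appeared and which disappeared."""
    out = {}
    for use in ("signing", "encryption"):
        old, new = set(known.get(use, [])), set(current.get(use, []))
        out[use] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return out


def rotation_detected(known: dict, current: dict) -> bool:
    """True when the set of signing certificates has changed at all."""
    d = diff_certs(known, current)["signing"]
    return bool(d["added"] or d["removed"])


def fetch_metadata(url: str, timeout: int = 10) -> str:
    """Download SP metadata. HTTPS is mandatory: this document is the trust
    anchor for the SP's signing key, so a plaintext fetch must be refused."""
    if not url.startswith("https://"):
        raise ValueError("refusing to load SP metadata over plaintext HTTP")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def watch(url: str, known: dict, interval_s: int, max_polls: int):
    """Hypothetical time-boxed poller: check the URL up to max_polls times and
    return the diff as soon as a signing-certificate change is seen."""
    for _ in range(max_polls):
        current = extract_certs(fetch_metadata(url))
        if rotation_detected(known, current):
            return diff_certs(known, current)
        time.sleep(interval_s)
    return None


# Constructed sample data (placeholder bytes, not real certificates).
OLD_CERT_B64 = base64.b64encode(b"placeholder DER bytes for the expiring certificate").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder DER bytes for the replacement certificate").decode()


def sample_metadata(*certs_b64: str) -> str:
    """Minimal constructed SP metadata carrying the given signing certs."""
    kds = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in certs_b64
    )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://sp.example.test/saml">'
        '<md:SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{kds}"
        '<md:AssertionConsumerService Binding='
        '"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://sp.example.test/saml/acs" index="0"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


if __name__ == "__main__":
    known = extract_certs(sample_metadata(OLD_CERT_B64))
    rollover = extract_certs(sample_metadata(OLD_CERT_B64, NEW_CERT_B64))
    print(diff_certs(known, rollover))
```

During a rollover many SPs publish both the old and the new certificate for a while; the diff then shows an entry under "added" with nothing under "removed", which is the point at which the new certificate can be loaded alongside the old one. Note the trust consequence of any auto-refresh: whoever controls the metadata URL controls which key the IdP accepts signatures from, so the fetch must use HTTPS and, where the SP signs its metadata, the XML signature should be verified before the new certificate is trusted (not shown above).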