...
The importance of a secure, automated metadata refresh process cannot be overemphasized. All participants are strongly encouraged to configure their software to refresh and verify metadata at least daily. A better process attempts a refresh every hour but short-circuits the download whenever the file on the server has not changed. This is done with a technique called HTTP Conditional GET: the client sends the ETag or Last-Modified value it saved from the previous fetch (in the If-None-Match or If-Modified-Since request header), and the server answers 304 Not Modified instead of resending the file. Every file that is actually downloaded must still have its signature verified before it replaces the copy already in use.
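The refresh loop described above, as an added example that is not part of the original page or of any particular federation's software. It assumes a metadata URL and a local cache directory; the signature check is a placeholder (a real deployment validates the XML signature against the federation's signing certificate and checks validUntil), and the in-process HTTP server is a constructed stand-in for the federation metadata server so the example runs offline.

```python
import email.utils
import hashlib
import http.server
import json
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request


def verify_metadata(body):
    """Placeholder for the real check (assumption: a deployment validates the
    XML signature with the federation's cert and checks validUntil here)."""
    return body.startswith(b"<EntitiesDescriptor")


def refresh_metadata(url, cache_dir, verify=verify_metadata):
    """One refresh attempt. Returns 'unchanged', 'updated' or 'rejected'.

    The validators saved from the last successful fetch are sent back as
    If-None-Match / If-Modified-Since, so an hourly run normally costs one
    small request answered with 304 and no download.
    """
    os.makedirs(cache_dir, exist_ok=True)
    state_path = os.path.join(cache_dir, "state.json")
    data_path = os.path.join(cache_dir, "metadata.xml")
    state = {}
    if os.path.exists(state_path):
        with open(state_path) as f:
            state = json.load(f)
    req = urllib.request.Request(url)
    if "etag" in state:
        req.add_header("If-None-Match", state["etag"])
    if "last_modified" in state:
        req.add_header("If-Modified-Since", state["last_modified"])
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body, headers = resp.read(), resp.headers
    except urllib.error.HTTPError as err:
        if err.code == 304:
            return "unchanged"          # server copy unchanged; keep ours
        raise
    if not verify(body):
        return "rejected"               # never replace good metadata with bad
    tmp = data_path + ".tmp"            # write atomically so a reader never
    with open(tmp, "wb") as f:          # sees a half-written file
        f.write(body)
    os.replace(tmp, data_path)
    new_state = {k: headers[h] for k, h in (("etag", "ETag"),
                 ("last_modified", "Last-Modified")) if headers.get(h)}
    with open(state_path, "w") as f:
        json.dump(new_state, f)
    return "updated"


class MetadataHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a federation metadata server."""
    document = b""
    etag = '""'
    last_modified = email.utils.formatdate(usegmt=True)

    @classmethod
    def publish(cls, doc):
        cls.document = doc
        cls.etag = '"%s"' % hashlib.sha256(doc).hexdigest()[:16]
        cls.last_modified = email.utils.formatdate(usegmt=True)

    def do_GET(self):
        inm = self.headers.get("If-None-Match")
        ims = self.headers.get("If-Modified-Since")
        if inm is not None:             # RFC 7232: the ETag check wins
            unchanged = inm == self.etag
        elif ims is not None:
            unchanged = (email.utils.parsedate_to_datetime(ims)
                         >= email.utils.parsedate_to_datetime(self.last_modified))
        else:
            unchanged = False
        if unchanged:
            self.send_response(304)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/samlmetadata+xml")
        self.send_header("ETag", self.etag)
        self.send_header("Last-Modified", self.last_modified)
        self.send_header("Content-Length", str(len(self.document)))
        self.end_headers()
        self.wfile.write(self.document)

    def log_message(self, *args):       # keep the demo quiet
        pass


def demo():
    """Four refreshes against the local server: first fetch, a 304 short
    circuit, a real update, then a bad body (constructed) that must be
    rejected while the last good copy stays in place."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), MetadataHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/metadata.xml" % srv.server_address[1]
    cache = tempfile.mkdtemp()
    try:
        MetadataHandler.publish(b"<EntitiesDescriptor>v1</EntitiesDescriptor>")
        results = [refresh_metadata(url, cache), refresh_metadata(url, cache)]
        MetadataHandler.publish(b"<EntitiesDescriptor>v2</EntitiesDescriptor>")
        results.append(refresh_metadata(url, cache))
        MetadataHandler.publish(b"<html>captive portal</html>")
        results.append(refresh_metadata(url, cache))
        with open(os.path.join(cache, "metadata.xml"), "rb") as f:
            kept = f.read()
        return results, kept
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(cache)


if __name__ == "__main__":
    print(demo())
```

Run from cron once an hour; the 304 path is the common case, and the "rejected" path is what protects you when a proxy, captive portal or compromised host hands back something other than signed federation metadata.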
Key Generation
A secure web server protects its resources with TLS. To obtain a trusted TLS certificate, an administrator first generates a private TLS key and then submits a Certificate Signing Request (CSR), which carries the corresponding public key, to a trusted CA. The private key must be generated securely and kept safe for the entirety of its lifetime.
A SAML IdP is a secure web server that issues SAML assertions to SPs upon request. Assertions are signed by the IdP for authenticity and integrity. The IdP administrator generates a private signing key for this purpose. Like the TLS key, the signing key must be generated securely and kept safe indefinitely. A compromised IdP signing key is the absolute worst thing that can happen in a federated context: whoever holds it can forge assertions for any user to every SP that trusts the IdP.
Develop a strategy for securing your private keys before you generate them. Avoid moving them around by generating the private keys on the IdP host in the first place, and make the key files readable only by the account the IdP software runs as. Strictly control access to the IdP system. Keep the IdP software and the underlying operating system software patched and up to date.
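The key-generation strategy above, as an added example that is not part of the original page or of any IdP product's own tooling. It assumes the openssl command-line tool is on the PATH of the IdP host and that the script is run there, so the private key is created in place and never copied; the directory, common name and key size are illustrative choices.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile


def run_openssl(*args):
    """Run one openssl subcommand and return its stdout as bytes."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True).stdout


def generate_signing_credential(cred_dir, cn, bits=3072, days=3650):
    """Create the IdP signing key and a self-signed certificate in cred_dir.

    The key is generated on this host and never leaves it. The umask makes
    openssl create both files mode 0600, and an existing key is never
    overwritten: rotating a signing key is a deliberate, coordinated change.
    """
    os.makedirs(cred_dir, mode=0o700, exist_ok=True)
    key_path = os.path.join(cred_dir, "idp-signing.key")
    crt_path = os.path.join(cred_dir, "idp-signing.crt")
    if os.path.exists(key_path):
        raise FileExistsError(f"refusing to overwrite {key_path}")
    old_umask = os.umask(0o077)
    try:
        run_openssl("genpkey", "-algorithm", "RSA",
                    "-pkeyopt", f"rsa_keygen_bits:{bits}", "-out", key_path)
        # Self-signed is the norm for SAML signing certs: trust comes from
        # the federation metadata, not from a CA chain.
        run_openssl("req", "-new", "-x509", "-key", key_path,
                    "-days", str(days), "-subj", f"/CN={cn}", "-out", crt_path)
    finally:
        os.umask(old_umask)
    os.chmod(key_path, 0o600)           # belt and braces
    return key_path, crt_path


def key_matches_cert(key_path, crt_path):
    """Confirm the certificate carries the public half of this private key."""
    pub_from_key = run_openssl("pkey", "-in", key_path, "-pubout")
    pub_from_crt = run_openssl("x509", "-in", crt_path, "-pubkey", "-noout")
    return pub_from_key == pub_from_crt


def cert_fingerprint(crt_path):
    """SHA-256 fingerprint of the DER certificate, the value you confirm
    out of band when registering the certificate with the federation."""
    der = run_openssl("x509", "-in", crt_path, "-outform", "DER")
    return hashlib.sha256(der).hexdigest()


def demo(bits=3072):
    """Generate into a temporary directory and report the checks."""
    cred_dir = tempfile.mkdtemp()
    try:
        key, crt = generate_signing_credential(cred_dir, "idp.example.org", bits)
        return {
            "key_mode": oct(os.stat(key).st_mode & 0o777),
            "matches": key_matches_cert(key, crt),
            "fingerprint_len": len(cert_fingerprint(crt)),
        }
    finally:
        shutil.rmtree(cred_dir)


if __name__ == "__main__":
    print(demo())
```

In production point cred_dir at the IdP's credentials directory and run the script as root or as the IdP service account; the permission check and the key/certificate match are the two things to confirm before the certificate is published in metadata.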
Important Considerations for New IdPs
...