We are pleased to announce a series of significant improvements to the way CLARIN Service Provider (SP) operators submit and maintain their SAML metadata. These changes make it easier to update X.509 certificates, correct metadata issues, and ensure that the information distributed to national identity federations remains accurate and compliant. The submission workflow is now faster, more transparent, and more intuitive.
These improvements are the result of a complete overhaul of the Continuous Integration (CI) system in the metadata repository. All CI operations have been migrated to GitHub Actions, enabling tighter integration with GitHub’s native features such as issues and pull requests (PRs). As a result, we can now automatically generate a full metadata assessment for each PR before any merge takes place, focusing exclusively on the SPs modified in that PR.
This allows SP operators to identify and resolve issues proactively, without waiting for manual intervention from repository maintainers.
What happens when you submit a pull request?
Whenever an operator opens a PR against the metadata repository, the CI system now performs three automated checks on the modified files. The results are posted directly as a comment on the PR:
- XML schema validation
- Certificate checks
  - Key size must be at least 3072 bits
  - Certificate validity must extend at least 45 days into the future
    (Note: for certificate rollovers we expect a validity period of at least 2 years)
- Automated Metadata Quality Assurance
  - Generated using the SAML Metadata QA Validator
This introduces certificate validation as a standard part of the workflow and removes the previous requirement to merge a PR before a QA assessment could be generated.
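The certificate rules listed above can be tried locally before opening a PR. The script below is an added example, not the repository's CI code: the function names are hypothetical, it needs the `openssl` CLI, it assumes RSA keys, and it takes "at least 2 years" to mean 730 days.

```sh
#!/bin/sh
# Added example, not CLARIN's CI code. Requires the openssl CLI.
MIN_BITS=3072      # minimum key size from the list above
MIN_DAYS=45        # minimum remaining validity from the list above
ROLLOVER_DAYS=730  # assumption: "at least 2 years" taken as 730 days

# Wrap the base64 body of a <ds:X509Certificate> element (stdin) as PEM.
b64_to_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    tr -d ' \t\r\n' | fold -w 64
    printf '\n%s\n' '-----END CERTIFICATE-----'
}

# check_cert PEMFILE [MIN_DAYS]
# Prints one line per violated rule; returns 1 if any rule fails.
# Assumption: RSA keys; other key types hit the same bit threshold.
check_cert() {
    pem=$1 days=${2:-$MIN_DAYS} rc=0
    bits=$(openssl x509 -in "$pem" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ]; then
        echo "FAIL: cannot parse certificate"; return 1
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: key size $bits < $MIN_BITS bits"; rc=1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "FAIL: expires in less than $days days"; rc=1
    fi
    return $rc
}

# Constructed sample input: a throwaway self-signed certificate.
# make_sample_cert BITS DAYS OUTFILE
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout /dev/null \
        -days "$2" -subj '/CN=sp.example.org' -out "$3" 2>/dev/null
}

# Demo: a 2048-bit key valid for 30 days violates both rules.
tmp=$(mktemp -d)
make_sample_cert 2048 30 "$tmp/weak.pem"
check_cert "$tmp/weak.pem" || echo "weak.pem rejected"
rm -rf "$tmp"
```

For a rollover certificate, pass the longer window as the second argument: `check_cert new.pem "$ROLLOVER_DAYS"`.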
Security considerations
Because the security of this repository is critical, particular care was taken to reduce exposure to supply‑chain risks and to secure any repository credentials. All repository secrets and GitHub tokens have been removed from third‑party CI platforms, and only extensively vetted, official GitHub Actions are used in the new workflows. This significantly reduces the attack surface associated with automated CI operations.
Automated certificate expiration monitoring
To complement the improved submission workflow, we have added an automated monitoring routine that checks certificate expiration dates across all SPs in the federation. When an X.509 certificate is within 45 days of expiring, an automated email notification is sent to the address listed in the SP’s technical contact field. Subsequently, three additional reminders are sent until the certificate is renewed or reaches its expiration date.
This ensures that certificate renewals are handled in a timely manner and reduces the risk of service disruption.
For more detailed information about the new submission workflow please visit the CLARIN SPF metadata repository:
We welcome your feedback on the new system and are confident that these improvements will streamline metadata maintenance for all SP operators.