...
We often receive questions regarding why schools cannot login to a FIDUS service such as the DNP verification tests, or why the school IdP does not show up in the FIDUS discovery service (DS). A common error is that there are several systems that have to publish and synchronize the latest federation metadata to establish the interfederational trust which is required for a successful login attempt. In this article, we will explain and illustrate the concept. Approximate Maximum Update Time (AMUT) will be used as the term for an estimated maximum waiting time for a change in Skolfederation to be represented at relying parties' implementations in FIDUS and FIDUS member federations.
Resources
- More on FIDUS on Skolverket.se and the FIDUS GitHub
...
Approximate metadata update times
Metadata | Receiving service provider |
---|
Approximate maximum update time |
---|
(AMUT) | |
---|---|
IdP uploaded in Skolfederation | https://skolverket.eduid.se/dnp/sp/ |
1 h 30 min | ||
IdP uploaded in Skolfederation | FIDUS Discovery Service | 30 min |
IdP uploaded in Skolfederation | https://betyg.uhr.se/beda-inrapportering | 3 h 15 min |
Please note that the AMUT values provided are as of November 2025 and are estimates. While systems typically update faster than these maximum values, unforeseen factors not documented here may occasionally cause delays.
Below, find a detailed explanation of the metadata flow and how the maximum time approximates AMUT values are calculated.
Upstream IdP metadata flow
The following diagram describes the flow of metadata for IdP's uploaded to Skolfederation.
Step | Variation |
---|
Action | Approximate maximum update time (AMUT) | Metadata URL | Comment | ||
---|---|---|---|---|---|
A | Skolfederation member uploads their IdP metadata to either production or trial environment and IdP metadata added to each environments upstream feed. | 15 minutes | Upstream feeds: Production: Trial: | If the IdP is visible in the corresponding upstream feed after 15 minutes the metadata publish in Skolfederation is OK. Note that the metadata is published to AWS and presented using CloudFront CDN, which means that old metadata could be cached for a longer time than 15 minutes, increasing the AMUT. | |
B | 1 | FIDUS downloads IdP upstream feed and updates FIDUS IdP feed | AMUT A + 60 minutes | FIDUS IdP feed: | If the IdP is present in FIDUS IdP feed after AMUT 15 + 60 minutes, FIDUS has successfully retrieved and published the IdP metadata. If the IdP is not present, FIDUS may have problems updating its metadata. |
2 | FIDUS Discovery Service downloads IdP upstream feed and updates | AMUT A + 15 minutes | If the IdP is visible in FIDUS DS after AMUT 15 + 15 minutes, the FIDUS DS has successfully retrieved and updated. If the IdP is not present, the FIDUS DS may have problems updating its metadata or service. Important: The FIDUS DS has a significantly shorter AMUT value compared to Beda and DNP. This means that even if your IdP appears in the FIDUS DS after 30 minutes, you will still need to wait until the service provider is updated (see step C.2 or D below). | ||
C | 1 | FIDUS member federation downloads FIDUS IdP feed and publishes in member federation metadata |
AMUT A + AMUT B.1 + up to each federations metadata update settings | FIDUS member federation metadata feed if applicable (not documented here) | If the IdP is present in FIDUS member federation feed after AMUT 15 + 60 + member federation update time, the member federation has successfully retrieved and published the IdP metadata. If the IdP is not present, the FIDUS member federation may have problems updating its metadata from FIDUS IdP feed. |
2 | In some cases, such as Skolverket's DNP and other entities from Skolmyndighetsfederationen, the SP downloads IdP's directly from FIDUS IdP feed and updates |
AMUT A + AMUT B.1 + up to each service's metadata update settings | Not applicable | Not feasible to document as the update time is up to each service. Usually, at this point to test if the SP is updated, a login with the IdP to the SP is performed. | |||
D | FIDUS member federation service provider (SP 1) downloads its federation metadata and updates | AMUT A + AMUT B.1 + AMUT C.1 + Up to each service's metadata update settings | Not applicable | Not feasible to document as the update time is up to each service. Usually, at this point to test if the AMUT is complete, a login with the IdP to the SP is performed. | |
E | Other update procedures and variations in the application which |
may add additional update time | Varies by service, if applicable | Not applicable |