Updating/refreshing SAMLConfiguration

What’s the proper way to refresh the SAMLConfiguration when acting as the SP? When the ACS endpoint is hit, there isn’t a way to know ahead of time which “configuration” to use. So, that mean that the SAMLConfiguration needs to be already configured with all possible partner IdP configs, right? Whereas, when acting as the IdP, it’s typical to know the tenant ahead of time and refreshing only that particular tenant’s config is relatively easier. Hopefully I make sense, if not, I can try to clarify the scenario further.

In many scenarios, SAML configuration isn’t dynamic. Usually configuration information has to be exchanged between yourself and the partner as part of setting up the SSO federation.
It would be unusual to receive a SAML response at your assertion consumer service from an unknown partner IdP and then dynamically update your configuration to include the partner IdP.
Updating existing SAML configuration is a more common process. For example, the partner’s certificate may need to be updated.
In both cases, SAML configuration should be set programmatically.
http://www.componentspace.com/Forums/38/Specifying-the-SAML-Configuration-Programmatically
For multi-tenancy applications, you need to identify the tenant before specifying which SAML configuration to use.
This is true whether acting as the IdP or SP.
http://www.componentspace.com/Forums/51/SAML-MultiTenancy-Applications
I may not have understood your scenario so please ask again if that’s the case.

No, it isn’t thread safe.
If you update the SAML configuration whilst SSO requests are being processed it’s possible these requests will fail, depending on what changes you make. Subsequent SSO requests should succeed.

No, changing the ConfigurationID is safe.
It’s stored in the internal SAML state which is different for each user.
You can safely be processing multiple SSO requests for different tenants without any issues.

You’re welcome.