SP clock skew for Weblogic

Joseph Valerio joseph.valerio at yale.edu
Wed Nov 9 16:01:37 GMT 2011

Hi All,

We are implementing local weblogic SPs.  After many trials we have 
finally succeeded with authentication, most of the time.  The issue is 
that our SPs are receiving the response before it is valid, ie. the 
not-before timestamp is in the future.  Our servers are running on 
windows, and Windows Time Services don't cut the mustard.  We have 
installed real NTP services and brought tolerances down to acceptable 
levels where the probability of a failure is very low, but not zero.  
Weblogic, I mean Oracle, has settings for time skew in their IdP impl, 
not there SP impl.  I know that shib's SP allows for such a skew and I 
completely agree that this setting belongs in the SP, but is there 
anything in the SAML 2.0 specification that hints to such a practice.  
Oracle is taking a stance that they are SAML 2.0 compliant and this 
functionality would be a feature request, but if I had the spec behind 
me, I might be able to get it in as a defect and have a quicker time to 

Thanks in advance,

- Joe

Joseph Valerio

Senior Solution Architect

Yale University
Shared Solution Group
Information Technology Services

phone: 203-432-1196
email: joseph.valerio at yale.edu
smail: 25 Science Park, New Haven, CT 06511
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20111109/dea3876b/attachment.html 

More information about the users mailing list