SP clock skew for Weblogic
Joseph Valerio
joseph.valerio at yale.edu
Wed Nov 9 16:01:37 GMT 2011
Hi All,
We are implementing local WebLogic SPs. After many trials we have
finally succeeded with authentication, most of the time. The issue is
that our SPs are receiving the response before it is valid, i.e. the
not-before timestamp is in the future. Our servers are running on
Windows, and Windows Time Services don't cut the mustard. We have
installed real NTP services and brought tolerances down to acceptable
levels where the probability of a failure is very low, but not zero.
WebLogic, I mean Oracle, has settings for time skew in their IdP impl,
not their SP impl. I know that shib's SP allows for such a skew and I
completely agree that this setting belongs in the SP, but is there
anything in the SAML 2.0 specification that hints at such a practice?
Oracle is taking a stance that they are SAML 2.0 compliant and this
functionality would be a feature request, but if I had the spec behind
me, I might be able to get it in as a defect and have a quicker time to
implementation.
Thanks in advance,
- Joe
--
Joseph Valerio
Senior Solution Architect
Yale University
Shared Solution Group
Information Technology Services
phone: 203-432-1196
email: joseph.valerio at yale.edu
smail: 25 Science Park, New Haven, CT 06511
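
An added example (not part of the original post, and not WebLogic or Shibboleth code) of the SP-side tolerance described in the message: the Conditions window check with a bounded clock-skew allowance. The function names, the five-minute cap and the sample assertion are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed upper bound: every second of tolerance also extends the replay window.
MAX_SKEW = timedelta(minutes=5)


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2011-11-09T16:01:37Z (optional fraction)."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC instant ending in Z: %r" % value)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew=timedelta(0)):
    """Return (ok, reason) for the assertion's validity window as seen at `now`.

    Assumes the signature was already verified and the XML came through a
    hardened parser; this function only evaluates the time window.
    """
    if skew < timedelta(0) or skew > MAX_SKEW:
        raise ValueError("skew outside allowed range")
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return True, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # The SP clock may lag the IdP: accept NotBefore up to `skew` in the future.
    if not_before and now + skew < parse_instant(not_before):
        return False, "not yet valid"
    # The SP clock may run ahead: accept up to `skew` past NotOnOrAfter.
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "expired"
    return True, "valid"


# Constructed sample: the IdP issued the assertion 2 s "ahead" of the SP clock.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2011-11-09T16:01:37Z">
  <saml:Conditions NotBefore="2011-11-09T16:01:37Z"
                   NotOnOrAfter="2011-11-09T16:06:37Z"/>
</saml:Assertion>"""
SP_NOW = datetime(2011, 11, 9, 16, 1, 35, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_conditions(SAMPLE_ASSERTION, SP_NOW))
    print(check_conditions(SAMPLE_ASSERTION, SP_NOW, timedelta(seconds=30)))
```
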