timestamp issue

Ian Young ian at iay.org.uk
Mon Nov 19 07:29:30 EST 2012


On 19 Nov 2012, at 12:08, C G <ci_98yr at yahoo.com> wrote:

> Before I go further,
> let me mention, I _do not (or prefer)_ have control on setting the clock
> on shib idp server

You can't do networked security without accurate clocks.  You need to get the clock on the IdP server set correctly.  It doesn't need to be within milliseconds, but it does need to be in the ballpark and, more importantly, it needs to be actively kept that way.  Every modern OS has something built in to do this; you just need to turn it on.

> , nor I control the sp's time zone which are in a different timezone.

Time zone does not matter, because all times in SAML messages are expressed in UTC.

> Is there a way that I can tweak the idp config? Any security issues? Is there some valve that I can turn on to get the message timestamp
> translated into (mapped) to idp server timestamp so it maps and gets correctly interpreted?

Just fix the IdP clock and everything will work.

	-- Ian
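
Added example, not part of the original message and not Shibboleth code: a minimal check of a SAML `Conditions` validity window, showing that the receiver's time zone has no effect while a drifted clock makes the same assertion look not yet valid or expired. The assertion fragment, the function names and the 3-minute skew allowance are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample fragment (not taken from the thread).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Conditions NotBefore="2012-11-19T12:00:00Z"
                   NotOnOrAfter="2012-11-19T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse a SAML time value; SAML requires these to be expressed in UTC."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML time values must be UTC: {value!r}")
    value = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew=timedelta(minutes=3)):
    """Return 'valid', 'not-yet-valid' or 'expired' as seen by the receiver's clock."""
    if now.tzinfo is None:
        raise ValueError("receiver clock must be timezone-aware")
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    not_before = parse_saml_instant(cond.attrib["NotBefore"])
    not_on_or_after = parse_saml_instant(cond.attrib["NotOnOrAfter"])
    # Aware datetimes compare as absolute instants, so the zone is irrelevant.
    if now + skew < not_before:
        return "not-yet-valid"
    if now - skew >= not_on_or_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    utc_now = datetime(2012, 11, 19, 12, 1, tzinfo=timezone.utc)
    # The same instant on a server configured for UTC-5.
    est_now = utc_now.astimezone(timezone(timedelta(hours=-5)))
    # Receivers whose clocks have drifted 20 minutes slow and fast.
    slow = utc_now - timedelta(minutes=20)
    fast = utc_now + timedelta(minutes=20)
    for label, t in [("UTC", utc_now), ("UTC-5", est_now), ("slow", slow), ("fast", fast)]:
        print(label, check_conditions(SAMPLE_ASSERTION, t))
```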


