How Should Shib SP Handle an Expired Assertion?

Cantor, Scott cantor.2 at osu.edu
Fri Aug 16 11:10:54 EDT 2013


On 8/16/13 10:56 AM, "Andrew Owen" <andrew at search.org> wrote:

>(well, I'm writing to confirm whether this is an issue) I'm seeing is
>that the SP allows a user to access a protected resource even when the
>SAML assertion has expired.

The assertion expiration has nothing to do with session lifetime. It
applies to initial acceptance, and applies to reuse, not to session
behavior. The actual time that matters is the bearer confirmation
expiration, but the overall expiration is also checked at initial
acceptance, though it's redundant. I don't know which one you're even
checking here, but there are two, and neither of them means what you're
thinking about.

SessionNotOnOrAfter does, however, and it is the only aspect of SAML, apart
from logout, that has anything to say about a session of any kind.

-- Scott
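As an added illustration of the distinction drawn in the reply above (not code from the thread or from the Shibboleth SP), a Python sketch that reads the three relevant timestamps out of a constructed assertion and checks them the way the reply describes: the two expirations gate initial acceptance only, while the SP session lives on its own lifetime (an assumed default here), capped by SessionNotOnOrAfter when the IdP sends one.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; only the timing attributes matter for this sketch.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2013-08-16T14:50:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID>someone</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-08-16T14:55:00Z"
          Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-08-16T14:50:00Z" NotOnOrAfter="2013-08-16T14:55:00Z"/>
  <saml:AuthnStatement AuthnInstant="2013-08-16T14:50:00Z" SessionIndex="_s1"
      SessionNotOnOrAfter="2013-08-16T22:50:00Z"/>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp ('...Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_timing(xml_text):
    """Pull the three timestamps the reply distinguishes out of the assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    authn = root.find("saml:AuthnStatement", NS)
    snoa = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return {
        "conditions_not_on_or_after": _ts(cond.get("NotOnOrAfter")),   # overall expiration
        "bearer_not_on_or_after": _ts(scd.get("NotOnOrAfter")),        # bearer confirmation expiration
        "session_not_on_or_after": _ts(snoa) if snoa else None,        # only one that speaks to sessions
    }


def acceptable_at(timing, now):
    """Initial acceptance at the SP: bearer window and Conditions window must both still be open."""
    t = _ts(now)
    return t < timing["bearer_not_on_or_after"] and t < timing["conditions_not_on_or_after"]


def session_valid_at(timing, session_start, now, lifetime_seconds=8 * 3600):
    """SP session check: SP's own lifetime (assumed value), capped by SessionNotOnOrAfter if present.
    The assertion's own expirations play no part once the session exists."""
    expiry = _ts(session_start) + timedelta(seconds=lifetime_seconds)
    if timing["session_not_on_or_after"] is not None:
        expiry = min(expiry, timing["session_not_on_or_after"])
    return _ts(now) < expiry
```

With the sample values, a user who logged in at 14:52 still has a valid session at 15:30 even though the assertion itself expired at 14:55; the session ends at 22:50 because of SessionNotOnOrAfter, not because of the assertion.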