SAML AuthInstant is after server time
Nate Klingenstein
ndk at internet2.edu
Wed Nov 19 22:48:29 EST 2014
Vanna,
We are having an issue with one of the SPs. AuthnInstant is a second before the validity time period. So, the SP is receiving the expired certificate error. How to match them?
I’m not sure that I’m getting your question completely. I can’t think through why an AuthnInstant could be related to a certificate expiration, though, so I’m going to guess you meant assertion.
We even tried server ntp restart.
<saml2:Conditions NotBefore="2014-11-19T01:38:01.167Z" NotOnOrAfter="2014-11-19T01:43:01.167Z">
<saml2:AuthnStatement AuthnInstant="2014-11-19T01:38:00.620Z"
These timestamps seem very close and acceptable to most SPs. I would be more suspicious of the SP than your IdP. They need to permit some modest amount of clock skew.
Hope this helps,
Nate.
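
An added example, not part of the original message and not Shibboleth's own code: a minimal check of the Conditions window with a configurable clock-skew allowance, run against the timestamps quoted in the thread. The SP clock readings and skew values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Timestamps quoted in the thread above.
NOT_BEFORE = "2014-11-19T01:38:01.167Z"
NOT_ON_OR_AFTER = "2014-11-19T01:43:01.167Z"
AUTHN_INSTANT = "2014-11-19T01:38:00.620Z"


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fraction)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(not_before, not_on_or_after, sp_now, skew=timedelta(0)):
    """Return 'valid', 'not_yet_valid' or 'expired' for the SP's clock reading.

    The window is widened by `skew` at both ends, which is how an SP
    tolerates its clock disagreeing with the IdP's.
    """
    start = parse_saml_time(not_before) - skew
    end = parse_saml_time(not_on_or_after) + skew
    if sp_now < start:
        return "not_yet_valid"
    if sp_now >= end:  # NotOnOrAfter is an exclusive upper bound
        return "expired"
    return "valid"


def authn_gap() -> timedelta:
    """How far AuthnInstant precedes NotBefore in the quoted assertion."""
    return parse_saml_time(NOT_BEFORE) - parse_saml_time(AUTHN_INSTANT)


if __name__ == "__main__":
    # Constructed case: the SP's clock reads exactly the AuthnInstant,
    # i.e. it runs about half a second behind the IdP at issue time.
    sp_now = parse_saml_time(AUTHN_INSTANT)
    print("AuthnInstant precedes NotBefore by", authn_gap())
    for skew in (timedelta(0), timedelta(seconds=1), timedelta(minutes=3)):
        result = check_conditions(NOT_BEFORE, NOT_ON_OR_AFTER, sp_now, skew)
        print(f"skew={skew}: {result}")
```

Keep the allowance small: the same value that forgives a slow SP clock also extends how long an assertion is accepted past NotOnOrAfter.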