SAML AuthInstant is after server time

Nate Klingenstein ndk at
Wed Nov 19 22:48:29 EST 2014


We are having an issue with one of the SPs. AuthInstant is a second before the validity time period. So, the SP is receiving the expired certificate error. How to match them?

I’m not sure that I’m getting your question completely.  I can’t think through why an AuthnInstant could be related to a certificate expiration, though, so I’m going to guess you meant assertion.

We even tried server ntp restart.
<saml2:Conditions NotBefore="2014-11-19T01:38:01.167Z" NotOnOrAfter="2014-11-19T01:43:01.167Z">
<saml2:AuthnStatement AuthnInstant="2014-11-19T01:38:00.620Z”

These timestamps seem very close and acceptable to most SP’s.  I would be more suspicious of the SP than your IdP.  They need to permit for some modest amount of clock skew.

Hope this helps,
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list