SAML AuthInstant is after server time
Peter Schober
peter.schober at univie.ac.at
Thu Nov 20 03:07:09 EST 2014
* Vignesh, Vanna G. <vignesh at musc.edu> [2014-11-20 00:23]:
> <saml2:Conditions NotBefore="2014-11-19T01:38:01.167Z" NotOnOrAfter="2014-11-19T01:43:01.167Z">
> <saml2:AuthnStatement AuthnInstant="2014-11-19T01:38:00.620Z"
Interesting, I see something similar on a system of my own, where the
IDP issues these:
<saml2:Conditions NotBefore="2014-11-20T07:59:55.007Z" NotOnOrAfter="2014-11-20T08:04:55.007Z">
and
<saml2:AuthnStatement AuthnInstant="2014-11-20T07:54:54.434Z" ...>
The SP in question is the Shibboleth SP, which accepts this (probably
to the default clock skew of 3 min).
I just wonder why the IDP issues such assertions, with NotBefore full
5 minutes later than the AuthnInstant. (Started a fresh browser
session, no session at IDP or SP.)
-peter
More information about the users
mailing list