SAML AuthInstant is after server time

Peter Schober peter.schober at
Thu Nov 20 03:07:09 EST 2014

* Vignesh, Vanna G. <vignesh at> [2014-11-20 00:23]:
> <saml2:Conditions NotBefore="2014-11-19T01:38:01.167Z" NotOnOrAfter="2014-11-19T01:43:01.167Z">
> <saml2:AuthnStatement AuthnInstant="2014-11-19T01:38:00.620Z"

Interesting, I see something similar on a system of my own, where the
IDP issues these:

<saml2:Conditions NotBefore="2014-11-20T07:59:55.007Z" NotOnOrAfter="2014-11-20T08:04:55.007Z">
<saml2:AuthnStatement AuthnInstant="2014-11-20T07:54:54.434Z" ...>

The SP in question is the Shibboleth SP, which accepts this (probably
due to the default clock skew of 3 min).

I just wonder why the IDP issues such assertions, with NotBefore a full
5 minutes later than the AuthnInstant. (Started a fresh browser
session, no session at IDP or SP.)
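
The time checks under discussion, as an added example that is not part of the original post and not Shibboleth's code, run over the timestamps quoted in the thread. The function names, the SP clock values used with it, and applying the skew symmetrically to both ends of the window are assumptions; the 180 s skew is the 3 min figure from the post.

```python
import re
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(seconds=180)  # the 3 min skew mentioned in the post
ATTR = re.compile(r'(NotBefore|NotOnOrAfter|AuthnInstant)="([^"]+)"')

# Fragments as quoted in the thread (attributes only; the rest is elided there).
FIRST = ('<saml2:Conditions NotBefore="2014-11-19T01:38:01.167Z" '
         'NotOnOrAfter="2014-11-19T01:43:01.167Z">'
         '<saml2:AuthnStatement AuthnInstant="2014-11-19T01:38:00.620Z"')
SECOND = ('<saml2:Conditions NotBefore="2014-11-20T07:59:55.007Z" '
          'NotOnOrAfter="2014-11-20T08:04:55.007Z">'
          '<saml2:AuthnStatement AuthnInstant="2014-11-20T07:54:54.434Z" ...>')

def parse_instants(fragment):
    """Return the quoted xs:dateTime attributes as aware UTC datetimes."""
    out = {}
    for name, value in ATTR.findall(fragment):
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
        out[name] = parsed.replace(tzinfo=timezone.utc)
    return out

def check_conditions(t, now, skew=CLOCK_SKEW):
    """Validity-window check with the window widened by the skew (assumed)."""
    if now + skew < t["NotBefore"]:
        return "not yet valid"
    if now - skew >= t["NotOnOrAfter"]:
        return "expired"
    return "valid"

def authn_in_future(t, now, skew=CLOCK_SKEW):
    """True when AuthnInstant lies beyond the receiver's clock plus skew."""
    return t["AuthnInstant"] > now + skew

def authn_lead_seconds(t):
    """Seconds by which AuthnInstant precedes NotBefore."""
    return (t["NotBefore"] - t["AuthnInstant"]).total_seconds()

if __name__ == "__main__":
    # Constructed SP clock, about 2.5 minutes behind the second NotBefore.
    now = datetime(2014, 11, 20, 7, 57, 30, tzinfo=timezone.utc)
    for label, frag in (("first", FIRST), ("second", SECOND)):
        t = parse_instants(frag)
        print(label, "lead:", authn_lead_seconds(t), "s;",
              "at constructed SP time:", check_conditions(t, now))
```

With zero skew the same constructed SP clock reports the second assertion as not yet valid, which is the case the skew allowance absorbs.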
