SAML AuthInstant is after server time

Cantor, Scott cantor.2 at
Thu Nov 20 09:44:58 EST 2014

On 11/20/14, 8:09 AM, "Peter Schober" <peter.schober at> wrote:

>* Peter Schober <peter.schober at> [2014-11-20 09:07]:
>> I just wonder why the IDP issues such assertions, with NotBefore full
>> 5 minutes later than the AuthnInstant. (Started a fresh browser
>> session, no session at IDP or SP.)
>The Assertion/@IssueInstant matches the Conditions/@NotBefore exactly.
>So where does the AuthnInstant value come from?

The time of the original authentication, or at least it should. I think 
Eric would have caught us on that if we were getting it wrong.

-- Scott

More information about the users mailing list