Time skew issue?

Ernie Kinsey Ernie.Kinsey at cpcc.edu
Mon May 7 11:18:15 EDT 2018


I'm running into an issue wherein the AuthnInstant value is preceding the NotBefore value, and I'm working on the assumption (unconfirmed) that the app with which I'm integrating (Webex) won't authenticate because it thinks I'm asking for access before the ticket is valid.  For instance, I'm getting the following:

AuthnInstant = "2018-05-07T13:43:18.310Z"
NotBefore    = "2018-05-07T13:43:18.932Z"
NotOnOrAfter = "2018-05-07T13:48:18.932Z"

Which makes it look like I'm asking for access about 3/4 of a second too soon.  I got a tip that this might have to do with a time "skew" that could be set in the IdP, and I found a couple of places that might be modified to address this issue; one is in the conf/idp.properties file's setting:

idp.policy.clockSkew = PT3M

Which was commented out.  Thinking this might fix my problem, I uncommented it, restarted my instance, and got the same kind of results.  Was this the wrong thing to change, or was there something else in that file which would also need to change?

The other thing I found is a reference here:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPShibbolethXML

Which talks about a file called "shibboleth2.xml" that doesn't exist on my installation.  There's some discussion about an element called "clockSkew" that would be set in this file - is this the right place to adjust/set the skew value?  If so, is the file in question a non-standard part of the Shibboleth deployment that I need to create for myself?  As always, any assistance would be much appreciated.

Thanks,
Ernest K. Kinsey, Jr.
Central Piedmont Community College
Charlotte, NC
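
Added example, not part of the original message and not Shibboleth or Webex code: a sketch of how a party validating an assertion can compare its own clock against the NotBefore/NotOnOrAfter window with a skew tolerance written as an ISO 8601 duration such as PT3M. The window values are the ones quoted in the message; the validator clock readings, the function names, and the assumption that the check uses the validator's clock at processing time are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of ISO 8601 durations (hours/minutes/seconds), enough for values like PT3M.
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?$")

def parse_duration(text):
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    hours, minutes, seconds = m.groups()
    return timedelta(hours=int(hours or 0), minutes=int(minutes or 0),
                     seconds=float(seconds or 0))

def parse_instant(text):
    # Timestamps in the message are UTC with millisecond precision and a trailing Z.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_window(now, not_before, not_on_or_after, skew):
    """Classify the validator's clock reading against the validity window."""
    if now + skew < not_before:
        return "not-yet-valid"
    if now - skew >= not_on_or_after:
        return "expired"
    return "valid"

# Values quoted in the message.
NOT_BEFORE = parse_instant("2018-05-07T13:43:18.932Z")
NOT_ON_OR_AFTER = parse_instant("2018-05-07T13:48:18.932Z")

# Constructed validator clock readings (assumptions, not from the message).
SAMPLE_CLOCKS = {
    "2s behind issuer": "2018-05-07T13:43:17.000Z",
    "in window": "2018-05-07T13:45:00.000Z",
    "1s past expiry": "2018-05-07T13:48:19.932Z",
}

def evaluate(skew_text):
    skew = parse_duration(skew_text)
    return {label: check_window(parse_instant(ts), NOT_BEFORE, NOT_ON_OR_AFTER, skew)
            for label, ts in SAMPLE_CLOCKS.items()}

if __name__ == "__main__":
    for skew_text in ("PT0S", "PT3M"):
        print(skew_text, evaluate(skew_text))
```

With no tolerance, a validator clock two seconds behind the issuer rejects the assertion as not yet valid; with PT3M all three constructed readings fall inside the widened window.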
