Shibboleth SP Conditions Rule to assert NotBefore and NotOnOrAfter

Kalluru, Prasanth (ELS-LON) p.kumar.13 at
Thu Jan 28 16:13:41 UTC 2021

We have configured our Shibboleth SP "SecurityPolicies" like below

<SecurityPolicies xmlns="urn:mace:shibboleth:3.0:native:sp:config">

    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
        </PolicyRule>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>

    <Policy id="entity-attributes">
        <PolicyRule type="Conditions"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
    </Policy>

    <AlgorithmBlacklist includeDefaultBlacklist="true"/>

</SecurityPolicies>

As per this documentation, if we have "Conditions Rule", SP enforces the NotBefore and NotOnOrAfter attributes during assertion.

During our testing, in one of our Shibboleth IdPs, we disabled the 'NotBefore' attribute in relying-party.xml like below

<bean parent="SAML2.SSO" p:includeConditionsNotBefore="false" />
<bean parent="Shibboleth.SSO" p:includeConditionsNotBefore="false" />

After this change the IdP is sending the SAML response Conditions with only NotOnOrAfter, like below

<saml2:Conditions NotOnOrAfter="2021-01-28T11:41:16.517Z">

But my Shibboleth SP is still granting access even though the NotBefore attribute is absent in the SAML response.

Could someone help me understand: does the Shibboleth SP reject access only if both the NotBefore and NotOnOrAfter attributes are absent in the SAML response?
Or am I doing something wrong with my SP configuration?

Just for my testing, is there any way to disable NotOnOrAfter in my Shibboleth IdP?

Prasanth K
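For readers following the question above, here is an added example (not Shibboleth SP code, and not from the poster) that evaluates a saml2:Conditions validity window the way SAML 2.0 Core section 2.5.1.2 defines it: NotBefore and NotOnOrAfter are each optional, and an absent attribute leaves that side of the window unbounded, so a Conditions element carrying only NotOnOrAfter is still within its window until that instant. The 180-second clock-skew allowance and the `require_expiry` hardening flag are assumptions of this example, not Shibboleth settings.

```python
"""Validity-window check for a SAML 2.0 <saml2:Conditions> element.

Added example, not Shibboleth SP code. Semantics follow SAML 2.0 Core
2.5.1.2: each of NotBefore / NotOnOrAfter is optional, and a missing
attribute means no bound on that side. require_expiry is a stricter,
local policy choice (assumed here): reject assertions with no expiry.
"""
from datetime import datetime, timedelta
from typing import Tuple
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLOCK_SKEW = timedelta(seconds=180)  # assumed allowance for IdP/SP clock drift


def parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(conditions_xml: str, now: datetime,
                     skew: timedelta = CLOCK_SKEW,
                     require_expiry: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for the validity window of a Conditions element."""
    root = ET.fromstring(conditions_xml)
    if root.tag != "{%s}Conditions" % SAML2_NS:
        return False, "not a saml2:Conditions element"
    not_before = root.get("NotBefore")
    not_on_or_after = root.get("NotOnOrAfter")
    # Per SAML Core an assertion with no expiry is unbounded; a defender
    # normally refuses to accept that, hence the (assumed) policy flag.
    if not_on_or_after is None and require_expiry:
        return False, "rejected by policy: no NotOnOrAfter (unbounded lifetime)"
    if not_before is not None and now + skew < parse_instant(not_before):
        return False, "not yet valid: NotBefore is in the future"
    if not_on_or_after is not None and now - skew >= parse_instant(not_on_or_after):
        return False, "expired: NotOnOrAfter has been reached"
    if not_before is None:
        return True, "accepted: no NotBefore, lower bound is open (spec-conformant)"
    return True, "accepted: inside NotBefore/NotOnOrAfter window"


# Constructed samples; the expiry instant is the one quoted in the post.
ONLY_EXPIRY = ('<saml2:Conditions xmlns:saml2="%s" '
               'NotOnOrAfter="2021-01-28T11:41:16.517Z"/>' % SAML2_NS)
FULL_WINDOW = ('<saml2:Conditions xmlns:saml2="%s" '
               'NotBefore="2021-01-28T11:36:16.517Z" '
               'NotOnOrAfter="2021-01-28T11:41:16.517Z"/>' % SAML2_NS)
NO_WINDOW = '<saml2:Conditions xmlns:saml2="%s"/>' % SAML2_NS

if __name__ == "__main__":
    for label, xml in (("only expiry", ONLY_EXPIRY), ("full window", FULL_WINDOW)):
        print(label, check_conditions(xml, parse_instant("2021-01-28T11:40:00Z")))
```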