Shibboleth SP Conditions Rule to assert NotBefore and NotOnOrAfter

Cantor, Scott cantor.2 at
Thu Jan 28 17:32:23 UTC 2021

On 1/28/21, 12:16 PM, "users on behalf of Kalluru, Prasanth (ELS-LON)" <users-bounces at on behalf of p.kumar.13 at> wrote:

>    Is the SP granting access because of NotOnOrAfter still present in the SAML response?

Conditions @NotOnOrAfter is also not required by the profile. SubjectConfirmationData @NotOnOrAfter is a requirement of the profile. That is not the same thing.

The SP enforces the profile and the requirements of core constructs. It doesn't allow something because something is or isn't there, it requires what has to be there to be present and it enforces the requirements of anything that's present that has mandatory semantics so can't be ignored.

> What kind of enforcement/check this PolicyRule makes in SP?

It enables enforcement of Conditions @NotBefore and @NotOnOrAfter when they're present and it configures awareness of and correct processing of AudienceRestriction conditions so they get checked. It rejects any other conditions as being of indeterninate validity so that they result in an error because Conditions have to be understood to be valid. They have mandatory semantics. 

-- Scott

More information about the users mailing list