Shibboleth SP Conditions Rule to assert NotBefore and NotOnOrAfter

Mak, Steve makst at
Thu Jan 28 18:00:31 UTC 2021


Are you trying to force a new user session using that attribute?

If so, that's not what that attribute is used for. It's used for defining the validity window of a SAML response/assertion.

If the SP is retaining a valid user session for longer than you like, that's in the Shib SP settings for session duration.

On 1/28/21, 12:16, "users on behalf of Kalluru, Prasanth (ELS-LON)" <users-bounces at on behalf of p.kumar.13 at> wrote:

    Thanks Scott,

    Is the SP granting access because of NotOnOrAfter still present in the SAML response?

    What kind of enforcement/check this PolicyRule makes in SP?

    	<PolicyRule type="Conditions">
                		<PolicyRule type="Audience"/>
    For Consortium Member technical support, see
    To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list