SAML flow within MFA flow - possible c14n problem
Cantor, Scott
cantor.2 at osu.edu
Mon Sep 19 16:45:20 UTC 2022
On 9/19/22, 5:07 AM, "John Watt" <John.Watt at glasgow.ac.uk> wrote:
> I notice that "x" for the login flow entry (and not the _session) always
> seems to be ten minutes ahead of the current time plus the timeout I have
> set, so I guess this has got the default cleanupInterval time added?
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631875/Sessions
> but when running the SAML flow the ts number remains the same as the
> first expired flow (despite the "x" updating successfully).
The creation or "authentication" time of a result for a proxied authentication is set by default to the value provided by the IdP, from the SAML assertion. That value isn't changing (apparently, it would depend on the IdP). Thus, you're relying on an old authentication event and would need to account for that in your policy governing those results.
If you want to ignore the IdP and just reset it each time, even though that isn't strictly speaking "true", you can set proxiedAuthnInstant to false in the SAML2.SSO bean, per the profile documentation.
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631694/SAML2SSOConfiguration, under profile-specific settings.
I had no memory of any of that, but you were specific enough to direct me to review the settings and how that value is established.
-- Scott
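As an added configuration example (not part of the original thread, and not copied from the Shibboleth documentation), the profile setting Scott points to is a property on the SAML2.SSO profile bean in the IdP's conf/relying-party.xml. The fragment below sets it on the default relying party; the surrounding bean structure is the standard IdP 4 layout, and the comments restate the trade-off described above: with the override in place the result's timestamp reflects the time of each proxied login rather than the authentication instant asserted by the upstream IdP.

```xml
<!-- conf/relying-party.xml (fragment, added example; surrounding beans follow the
     standard Shibboleth IdP 4 layout rather than any specific deployment) -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- Default behaviour (proxiedAuthnInstant="true"): a proxied result keeps
                 the AuthnInstant carried in the upstream IdP's assertion, so local
                 timeout/re-authentication policy must allow for an older event. -->
            <!-- <bean parent="SAML2.SSO" /> -->

            <!-- Override: reset the result's authentication time on each proxied login.
                 The value no longer reflects when the user actually authenticated
                 at the upstream IdP, so any policy that relies on it should be
                 reviewed accordingly. -->
            <bean parent="SAML2.SSO" p:proxiedAuthnInstant="false" />
        </list>
    </property>
</bean>
```

The override can equally be placed on a RelyingPartyByName bean under shibboleth.RelyingPartyOverrides if only particular service providers should see the reset timestamps.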