OpenSAML user discussion

["Gina Choi" <>]

The following is part of assertion token. NotOnOrAfter is in both
<SubjectConfirmation> and <Conditions> tags. The NotOnOrAfter timestamp in
the SubjectConfirmation tag is around two hours ahead and the one in the
Conditions tag is 5 min ahead then current time. I looked at document for
Assertion protocols and it seems that NotOnOrAfter in the SubjectConfirmation
is to restrict Subject data while the one in the Conditions tag is to
restrict the Assertion token, but I wonder why do we need NotOnOrAfter in
both places? Isn't one in the either place enough?


        <Subject>
            <NameID>gchoi</NameID>
            <SubjectConfirmation Method =
"urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter =
"2011-04-12T18:37:00.243Z" Recipient
="https://wkensv0303.global.sdl.corp:8443/servletTestApp/testServlet"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore = "2011-04-12T18:32:00.237Z" NotOnOrAfter =
"2011-04-12T19:32:00.237Z">
            <AudienceRestriction>
 
<Audience>https://wkensv0303.global.sdl.corp:8443/servletTestApp</Audience>
            </AudienceRestriction>
        </Conditions>
                <AttributeStatement>

Thanks.

Gina