
mace-opensaml-users - [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>

Subject: OpenSAML user discussion

  • From: "Gina Choi" <>
  • To: <>
  • Subject: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
  • Date: Mon, 2 May 2011 12:33:25 -0400

The following is part of an assertion token. NotOnOrAfter is in both the
<SubjectConfirmation> and <Conditions> tags. The NotOnOrAfter timestamp in
the SubjectConfirmation tag is around two hours ahead and the one in the
Conditions tag is 5 min ahead of the current time. I looked at the document for
Assertion protocols and it seems that NotOnOrAfter in the SubjectConfirmation
is to restrict Subject data while the one in the Conditions tag is to
restrict the Assertion token, but I wonder why we need NotOnOrAfter in
both places? Isn't one in either place enough?


<Subject>
  <NameID>gchoi</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2011-04-12T18:37:00.243Z"
        Recipient="https://wkensv0303.global.sdl.corp:8443/servletTestApp/testServlet"/>
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2011-04-12T18:32:00.237Z" NotOnOrAfter="2011-04-12T19:32:00.237Z">
  <AudienceRestriction>
    <Audience>https://wkensv0303.global.sdl.corp:8443/servletTestApp</Audience>
  </AudienceRestriction>
</Conditions>
<AttributeStatement>

Thanks.

Gina
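
Added example (not part of the original post, and not OpenSAML code): Python that evaluates the two windows in the posted fragment separately, the bearer confirmation's NotOnOrAfter together with Recipient at delivery time, and the Conditions NotBefore/NotOnOrAfter for the assertion as a whole. The wrapping <Assertion> root, the function names and the skew parameter are assumptions; signature and audience checks are left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Constructed sample: the fragment from the post inside an assumed root element.
# Namespaces are omitted as in the post; real assertions use
# urn:oasis:names:tc:SAML:2.0:assertion.
SAMPLE = """<Assertion>
<Subject><NameID>gchoi</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2011-04-12T18:37:00.243Z"
 Recipient="https://wkensv0303.global.sdl.corp:8443/servletTestApp/testServlet"/>
</SubjectConfirmation></Subject>
<Conditions NotBefore="2011-04-12T18:32:00.237Z" NotOnOrAfter="2011-04-12T19:32:00.237Z">
<AudienceRestriction>
<Audience>https://wkensv0303.global.sdl.corp:8443/servletTestApp</Audience>
</AudienceRestriction></Conditions>
</Assertion>"""

def ts(value):
    """Parse a UTC xs:dateTime ('Z' suffix, optional fraction); None passes through."""
    if value is None:
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_windows(xml_text, now, acs_url, skew=timedelta(0)):
    """Return the list of failed checks; an empty list means both windows hold."""
    root, failures = ET.fromstring(xml_text), []
    # Window 1: <Conditions> bounds the validity of the assertion as a whole.
    cond = root.find("Conditions")
    if cond is not None:
        not_before, not_after = ts(cond.get("NotBefore")), ts(cond.get("NotOnOrAfter"))
        if not_before and now + skew < not_before:
            failures.append("conditions: not yet valid")
        if not_after and now - skew >= not_after:
            failures.append("conditions: expired")
    # Window 2: bearer <SubjectConfirmationData> bounds delivery to one Recipient.
    def bearer_ok(scd):
        limit = ts(scd.get("NotOnOrAfter")) if scd is not None else None
        return (limit is not None and now - skew < limit
                and scd.get("Recipient") == acs_url)
    data = [sc.find("SubjectConfirmationData")
            for sc in root.iter("SubjectConfirmation") if sc.get("Method") == BEARER]
    if not any(bearer_ok(d) for d in data):
        failures.append("subject: no bearer confirmation valid for this delivery")
    return failures
```
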


