
mace-opensaml-users - RE: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>

Subject: OpenSAML user discussion

List archive

RE: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>


  • From: "Gina Choi" <>
  • To: <>
  • Subject: RE: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
  • Date: Mon, 2 May 2011 13:00:04 -0400

Thanks for your response. Sorry, the NotOnOrAfter timestamp in the Conditions is
one hour ahead instead of two hours. By the way, where are the 5 min and 1
hour coming from? Is this implementation specific? The timeframe of NotOnOrAfter
in SubjectConfirmationData (5 min) is much shorter than the one in the
Conditions (60 min). Because a time offset between the identity server and the relying
party server can happen, I am thinking that verifying NotOnOrAfter in the
Conditions tag is more realistic than the one in the SubjectConfirmation. Your
advice would be appreciated.

Gina Choi

-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott E.
Sent: Monday, May 02, 2011 12:37 PM
To:
Subject: Re: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>

On 5/2/11 12:33 PM, "Gina Choi" <> wrote:
>The following is part of an assertion token. NotOnOrAfter is in both the
><SubjectConfirmation> and <Conditions> tags. The NotOnOrAfter timestamp in
>the SubjectConfirmation tag is around two hours ahead and the one in the
>Conditions tag is 5 min ahead of the current time.

That's backwards from accepted norms for bearer assertions, but a
condition is going to be an upper bound on subject confirmation anyway.

>I looked at the document for
>Assertion protocols and it seems that NotOnOrAfter in the
>SubjectConfirmation
>is to restrict the Subject data while the one in the Conditions tag is to
>restrict the Assertion token, but I wonder why we need NotOnOrAfter in
>both places? Isn't one in either place enough?

No, since they serve completely different functions.

-- Scott
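The two checks the thread is about, carried out by a relying party on a SAML 2.0 bearer assertion, as an added example that is not part of the thread and not OpenSAML code. The Conditions window bounds the assertion as a whole; the SubjectConfirmationData window bounds one bearer delivery of it to one Recipient, and the SAML 2.0 Web Browser SSO profile requires the SP to verify that Recipient and NotOnOrAfter. Clock drift between IdP and SP, the concern raised above, is handled here by a skew allowance applied equally to both windows rather than by skipping the shorter one. The element and attribute names and the bearer method URI are from the SAML 2.0 core schema; the issuer, recipient URL, assertion ID, timestamps and the `build_assertion`/`validate_bearer` helpers are assumptions made for this example.

```python
"""Added example: the two NotOnOrAfter checks on a SAML 2.0 bearer assertion.

Constructed for this page; not OpenSAML code.  Element/attribute names and the
bearer confirmation-method URI come from the SAML 2.0 core schema; the issuer,
recipient URL and assertion ID are made-up sample values.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def parse_saml_time(value):
    """SAML dateTime values are UTC and end in 'Z'; fromisoformat wants '+00:00'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def fmt_saml_time(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assertion(issued, confirmation_lifetime, conditions_lifetime,
                    recipient="https://sp.example.org/SAML2/POST"):
    """Constructed sample assertion whose two windows can be chosen independently."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample1" Version="2.0"
  IssueInstant="{fmt_saml_time(issued)}">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user1</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{recipient}"
        NotOnOrAfter="{fmt_saml_time(issued + confirmation_lifetime)}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{fmt_saml_time(issued)}"
    NotOnOrAfter="{fmt_saml_time(issued + conditions_lifetime)}"/>
</saml:Assertion>"""


def validate_bearer(xml_text, now, expected_recipient, skew=timedelta(seconds=180)):
    """Return a list of failure reasons; an empty list means the assertion is acceptable.

    Conditions bound the whole assertion; SubjectConfirmationData bounds this bearer
    delivery to this Recipient.  IdP/SP clock drift is absorbed by `skew`, applied
    identically to both windows, not by dropping the shorter check.
    """
    root = ET.fromstring(xml_text)
    failures = []

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        failures.append("Conditions missing")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            failures.append("Conditions NotBefore not yet reached")
        if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
            failures.append("Conditions NotOnOrAfter passed: assertion expired")

    # Profile rule: at least one bearer SubjectConfirmation must be satisfiable.
    candidate_problems = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            candidate_problems.append("bearer confirmation lacks SubjectConfirmationData")
            continue
        if data.get("Recipient") != expected_recipient:
            candidate_problems.append("Recipient %r is not this endpoint" % data.get("Recipient"))
            continue
        noa = data.get("NotOnOrAfter")
        if noa is None:
            candidate_problems.append("SubjectConfirmationData lacks NotOnOrAfter")
            continue
        if now - skew >= parse_saml_time(noa):
            candidate_problems.append("SubjectConfirmationData NotOnOrAfter passed: bearer window closed")
            continue
        return failures  # this confirmation is usable; only the Conditions verdict remains
    failures.extend(candidate_problems or ["no bearer SubjectConfirmation present"])
    return failures
```

With a 5-minute confirmation window and a 1-hour Conditions window, the same assertion is accepted at +1 min, rejected at +10 min because the bearer window has closed even though the Conditions still hold, and accepted 30 s past the bearer window only when the skew allowance covers it. Swapping the lifetimes (2-hour confirmation, 5-minute Conditions, the arrangement described first in the thread) shows the point made in the reply: the Conditions window is the upper bound regardless. A production validator also checks AudienceRestriction, InResponseTo, the Issuer and the signature, which are omitted here to keep the two timestamps in focus.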




