mace-opensaml-users - Re: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
Subject: OpenSAML user discussion
- From: "Cantor, Scott E." <>
- To: "" <>
- Subject: Re: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
- Date: Mon, 2 May 2011 17:05:06 +0000
- Accept-language: en-US
On 5/2/11 1:00 PM, "Gina Choi" <> wrote:
>Thanks for your response. Sorry, NotOnOrAfter timestamp in the Conditions is
>one hour ahead instead of two hours.
I thought you said the confirmation window was the one that was ahead of
the other. That means it's as expected.
> By the way where are the 5 min and 1
>hour coming from? Is this implementation specific?
It's policy and profile specific (or should be).
> Timeframe of NotOnOrAfter
>in SubjectConfirmationData(5min) is much shorter than the one in the
>Conditions(60min).
It should be.
> Because of time off between identity server and relying
>party server can happen, I am thinking that verifying NotOnOrAfter in the
>Conditions tag is more realistic than the one in the SubjectConfirmation. Your
>advice would be appreciated.
Clock synchronization is a requirement in SAML and most security
protocols. Doing what you propose is wrong, and would be insecure.
-- Scott
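The two time checks discussed in this message, as an added example that is not part of the original e-mail and is not OpenSAML code: a relying party enforces both the short SubjectConfirmationData window and the longer Conditions window, so an assertion replayed after the confirmation window is rejected even though its Conditions are still valid. The sample assertion, the function names and the 3-minute skew allowance are assumptions, and the signature is assumed to have been verified already.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(minutes=3)  # assumed local policy, not a value from the thread

# Constructed sample: 5-minute confirmation window, 60-minute Conditions window.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2011-05-02T17:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-05-02T17:00:00Z"
                   NotOnOrAfter="2011-05-02T18:00:00Z"/>
</saml:Assertion>"""


def _ts(value):
    # SAML timestamps are UTC; the constructed sample has no fractional seconds.
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def check_times(xml_text, now, skew=SKEW):
    """Return a list of failures; an empty list means both windows hold."""
    root = ET.fromstring(xml_text)
    failures = []

    # Delivery window: how long the bearer may present the assertion.
    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("NotOnOrAfter") is None:
        failures.append("confirmation: NotOnOrAfter missing")
    elif now >= _ts(scd.get("NotOnOrAfter")) + skew:
        failures.append("confirmation: delivery window expired")

    # Validity window: how long the statements in the assertion may be relied on.
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            failures.append("conditions: not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")) + skew:
            failures.append("conditions: expired")
    return failures
```

At 17:30 the Conditions window alone would still accept this assertion; the confirmation check is what rejects it.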