mace-opensaml-users - RE: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
- From: "Gina Choi" <>
- To: <>
- Subject: RE: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
- Date: Mon, 2 May 2011 13:44:46 -0400
>It's policy and profile specific
I am using the Web Browser SSO profile, SP-initiated, Redirect->POST binding.
> Clock synchronization is a requirement in SAML and most security
> protocols. Doing what you propose is wrong, and would be insecure.
1. How do I force clock synchronizations between two servers?
2. Could you recommend the correct way of verifying the NotOnOrAfter timestamp?
Thank you.
Gina Choi
-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott E.
Sent: Monday, May 02, 2011 1:05 PM
To:
Subject: Re: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
On 5/2/11 1:00 PM, "Gina Choi" <> wrote:
> Thanks for your response. Sorry, the NotOnOrAfter timestamp in the Conditions
> is one hour ahead instead of two hours.
I thought you said the confirmation window was the one that was ahead of
the other. That means it's as expected.
> By the way, where are the 5 min and 1 hour coming from? Is this
> implementation specific?
It's policy and profile specific (or should be).
> The timeframe of NotOnOrAfter in SubjectConfirmationData (5 min) is much
> shorter than the one in the Conditions (60 min).
It should be.
> Because a time offset between the identity server and the relying party
> server can happen, I am thinking that verifying NotOnOrAfter in the
> Conditions tag is more realistic than the one in the SubjectConfirmation.
> Your advice would be appreciated.
Clock synchronization is a requirement in SAML and most security
protocols. Doing what you propose is wrong, and would be insecure.
-- Scott
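The question of how to verify NotOnOrAfter correctly, as an added example that is not part of this thread and is not OpenSAML code: a small Python validator that enforces both the SubjectConfirmationData window and the Conditions window against the SP's own clock, with a bounded skew allowance rather than skipping the shorter window. The assertion, hostnames, times and the 3-minute skew value are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the thread); only the time attributes matter here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2011-05-02T17:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2011-05-02T17:05:00Z" Recipient="https://sp.example.org/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-05-02T17:00:00Z" NotOnOrAfter="2011-05-02T18:00:00Z"/>
</saml:Assertion>"""

def parse_saml_time(value):
    """Parse a SAML dateTime in UTC ('Z' suffix), dropping fractional seconds."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion_times(assertion_xml, now, skew=timedelta(minutes=3)):
    """Return the list of time-validity failures (empty list: both windows passed).
    Both windows are enforced, never one instead of the other: the short
    SubjectConfirmationData window bounds how long the bearer assertion may be
    presented, the Conditions window bounds its validity overall. `skew` absorbs
    minor clock drift; it is a small bound, not a substitute for synced clocks."""
    root = ET.fromstring(assertion_xml)
    failures = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        failures.append("no Conditions element")
    else:
        nb, nooa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is not None and now + skew < parse_saml_time(nb):
            failures.append("Conditions NotBefore is in the future")
        if nooa is None or now - skew >= parse_saml_time(nooa):
            failures.append("Conditions NotOnOrAfter missing or expired")
    path = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
    confirmed = False
    for scd in root.findall(path, NS):
        nooa = scd.get("NotOnOrAfter")  # bearer confirmation requires this attribute
        if nooa is not None and now - skew < parse_saml_time(nooa):
            confirmed = True
    if not confirmed:
        failures.append("no SubjectConfirmationData with an unexpired NotOnOrAfter")
    return failures
```

Call `check_assertion_times(SAMPLE_ASSERTION, now)` with a timezone-aware `now`; a non-empty result means the assertion must be rejected, and the entries tell you which window failed.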