Shibboleth Developers

[Jim Fox <>]

And looking closer it seems that the time coming in is seconds,
but the DateTime constructor wants milliseconds.  Multiplying
the "time" by 1000 makes it work.  Don't know if that's a
proper solution though.

Jim

> Looking closer I see that near the end of ShibbolethSSODecoder, where
> the issue instant is set,
>
>   long time = Long.parseLong(timeStr);
>
> gives:  1194389214
>
> but
>
>   new DateTime(time, ISOChronology.getInstanceUTC());
>
> returns:  1970-01-14T19:46:29.214Z
>
>
> Jim
>
>
>
> > Since upgrading to the latest IdP code I've started to
> > get this error on the authn first leg.
> >
> > > 13:46:22.401 ERROR 
> > > [org.opensaml.common.binding.security.MessageReplayRule] Message contained 
> > > no ID, replay check not possible
> > >
> > > 13:46:22.402 ERROR [org.opensaml.common.binding.security.IssueInstantRule] 
> > > Message was expired: message issue time was '1970-01-14T19:46:25.582Z', 
> > > message expired at: '1970-01-14T19:51:35.582Z', current time: 
> > > '2007-11-06T13:46:22.402-08:00'
> > >
> > > 13:46:22.402 ERROR 
> > > [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler] 
> > > Shibboleth SSO request does not meet security requirements
> > > org.opensaml.ws.security.SecurityPolicyException: Message was rejected due 
> > > to issue instant expiration
> >
> > It looks like someone, somewhere is getting a zero for the issue time.  The 
> > same SP (also 2.0) works with other IdPs.
> >
> > Jim