
Clock skew for service provider

Open angusshire opened this issue 5 years ago • 3 comments

If the IdP and SP times are out of sync, then the SP may end up mistaking a valid SAML assertion for an invalid one. Therefore, we should be able to specify a clock skew to use for the service provider so that values within clock skew range of the NotBefore, NotOnOrAfter, or SessionNotOnOrAfter constraints are treated as valid.

angusshire avatar Jul 15 '19 21:07 angusshire

PR #71 for this feature. Please let me know your inputs.

konaraya avatar Aug 08 '20 17:08 konaraya

+1 for adding a configurable clock skew up to a limit, say 5 min. At which point should probably fix the cause of the skew instead of extending the skew.

mfridman avatar Sep 27 '21 22:09 mfridman

Would also like. Active Directory tends to issue SAML assertions with NotBefore times with millisecond precision and no margin for error or clock drift.

lpar avatar May 20 '22 18:05 lpar
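
The validity-window check requested in this thread, as an added Go example (not gosaml2's code or API, and not the code from PR #71). `CheckWindow`, `MaxSkew` and the error names are hypothetical, the 5-minute cap follows the limit suggested in the comments, and the timestamps are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// MaxSkew caps the configurable tolerance (hypothetical name; 5 min as suggested in the thread).
const MaxSkew = 5 * time.Minute

var (
	ErrNotYetValid  = errors.New("assertion not yet valid (NotBefore)")
	ErrExpired      = errors.New("assertion expired (NotOnOrAfter)")
	ErrSkewTooLarge = errors.New("clock skew outside allowed range")
)

// CheckWindow validates NotBefore <= now < NotOnOrAfter, widening both bounds
// by skew. A zero time means the attribute was absent. The same upper-bound
// comparison applies to SessionNotOnOrAfter.
func CheckWindow(now, notBefore, notOnOrAfter time.Time, skew time.Duration) error {
	if skew < 0 || skew > MaxSkew {
		return ErrSkewTooLarge // refuse to mask a badly drifting clock
	}
	// Lower bound is inclusive: valid once now+skew has reached NotBefore.
	if !notBefore.IsZero() && now.Add(skew).Before(notBefore) {
		return ErrNotYetValid
	}
	// Upper bound is exclusive: invalid once now-skew has reached NotOnOrAfter.
	if !notOnOrAfter.IsZero() && !now.Add(-skew).Before(notOnOrAfter) {
		return ErrExpired
	}
	return nil
}

func main() {
	// Constructed sample: NotBefore with millisecond precision, SP clock 100 ms behind the IdP.
	notBefore := time.Date(2022, 5, 20, 18, 5, 0, 250000000, time.UTC)
	notOnOrAfter := notBefore.Add(time.Hour)
	spNow := notBefore.Add(-100 * time.Millisecond)

	fmt.Println("skew 0s: ", CheckWindow(spNow, notBefore, notOnOrAfter, 0))
	fmt.Println("skew 30s:", CheckWindow(spNow, notBefore, notOnOrAfter, 30*time.Second))
	fmt.Println("skew 10m:", CheckWindow(spNow, notBefore, notOnOrAfter, 10*time.Minute))
}
```

The skew also extends acceptance past NotOnOrAfter, so the tolerance widens the window in which a captured assertion can be replayed; keep it as small as the observed drift requires.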