Jump to content
Welcome to our new Citrix community!

Configure NotOnOrAfter in SAML response

Ross Bender

Recommended Posts

We have a AAA virtual server that acts as our identify provider (IdP) for handling our SAML SSO requests. I am wanting to change the SAML response so that the third party application knows how long the SSO is valid for.


If I look at the SAML response that is being generated, the NotOnOrAfter value is set to 10 minutes in the future (2 different locations). Relevant snippet of SAML response:

	<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">myuser@company.org</saml:NameID>
	<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
		<saml:SubjectConfirmationData NotOnOrAfter="2019-04-16T17:10:29Z" Recipient="https://exampleapp.com"/>
<saml:Conditions NotBefore="2019-04-16T17:00:29Z" NotOnOrAfter="2019-04-16T17:10:29Z">


How can this be modified?

Link to comment
Share on other sites

That depends on the "skew time" configured on the saml action.  By default it's 5 mins, this is to allow for any clock skew on the SP Side. What you're seeing is not actually 10 mins in the future, its 5 mins before assertion issue time to 5 mins after assertion issue time




Time the assertion was issued | 00:52:48

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="XXXXXX" ID="XXXX" InResponseTo="XXXXX" IssueInstant="2019-04-12T00:52:48Z" Version="2.0">



Response is valid for 5 mins before to 5 mins after | 00:47:58 to 00:57:58

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...