
Configure NotOnOrAfter in SAML response


Ross Bender


We have an AAA virtual server that acts as our identity provider (IdP) for handling our SAML SSO requests. I am wanting to change the SAML response so that the third-party application knows how long the SSO is valid for.


If I look at the SAML response that is being generated, the NotOnOrAfter value is set to 10 minutes in the future (in 2 different locations). Relevant snippet of the SAML response:

<saml:Subject>
	<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">myuser@company.org</saml:NameID>
	<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
		<saml:SubjectConfirmationData NotOnOrAfter="2019-04-16T17:10:29Z" Recipient="https://exampleapp.com"/>
	</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2019-04-16T17:00:29Z" NotOnOrAfter="2019-04-16T17:10:29Z">
	<saml:AudienceRestriction>
		<saml:Audience>https://exampleapp.com</saml:Audience>
	</saml:AudienceRestriction>
</saml:Conditions>


How can this be modified?


That depends on the "skew time" configured on the SAML action. By default it's 5 mins; this is to allow for any clock skew on the SP side. What you're seeing is not actually 10 mins in the future, it's 5 mins before the assertion issue time to 5 mins after the assertion issue time.

Example:

Time the assertion was issued | 00:52:48

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="XXXXXX" ID="XXXX" InResponseTo="XXXXX" IssueInstant="2019-04-12T00:52:48Z" Version="2.0">

Response is valid for 5 mins before to 5 mins after | 00:47:58 to 00:57:58

NotBefore="2019-04-12T00:47:48Z"
NotOnOrAfter="2019-04-12T00:57:48Z"

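The reply above describes the window as "skew time" minutes on either side of IssueInstant, written into both saml:Conditions and saml:SubjectConfirmationData. The Python below is an added example, not code from this thread or from Citrix: it reproduces that window from an IssueInstant and a skew value, builds a constructed response in the same shape as the snippet in the question, and then performs the relying-party (SP) side check of NotBefore/NotOnOrAfter that decides whether an assertion is accepted. The response builder, the `sp_tolerance_seconds` parameter and all IDs/timestamps are assumptions made for the example; it does not show the NetScaler setting itself.

```python
"""Validity window produced by an IdP skew time, and the SP-side check of it.
Added example; the 5-minutes-either-side behaviour follows the forum reply above."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_instant(value):
    """Parse a SAML UTC timestamp such as 2019-04-12T00:52:48Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fmt_instant(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def validity_window(issue_instant, skew_minutes=5):
    """(NotBefore, NotOnOrAfter) = IssueInstant -/+ skew, as the reply describes."""
    issued = parse_instant(issue_instant)
    delta = timedelta(minutes=skew_minutes)
    return fmt_instant(issued - delta), fmt_instant(issued + delta)


def build_response(issue_instant, skew_minutes=5, recipient="https://exampleapp.com",
                   name_id="myuser@company.org"):
    """Constructed response (hypothetical IDs) in the shape of the snippet above."""
    not_before, not_on_or_after = validity_window(issue_instant, skew_minutes)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_constructed-response-id" Version="2.0" IssueInstant="{issue_instant}" Destination="{recipient}">
  <saml:Assertion ID="_constructed-assertion-id" Version="2.0" IssueInstant="{issue_instant}">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="{not_on_or_after}" Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction>
        <saml:Audience>{recipient}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_time_conditions(xml_text, now, sp_tolerance_seconds=0):
    """SP-side check: NotBefore is inclusive, NotOnOrAfter is exclusive.
    sp_tolerance_seconds is an assumed knob for the SP's own clock tolerance.
    Returns (accepted, reason)."""
    root = ET.fromstring(xml_text)
    cond = root.find(".//saml:Conditions", NS)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return False, "missing Conditions or SubjectConfirmationData"
    tol = timedelta(seconds=sp_tolerance_seconds)
    # Conditions/NotBefore is optional in SAML 2.0; only enforce it when present.
    if cond.get("NotBefore") is not None and now < parse_instant(cond.get("NotBefore")) - tol:
        return False, "assertion not yet valid"
    if cond.get("NotOnOrAfter") is not None and now >= parse_instant(cond.get("NotOnOrAfter")) + tol:
        return False, "assertion expired (Conditions)"
    # Bearer confirmation carries its own deadline and must be checked separately.
    if scd.get("NotOnOrAfter") is not None and now >= parse_instant(scd.get("NotOnOrAfter")) + tol:
        return False, "bearer confirmation expired"
    return True, "within validity window"


if __name__ == "__main__":
    resp = build_response("2019-04-12T00:52:48Z")
    print(validity_window("2019-04-12T00:52:48Z"))
    for t in ("2019-04-12T00:52:48Z", "2019-04-12T00:57:48Z"):
        print(t, check_time_conditions(resp, parse_instant(t)))
```

Two points the check makes visible: NotOnOrAfter is an exclusive bound, so an assertion presented at exactly 00:57:48 is already rejected, and the SP's own tolerance only widens what it accepts, so raising the IdP skew and the SP tolerance together lengthens the replay window on both ends. Keeping the IdP skew at the default and fixing clock drift with NTP is the safer way to resolve "not yet valid" errors at the SP.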
