Hello,

We have run into a silly problem with the CAS client a couple of times. One of our application servers had its clock go out of sync, and so the SAML ticket validation response was invalid as the time on the server was outside the valid time range stamped on the response.

My understanding is that the SAML response is stamped with a time range representing CAS server *now* to now+1 minute.

Case 1: If the client server is running slightly behind the CAS server, the response will be in the client's future and will be denied.

Case 2: If the client server is running over a minute ahead of the CAS server, the response will be in the past and will be denied.

My request is to loosen things up for case 1, by stamping the SAML response with the time range *now minus 5 seconds* to now+1 minute.

Reasonable idea?

Thanks
Dale
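The two cases from the message above, modelled as an added example (not part of the original post and not CAS code). The function names, the `tolerance` parameter and the timestamp are assumptions made for illustration, and network latency is ignored.

```python
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(minutes=1)  # window length described in the message


def issue_conditions(server_now, backdate=timedelta(0)):
    """Stamp the validity window as the server would.

    backdate=0 models the current behaviour (now .. now+1 min);
    backdate=5s models the proposal (now-5s .. now+1 min).
    """
    return server_now - backdate, server_now + VALIDITY


def check_conditions(not_before, not_on_or_after, client_now,
                     tolerance=timedelta(0)):
    """Client-side window check using the client's own clock.

    `tolerance` is a hypothetical client-side skew allowance, shown as the
    alternative to backdating on the server.
    """
    if client_now + tolerance < not_before:
        return "not_yet_valid"   # case 1: client clock behind the server
    if client_now - tolerance >= not_on_or_after:
        return "expired"         # case 2: client clock too far ahead
    return "ok"


def simulate(client_offset_seconds, backdate_seconds=0, tolerance_seconds=0):
    """Validate a freshly issued response on a client whose clock is
    offset from the server by client_offset_seconds (negative = behind)."""
    # Constructed timestamp; only the differences matter.
    server_now = datetime(2010, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    not_before, not_on_or_after = issue_conditions(
        server_now, timedelta(seconds=backdate_seconds))
    client_now = server_now + timedelta(seconds=client_offset_seconds)
    return check_conditions(not_before, not_on_or_after, client_now,
                            timedelta(seconds=tolerance_seconds))


if __name__ == "__main__":
    print("offset  current         backdated 5s    client tolerance 5s")
    for offset in (-10, -3, 30, 62, 90):
        print(f"{offset:>6}  {simulate(offset):<14}  "
              f"{simulate(offset, backdate_seconds=5):<14}  "
              f"{simulate(offset, tolerance_seconds=5)}")
```

Backdating by 5 seconds only helps clients that are less than 5 seconds behind, and every second of backdating or tolerance lengthens the interval in which a captured response still validates, so clock synchronisation on the application servers remains the primary fix.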
