We have experienced this problem especially when using virtual machines/Solaris LDoms. It would help tremendously to set this on the server.
Thanks
Rhian

On Jun 15, 2010, at 9:25 AM, "Marvin Addison" <marvin.addi...@gmail.com> wrote:

>> My understanding is that the SAML response is stamped with a time range
>> representing CAS server *now* to now+1 minute.
>
> Looks like it's 30 seconds:
>
>     /** The amount of time in milliseconds this is valid for. */
>     private long issueLength = 30000;
>
>> My request is to loosen things up for case 1, by stamping the SAML
>> response with the time range *now minus 5 seconds* to now+1 minute.
>
> That's a promising idea; I recommend we take it a step further and
> define a configurable tolerance parameter that creates a +/- offset from
> the current time:
>
>     final SAMLAssertion samlAssertion = new SAMLAssertion();
>     samlAssertion.setIssueInstant(currentDate);
>     samlAssertion.setIssuer(this.issuer);
>     samlAssertion.setNotBefore(
>         new Date(currentDate.getTime() - this.tolerance));
>     samlAssertion.setNotOnOrAfter(
>         new Date(currentDate.getTime() + this.tolerance + this.issueLength));
>
> I believe this could obsolete the tolerance parameter in the
> Saml11TicketValidator of the Java CAS client. Moving configuration
> from the client to the server has obvious benefits. If we move
> forward with this plan, we should consider a reasonable default
> tolerance value. I think there is evidence that the 1 second default
> value in the Java client is too strict. I think 5s sounds about
> right.
>
> M
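
The effect of the proposed server-side tolerance on clients with skewed clocks, as an added example that is not part of the thread or of the CAS code base. `SamlWindowDemo`, `Window`, `stamp` and `accepts` are hypothetical names, and the timestamp and skew values are constructed; the 30000 ms issue length and the 5 s tolerance are the values mentioned in the thread.

```java
import java.time.Duration;
import java.time.Instant;

/** Added illustration; class and method names are hypothetical, not CAS APIs. */
public class SamlWindowDemo {

    /** Validity window stamped by the server: [notBefore, notOnOrAfter). */
    record Window(Instant notBefore, Instant notOnOrAfter) {}

    /** Mirrors the proposal: now - tolerance .. now + tolerance + issueLength. */
    static Window stamp(Instant serverNow, Duration issueLength, Duration tolerance) {
        return new Window(serverNow.minus(tolerance),
                          serverNow.plus(tolerance).plus(issueLength));
    }

    /** Client-side check: NotBefore is inclusive, NotOnOrAfter is exclusive. */
    static boolean accepts(Window w, Instant clientNow) {
        return !clientNow.isBefore(w.notBefore())
                && clientNow.isBefore(w.notOnOrAfter());
    }

    public static void main(String[] args) {
        Instant serverNow = Instant.parse("2010-06-15T13:25:00Z"); // constructed sample time
        Duration issueLength = Duration.ofMillis(30000);           // value quoted in the thread
        Duration[] tolerances = { Duration.ZERO, Duration.ofSeconds(5) };
        // Client clock offset relative to the server, in seconds (constructed values).
        long[] skews = { -8, -3, 0, 20, 33, 40 };

        for (Duration tol : tolerances) {
            Window w = stamp(serverNow, issueLength, tol);
            System.out.printf("tolerance=%ds window=[%s, %s)%n",
                    tol.getSeconds(), w.notBefore(), w.notOnOrAfter());
            for (long skew : skews) {
                Instant clientNow = serverNow.plusSeconds(skew);
                System.out.printf("  client skew %+4ds -> %s%n",
                        skew, accepts(w, clientNow) ? "accepted" : "rejected");
            }
        }
    }
}
```

With zero tolerance a client whose clock runs 3 s behind the server rejects the assertion as not yet valid; with a 5 s tolerance it is accepted. The tolerance is added at both ends, so the total validity period grows from 30 s to 40 s, which also lengthens the window in which a captured assertion would still validate.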