Tolerance is configurable in the Java client. Is that not working? It should be applied to both the begin and after time.

Cheers,
Scott

On Mon, Jun 14, 2010 at 6:15 PM, Dale Ogilvie <[email protected]> wrote:
> Hello,
>
> We have run into a silly problem with the CAS client a couple of times.
> One of our application servers had its clock go out of sync, and so the
> SAML ticket validation response was invalid as the time on the server
> was outside the valid time range stamped on the response.
>
> My understanding is that the SAML response is stamped with a time range
> representing CAS server *now* to now+1 minute.
>
> Case 1: If the client server is running slightly behind the CAS server,
> the response will be in the client's future and will be denied.
> Case 2: If the client server is running over a minute ahead of the CAS
> server, the response will be in the past and will be denied.
>
> My request is to loosen things up for case 1, by stamping the SAML
> response with the time range *now minus 5 seconds* to now+1 minute.
>
> Reasonable idea?
>
> Thanks
>
> Dale
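The two failure cases and the two remedies discussed in this thread (backdating the begin time on the server, or a tolerance applied to both ends on the client) can be compared side by side. This is an added example, not code from the CAS server or the Java client; the function names, the sample instant and the skew values are constructed for illustration, and the one-minute range is the one described in the thread.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample instant standing in for the CAS server's "now".
SERVER_NOW = datetime(2010, 6, 14, 6, 15, 0, tzinfo=timezone.utc)


def issue_window(server_now, backdate=timedelta(0), lifetime=timedelta(minutes=1)):
    """Server side: validity range stamped on the response.

    backdate=0 is the range described in the thread (now .. now+1 minute);
    backdate=5s is the proposed "now minus 5 seconds" variant.
    """
    return server_now - backdate, server_now + lifetime


def check_window(not_before, not_on_or_after, client_now, tolerance=timedelta(0)):
    """Client side: classify the response against the client's own clock.

    The tolerance is applied to both ends, moving the begin time earlier
    and the end time later by the same amount.
    """
    if client_now < not_before - tolerance:
        return "not_yet_valid"  # case 1: client clock behind the server
    if client_now >= not_on_or_after + tolerance:
        return "expired"        # case 2: client clock ahead of the server
    return "valid"


def scenario(client_skew_s, tolerance_s=0, backdate_s=0):
    """Run one exchange; client_skew_s < 0 means the client clock is behind."""
    not_before, not_on_or_after = issue_window(
        SERVER_NOW, backdate=timedelta(seconds=backdate_s))
    client_now = SERVER_NOW + timedelta(seconds=client_skew_s)
    return check_window(not_before, not_on_or_after, client_now,
                        timedelta(seconds=tolerance_s))


if __name__ == "__main__":
    rows = [(-3, 0, 0), (-3, 0, 5), (-3, 5, 0), (90, 0, 0), (90, 0, 5), (90, 60, 0)]
    for skew, tol, back in rows:
        print(f"skew={skew:+4d}s tolerance={tol:2d}s backdate={back}s ->",
              scenario(skew, tolerance_s=tol, backdate_s=back))
```

A tolerance also lengthens the period during which a response is accepted by the same amount, so it is best kept small and paired with clock synchronisation on the application servers.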
