Does the CAS SAML SP implementation (3.5.1 or newer) allow for/have clock skew on NotBefore? Being optional, can this CAS SAML SP implementation ignore NotBefore?
This CAS SP (3.5.1) is having a problem with occasional clock skew (here about two seconds) with the IdP (Shibboleth).

> 2015-09-09 13:05:11,863 DEBUG [org.jasig.cas.util.ServiceHelper] - Assertion issued at 2015-09-09T18:05:13.643Z
> 2015-09-09 13:05:11,863 DEBUG [org.jasig.cas.util.ServiceHelper] - Right now it's 2015-09-09T18:05:11.863Z
> 2015-09-09 13:05:11,863 DEBUG [org.jasig.cas.util.ServiceHelper] - NotBefore = 2015-09-09T18:05:13.643Z
> 2015-09-09 13:05:11,863 DEBUG [org.jasig.cas.util.ServiceHelper] - Assertion doesn't meet NotBefore condition.
> 2015-09-09 13:05:11,863 DEBUG [org.jasig.cas.util.ServiceHelper] - notBefore = 2015-09-09T18:05:13.643Z
> 2015-09-09 13:05:11,863 DEBUG [org.jasig.cas.util.ServiceHelper] - current time = 2015-09-09T18:05:11.863Z

One alternative might be to configure the IdP to disable sending NotBefore. Discussion threads on the topic suggest this is an SP bug and really should be fixed there. I have no control over the CAS SP.

Insights?

Thanks.
Tom.
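
The NotBefore comparison from the log above, sketched with a clock-skew tolerance. This is an added example, not part of the original post and not CAS code; the class name, the `check` method, the 5-second tolerance and the NotOnOrAfter value are assumptions made for illustration, and it uses `java.time` rather than whatever date library CAS 3.5.1 ships with.

```java
import java.time.Duration;
import java.time.Instant;

/** Added illustration, not CAS code: SAML Conditions window check with clock-skew tolerance. */
public class ConditionsSkewCheck {

    enum Result { VALID, NOT_YET_VALID, EXPIRED }

    /**
     * notBefore / notOnOrAfter may be null because both attributes are optional in SAML.
     * The window is widened by skew on both ends to absorb clock drift between IdP and SP.
     */
    static Result check(Instant notBefore, Instant notOnOrAfter, Instant now, Duration skew) {
        if (skew.isNegative()) {
            throw new IllegalArgumentException("skew must not be negative");
        }
        // Valid from notBefore (inclusive), minus the tolerance.
        if (notBefore != null && now.isBefore(notBefore.minus(skew))) {
            return Result.NOT_YET_VALID;
        }
        // Valid until notOnOrAfter (exclusive), plus the tolerance.
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter.plus(skew))) {
            return Result.EXPIRED;
        }
        return Result.VALID;
    }

    public static void main(String[] args) {
        // Timestamps taken from the log excerpt in the post.
        Instant notBefore = Instant.parse("2015-09-09T18:05:13.643Z");
        Instant now = Instant.parse("2015-09-09T18:05:11.863Z");
        // Constructed value: the post does not show NotOnOrAfter.
        Instant notOnOrAfter = notBefore.plus(Duration.ofMinutes(5));
        Duration tolerance = Duration.ofSeconds(5); // hypothetical setting

        System.out.println("SP clock is behind NotBefore by "
                + Duration.between(now, notBefore).toMillis() + " ms");
        // Strict comparison: the same decision the SP logged.
        System.out.println("skew 0s: " + check(notBefore, notOnOrAfter, now, Duration.ZERO));
        // Same assertion evaluated with the tolerance applied.
        System.out.println("skew 5s: " + check(notBefore, notOnOrAfter, now, tolerance));
        // The tolerance also stretches the expiry side, so it should stay small.
        System.out.println("3s past expiry, skew 5s: "
                + check(notBefore, notOnOrAfter, notOnOrAfter.plusSeconds(3), tolerance));
        System.out.println("6s past expiry, skew 5s: "
                + check(notBefore, notOnOrAfter, notOnOrAfter.plusSeconds(6), tolerance));
    }
}
```

Because the tolerance widens both ends of the validity window, it also lengthens the period in which a captured assertion would still be accepted, so it is normally kept to seconds and paired with NTP synchronisation on both hosts.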