SAML assertion timeout

Hello,
Could you let me know what could cause this exception?
“The SAML assertion is outside the valid time period.”
Thanks
The SAML assertion typically includes NotBefore and NotOnOrAfter conditions. This means that the SAML assertion is only valid for the specified time period. This helps detect replay attacks.
Make sure that the times are correct on both the identity provider server and service provider server. If they’re off by too much then this will cause the error you see.
If there’s still an issue, please enable SAML trace and send the generated log file to support@componentspace.com. We can then take a look at exactly what’s going on with the times.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Thanks. SP server time is 3 mins behind.

I guess this is the message that you would see when there is a replay attack?
“The SAML assertion is being replayed.”
Am I correct in saying assertions are by default valid for 1.5 minutes before and after?
How do I change before and after time limit in config?
That’s correct. The error message indicates the assertion has been replayed.
If you use our product to generate the SAML assertion then by default it’s valid for 3 minutes before and after now.
You can change this period by specifying an AssertionLifetime in the SAML configuration. The format is AssertionLifeTime=“hh:mm:ss”. The default is “00:03:00”, i.e. 3 minutes either side of now.
There is no default validity period for assertions across SAML offerings. However, typically a period of a few minutes is suitable.
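To make the two checks discussed in this thread concrete, here is an added example (my own illustration, not ComponentSpace code) of how a service provider can validate the NotBefore/NotOnOrAfter window of an assertion and detect a replayed assertion ID. The assertion XML, the IdP URL and the timestamps are constructed for the demonstration; the `skew` tolerance parameter and the in-memory replay cache are assumptions about how one might implement this, not a description of the product's internals. The lifetime parser follows the "hh:mm:ss" format quoted above.

```python
"""Added example: SAML assertion time-window validation and replay detection.
Everything below is illustrative; the sample assertion and times are made up."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: ID, issuer and times are invented for this example.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-assertion-1"
    IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:57:00Z" NotOnOrAfter="2024-01-01T12:03:00Z"/>
</saml:Assertion>"""


def parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_lifetime(value):
    """Parse an 'hh:mm:ss' lifetime such as "00:03:00" into a timedelta."""
    hours, minutes, seconds = (int(part) for part in value.strip('"').split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def lifetime_window(issue_instant, lifetime=parse_lifetime("00:03:00")):
    """Window an issuer would stamp on an assertion: lifetime either side of now."""
    return issue_instant - lifetime, issue_instant + lifetime


def _conditions(assertion_xml):
    root = ET.fromstring(assertion_xml)
    return root, root.find(f"{{{SAML_NS}}}Conditions")


def check_time_window(assertion_xml, now, skew=timedelta(0)):
    """Return (ok, reason). `skew` (an assumed tolerance) widens the window on
    both ends so a small IdP/SP clock difference does not reject valid logins;
    keep it small, since a wide window also lengthens the replay exposure."""
    _, cond = _conditions(assertion_xml)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now < parse_time(not_before) - skew:
        return False, "The SAML assertion is outside the valid time period (not yet valid)."
    if not_on_or_after is not None and now >= parse_time(not_on_or_after) + skew:
        return False, "The SAML assertion is outside the valid time period (expired)."
    return True, "ok"


class ReplayCache:
    """Remember each accepted assertion ID until its NotOnOrAfter has passed;
    seeing the same ID again inside that window is a replay."""

    def __init__(self):
        self._seen = {}  # assertion ID -> expiry time

    def check_and_record(self, assertion_xml, now, fallback_lifetime=parse_lifetime("00:03:00")):
        root, cond = _conditions(assertion_xml)
        assertion_id = root.get("ID")
        expiry = now + fallback_lifetime
        if cond is not None and cond.get("NotOnOrAfter"):
            expiry = parse_time(cond.get("NotOnOrAfter"))
        # Drop entries that can no longer be replayed so the cache stays bounded.
        self._seen = {aid: exp for aid, exp in self._seen.items() if exp > now}
        if assertion_id in self._seen:
            return False, "The SAML assertion is being replayed."
        self._seen[assertion_id] = expiry
        return True, "ok"


if __name__ == "__main__":
    idp_now = parse_time("2024-01-01T12:00:00Z")
    sp_four_min_behind = parse_time("2024-01-01T11:56:00Z")
    print(check_time_window(SAMPLE_ASSERTION, idp_now))
    print(check_time_window(SAMPLE_ASSERTION, sp_four_min_behind))
    print(check_time_window(SAMPLE_ASSERTION, sp_four_min_behind, skew=parse_lifetime("00:02:00")))
    cache = ReplayCache()
    print(cache.check_and_record(SAMPLE_ASSERTION, idp_now))
    print(cache.check_and_record(SAMPLE_ASSERTION, idp_now + timedelta(seconds=30)))
```

The second `check_time_window` call shows the situation from this thread: with the SP clock behind the IdP by more than the window, the assertion is rejected as not yet valid even though it was just issued. Fixing the clock (NTP on both servers) is the right remedy; widening the lifetime or skew only masks the drift and extends the time in which a captured assertion remains replayable.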

Yes we have been using your product since summer.
I am seeing a few replay attacks, which might be user error as they could be using the same session.
In this case we are the SP and I want the user to know they have to log in again. So when there is a replay attack I am thinking of redirecting to the SP SSO UI to initiate a new request.

Yes, that’s one option. Another is to display a generic error message and ask the user to try again.
These could be genuine replay attacks or it could be that users are hitting the browser’s back button during the SSO process.