Use Time Skew When Verifying SAML 1.1 Responses

Published June 15, 2017, last updated October 22, 2019

Note: SAML 1.1 will be deprecated soon. If you are working on a new integration, we strongly recommend that you use OIDC instead.

If you see error messages such as “The assertion is expired” or “The assertion is not valid yet” when validating a SAML response from Signicat, the consumer's current time is outside the validity period stated in the assertion's Conditions (its NotBefore and NotOnOrAfter attributes). This problem can often be solved by adjusting the time skew configuration setting.

For security reasons, the validity period of a SAML assertion is limited to 30 seconds, and its lifetime cannot be extended. A common problem is that the receiver's clock runs just one or two seconds behind real time while the actual redirection latency is shorter than that. The receiver (the SAML consumer) then sees the assertion as created “in the future”, and verification fails.

The time skew property shifts the SAML consumer's clock by the given number of seconds, so the whole validity window moves with it. It is an offset, not a tolerance: it makes verification less sensitive to a clock that runs behind (or ahead) on the consumer's end, but it does not make the 30-second window any longer. A normal setting for time skew is 5 seconds. If you see many errors of the type “the assertion is expired”, decrease the time skew. If you see many errors of the type “the assertion was created in the future”, increase the time skew.
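The check described above, as an added example that is not Signicat's code: it reads the Conditions element of a constructed SAML 1.1 assertion with a 30-second window and applies the time skew as an offset on the consumer's clock, as the text describes. The assertion, its timestamps, the scenario latencies and the clock errors are all made up for the example; the sign convention (skew added to the consumer's clock, so a positive value compensates for a clock that runs behind) is an assumption that follows the description above.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# SAML 1.1 assertions use the SAML 1.0 assertion namespace URI.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed assertion (not a real Signicat response): issued at 10:00:00Z
# with the 30-second validity window the article describes.
ISSUED_AT = datetime(2019, 10, 22, 10, 0, 0, tzinfo=timezone.utc)
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example" Issuer="example-issuer">
  <saml:Conditions NotBefore="2019-10-22T10:00:00Z" NotOnOrAfter="2019-10-22T10:00:30Z"/>
</saml:Assertion>"""


def parse_saml_utc(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the constructed Conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_window(assertion_xml: str) -> tuple:
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks a Conditions element with NotBefore/NotOnOrAfter")
    return parse_saml_utc(cond.get("NotBefore")), parse_saml_utc(cond.get("NotOnOrAfter"))


def window_seconds(assertion_xml: str) -> int:
    """Length of the validity window; the skew never changes this."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    return int((not_on_or_after - not_before).total_seconds())


def check_conditions(assertion_xml: str, consumer_now: datetime, time_skew_seconds: int = 0) -> str:
    """Return 'ok', 'not valid yet' or 'expired' for the consumer's view of 'now'.

    The skew is added to the consumer's clock before comparing (an offset, not a
    tolerance): a positive value compensates for a consumer clock that runs behind
    real time, a negative one for a clock that runs ahead. The window is not widened.
    """
    not_before, not_on_or_after = validity_window(assertion_xml)
    effective_now = consumer_now + timedelta(seconds=time_skew_seconds)
    if effective_now < not_before:
        return "not valid yet"              # the "created in the future" case
    if effective_now >= not_on_or_after:    # NotOnOrAfter is exclusive
        return "expired"
    return "ok"


def consumer_clock(real_latency_seconds: int, clock_error_seconds: int) -> datetime:
    """What the consumer's clock shows when the response arrives (assumed values).

    real_latency_seconds: true time between issuance and arrival at the consumer.
    clock_error_seconds: consumer clock minus true time (negative = clock runs behind).
    """
    return ISSUED_AT + timedelta(seconds=real_latency_seconds + clock_error_seconds)


def demo() -> dict:
    """The two situations from the article, each checked with and without a 5-second skew."""
    behind = consumer_clock(real_latency_seconds=1, clock_error_seconds=-2)   # clock 2 s slow
    ahead = consumer_clock(real_latency_seconds=24, clock_error_seconds=4)    # clock 4 s fast
    return {
        "clock behind, skew 0": check_conditions(ASSERTION_XML, behind, 0),
        "clock behind, skew 5": check_conditions(ASSERTION_XML, behind, 5),
        "clock ahead, skew 5": check_conditions(ASSERTION_XML, ahead, 5),
        "clock ahead, skew 0": check_conditions(ASSERTION_XML, ahead, 0),
        "window seconds": window_seconds(ASSERTION_XML),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the consumer clock two seconds slow, a skew of 0 reports the assertion as not valid yet and a skew of 5 accepts it; with the clock four seconds fast and a long redirect, a skew of 5 reports it as expired and a skew of 0 accepts it, which is the tuning rule given above. In both cases the window stays 30 seconds wide, so shifting it does not lengthen the period during which a captured assertion could be replayed.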

Preferably, though, make sure your servers are NTP synchronised at all times. A time skew value that has to keep growing is a symptom of a clock that is drifting, not a setting to tune around.
