
Clock Drift and NotBefore


We are frequently seeing SAML response validation errors when the SP clock becomes out of sync with the IdP. Many other libraries have exposed some sort of acceptedClockSkew field in order to handle this case.

Are there any plans to update the library to handle clock skew (it should be a fairly small change) / are there any ways to disable validation, so we can perform it manually?

Example:


Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

1 reaction
tngan commented, Jun 26, 2019

@keerthivasan-r Usually the expiration time for a SAML response is around 5 minutes to 10 minutes; the clock skew for notAfter is actually useless in this case, because the notBefore check is relatively close to the issued time of the response.

UPDATE: this feature will be implemented and included in the next patch release

notBeforeSkew would be a number instead of a boolean
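
The tolerance discussed in this thread, written as a stand-alone check of the `NotBefore` / `NotOnOrAfter` window (an added example, not part of the original thread and not samlify's code). The names `checkConditions`, `notBeforeSkewMs`, `notOnOrAfterSkewMs`, `MAX_SKEW_MS` and the five-minute cap are assumptions made for illustration.

```javascript
// Added example: names and limits below are assumptions, not samlify's API.
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed cap: every ms of skew extends the replay window
// SAML time values are expressed in UTC, so only "Z"-suffixed instants are accepted.
const UTC_DATETIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/;

// Parse a SAML xs:dateTime string; returns NaN for anything that is not a UTC instant.
function parseInstant(value) {
  return typeof value === 'string' && UTC_DATETIME.test(value) ? Date.parse(value) : NaN;
}

// Check <Conditions NotBefore=... NotOnOrAfter=...> against the SP clock.
function checkConditions(cond, { nowMs = Date.now(), notBeforeSkewMs = 0, notOnOrAfterSkewMs = 0 } = {}) {
  for (const skew of [notBeforeSkewMs, notOnOrAfterSkewMs]) {
    if (!Number.isInteger(skew) || skew < 0 || skew > MAX_SKEW_MS) {
      throw new RangeError(`skew must be an integer in [0, ${MAX_SKEW_MS}] ms`);
    }
  }
  const hasNb = cond.notBefore !== undefined;
  const hasNa = cond.notOnOrAfter !== undefined;
  // Fail closed when the document carries no valid range at all.
  if (!hasNb && !hasNa) return { valid: false, reason: 'NO_VALID_RANGE' };

  const nb = hasNb ? parseInstant(cond.notBefore) : -Infinity;
  const na = hasNa ? parseInstant(cond.notOnOrAfter) : Infinity;
  if (Number.isNaN(nb) || Number.isNaN(na) || nb >= na) {
    return { valid: false, reason: 'MALFORMED_RANGE' };
  }
  // SP clock behind the IdP: let "now" be up to notBeforeSkewMs early.
  if (nowMs + notBeforeSkewMs < nb) return { valid: false, reason: 'NOT_YET_VALID' };
  // NotOnOrAfter is exclusive: the assertion is already expired at that instant.
  if (nowMs - notOnOrAfterSkewMs >= na) return { valid: false, reason: 'EXPIRED' };
  return { valid: true, reason: 'OK' };
}

// Constructed sample: five-minute window, SP clock 30 s behind the IdP.
const sample = { notBefore: '2019-06-26T10:00:00Z', notOnOrAfter: '2019-06-26T10:05:00Z' };
const spNow = Date.parse('2019-06-26T09:59:30Z');
console.log(checkConditions(sample, { nowMs: spNow }));                         // strict check
console.log(checkConditions(sample, { nowMs: spNow, notBeforeSkewMs: 60000 })); // 60 s allowance
```

Keeping the two allowances separate and small matters because any skew applied to `NotOnOrAfter` lengthens the time a captured response stays acceptable.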

0 reactions
fas3r commented, Feb 10, 2020

Hello @tngan ,

I’m sorry to ask here, but as it’s related I can open a new issue if you want.

I don’t know if you remember, but I wrote the Okta article, and at that time I was still using the 2.5 and I just migrated to 2.7.1.

However, now I’m getting the warning "You intend to have time validation however the document doesn't include the valid range".

I checked in the Okta application and I don’t see how to set NotBefore and notAfter. Is it something that I need to create on my own with the template & attribute?

I’m using the import * as validator from '@authenio/samlify-xsd-schema-validator'; by default.

Thanks


Top Results From Across the Web

  • Adjust clock drift to avoid notbefore time errors when ... - GitLab
    This error is presented after logging in with the connected identity provider and being redirected back to GitLab. Proposal. Track down this ...
  • Allow clock drift when validating NotBefore and NotOnOrAfter ...
    The idea is to add a new setting to the 'onelogin.saml.properties' with the clock drift value, by default 180 (3min), and use it...
  • NotBefore condition in assertions
    2) Assuming IdP & SP are synced to GPS clock, would 20ms network delay help in covering for IdP clock drift...
  • SAML Assertion NotBefore,NotOnOrAfter problem due to ...
    As a solution to this, consumer of the time stamp should allow for a little clock skew to account for small clock drifts...
  • Clock drift - Wikipedia
    Clock drift refers to several related phenomena where a clock does not run at exactly the same rate as a reference clock. That...
