Clock Drift and NotBefore
We are frequently seeing SAML response validation errors when the SP clock becomes out of sync with the IdP. Many other libraries have exposed some sort of `acceptedClockSkew` field in order to handle this case.
Are there any plans to update the library to handle clock skew (it should be a fairly small change) / are there any ways to disable validation, so we can perform it manually?
Example:
See similar issues:
Issue Analytics
- State:
- Created 4 years ago
- Comments:7 (3 by maintainers)
Top GitHub Comments
@keerthivasan-r Usually the expiration time for a SAML response is around 5 minutes to 10 minutes, the clock skew for notAfter is actually useless in this case, because the `notBefore` check is relatively close to the issued time of response.

UPDATE: this feature will be implemented and included in the next patch release

`notBeforeSkew` would be a number instead of a boolean

Hello @tngan,
I'm sorry to ask here, but as it's related I can open a new issue if you want.
I don't know if you remember, but I wrote the Okta article and at that time I was still using the 2.5 and I just migrated to 2.7.1.
However, now I'm getting the warning
You intend to have time validation however the document doesn't include the valid range
I checked in the Okta application and I don't see how to set `NotBefore` and `notAfter`. Is it something that I need to create on my own with the template & attribute?
I'm using the `import * as validator from '@authenio/samlify-xsd-schema-validator';` by default.
Thanks
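
The check discussed in this thread, as an added example that is not part of the thread and is not samlify's code: a skew-tolerant test of a SAML `Conditions` window that takes the tolerance as a bounded number of milliseconds and reports a missing validity range explicitly. The function name, option names, the 5-minute cap and the timestamps are assumptions made for illustration.

```javascript
// Added example: checkValidityWindow and its option names are hypothetical,
// not samlify's API. Timestamps below are constructed sample values.
const MAX_SKEW_MS = 5 * 60 * 1000; // refuse tolerances wider than 5 minutes

function parseInstant(value) {
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) throw new TypeError(`unparseable timestamp: ${value}`);
  return ms;
}

function checkValidityWindow(conditions, opts = {}) {
  const { notBeforeSkewMs = 0, notOnOrAfterSkewMs = 0,
          now = Date.now(), requireWindow = true } = opts;
  for (const skew of [notBeforeSkewMs, notOnOrAfterSkewMs]) {
    // A boolean or an unbounded value is rejected: skew must be a small number.
    if (!Number.isInteger(skew) || skew < 0 || skew > MAX_SKEW_MS) {
      throw new RangeError(`skew must be an integer in 0..${MAX_SKEW_MS} ms`);
    }
  }
  const { notBefore, notOnOrAfter } = conditions;
  if (notBefore === undefined && notOnOrAfter === undefined) {
    // No validity range in the document: the caller decides, default is reject.
    return requireWindow ? { ok: false, reason: 'missing-window' }
                         : { ok: true, reason: 'no-window' };
  }
  // NotBefore is inclusive: valid once the (skew-advanced) SP clock reaches it.
  if (notBefore !== undefined && now + notBeforeSkewMs < parseInstant(notBefore)) {
    return { ok: false, reason: 'not-yet-valid' };
  }
  // NotOnOrAfter is exclusive: invalid at that instant and later.
  if (notOnOrAfter !== undefined && now - notOnOrAfterSkewMs >= parseInstant(notOnOrAfter)) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, reason: 'within-window' };
}

// Constructed case: the IdP clock runs 90 s ahead of the SP clock.
const SAMPLE_CONDITIONS = {
  notBefore: '2024-01-01T12:01:30Z',
  notOnOrAfter: '2024-01-01T12:06:30Z',
};
const SP_NOW = Date.parse('2024-01-01T12:00:00Z');

console.log(checkValidityWindow(SAMPLE_CONDITIONS, { now: SP_NOW }));
console.log(checkValidityWindow(SAMPLE_CONDITIONS, { now: SP_NOW, notBeforeSkewMs: 120000 }));
console.log(checkValidityWindow({}, { now: SP_NOW }));
```

Keeping the tolerance small matters because every millisecond of skew also widens the period in which a captured assertion is still accepted.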