Symantec Access Management

  • 1.  SAML IssueInstant and AuthnInstant

    Posted Aug 24, 2016 02:06 PM

    Hi All,

    We are acting as IDP and we have a maxTimeout setting of 6 hrs, and the partner SP has a security setting of 2 hrs.

    Request flow: the user logs in to the system, navigates on the IDP side, and then clicks on the SP link to establish SSO with the SP.

    Issue: the user logs in to the IDP, navigates on the website, and clicks on the SP link after 3 hours. The generated SAML gives the timestamp of when the user logged in for the first time:

    <ns2:AuthnStatement AuthnInstant="2016-08-24T16:28:23Z" (time of authentication for the first time)

    IssueInstant="2016-08-24T19:41:29Z" (time when the user clicks on the SP link)

              Version="2.0"

    Now, because the partner has a 2 hrs security setting, they are considering this request a failed request.

    Is there a way in SiteMinder we can send the IssueInstant time as the AuthnInstant time? This way the generated SAML will not fail on the SP side. Or any other suggestion to handle this issue.

    Thank you



  • 2.  Re: SAML IssueInstant and AuthnInstant
    Best Answer

    Posted Aug 24, 2016 06:52 PM

    Hi,

    I believe this violates the SAML specification if we send IssueInstant as AuthnInstant.

    Based on the following documentation:

    http://docs.oasis-open.org/security/saml/Post2.0/saml-session-token/v1.0/csd01/saml-session-token-v1.0-csd01.html

    it mentions:

    AuthnInstant [Required]

    The SA MUST set the AuthnInstant to the time authentication occurred, as defined in [SAML2Core]. The SC MAY use this value to implement a maximum login time.

    Therefore, I don't think we can do that.

    Increasing the SP side timeout is something I can think of. As the SP provides the service, I presume they can accommodate the IDP's (customer's) request.

    Hope this helps.

    Regards,

    Kar Meng



  • 3.  Re: SAML IssueInstant and AuthnInstant

    Posted Aug 24, 2016 07:01 PM

    Hi Richard,

    You can manage the duration of the authentication session at the Service Provider. The SessionNotOnOrAfter attribute is an optional attribute that the IdP can include in the <AuthnStatement> of an assertion. The configuration for session validity is done at the IdP.

    Note: The SessionNotOnOrAfter parameter is different from the NotOnOrAfter parameter, which determines how long the assertion is valid.

    A third-party SP can use the value of the SessionNotOnOrAfter to set its own timeout values, helping to ensure that sessions are not too short. If a user session becomes invalid, the user has to reauthenticate at the Identity Provider.

    Important! If CA SiteMinder® is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, a CA SiteMinder® SP sets session timeouts from the realm timeout that corresponds to the SAML authentication scheme protecting the target resource.

    Follow these steps:

    1. Log in to the Administrative UI.
    2. Select the IdP->SP partnership you want to modify.
    3. Navigate to the SSO and SLO step.
    4. In the SSO section, select the option for the SP Session Validity Duration. If you select the customize option, you can select several options.

      Click Help for the field descriptions.

    5. Select the Confirm step after you complete your changes and click Finish.
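The two checks discussed in this thread, the partner SP's maximum authentication age (tested against AuthnInstant, which is why re-stamping it with IssueInstant is the wrong fix) and the SessionNotOnOrAfter session-length hint from the last reply, as an added example written for this page. It is not SiteMinder, CA or Symantec code; the assertion text, the SP's time limits and the issuer URL are constructed, reusing the timestamps quoted in the question.

```python
"""SP-side freshness checks on a SAML 2.0 assertion (added example, not vendor code).

Shows what a relying party that enforces a maximum authentication age
actually tests (AuthnInstant, not IssueInstant), and how the optional
SessionNotOnOrAfter differs from the Conditions NotOnOrAfter that bounds
the assertion itself. Namespaces are the standard SAML 2.0 ones; the
assertion below is constructed from the timestamps in the thread.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # on untrusted input prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed assertion: AuthnInstant is the original login at the IdP,
# IssueInstant is when the user clicked the SP link about 3h13m later.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_constructed-example-id" IssueInstant="2016-08-24T19:41:29Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2016-08-24T19:40:29Z"
                   NotOnOrAfter="2016-08-24T19:46:29Z"/>
  <saml:AuthnStatement AuthnInstant="2016-08-24T16:28:23Z"
                       SessionNotOnOrAfter="2016-08-24T22:28:23Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML xsd:dateTime (UTC, trailing 'Z') into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be in UTC with a trailing 'Z'")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _opt_ts(element, attr):
    """Optional timestamp attribute: None when the element or attribute is absent."""
    if element is None or element.get(attr) is None:
        return None
    return parse_ts(element.get(attr))


def extract_times(xml_text):
    """Pull the four timestamps an SP cares about out of an assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        raise ValueError("assertion has no AuthnStatement")
    return {
        "IssueInstant": parse_ts(root.get("IssueInstant")),  # when the assertion was minted
        "NotOnOrAfter": _opt_ts(cond, "NotOnOrAfter"),  # end of the assertion's validity window
        "AuthnInstant": parse_ts(authn.get("AuthnInstant")),  # when the user actually logged in
        "SessionNotOnOrAfter": _opt_ts(authn, "SessionNotOnOrAfter"),  # IdP hint for SP session length
    }


def evaluate(times, now, max_authn_age_seconds, clock_skew_seconds=60):
    """Decide whether to accept the assertion.

    Returns (accepted, reasons, authn_age) where authn_age is a timedelta.
    The age test deliberately uses AuthnInstant: an assertion freshly issued
    for a login that happened hours ago still describes an old login.
    """
    reasons = []
    skew = timedelta(seconds=clock_skew_seconds)
    if times["NotOnOrAfter"] is not None and now >= times["NotOnOrAfter"] + skew:
        reasons.append("assertion expired: now is past Conditions/NotOnOrAfter")
    authn_age = now - times["AuthnInstant"]
    limit = timedelta(seconds=max_authn_age_seconds)
    if authn_age > limit:
        reasons.append(f"authentication too old: {authn_age} exceeds {limit}")
    return (not reasons, reasons, authn_age)


def sp_session_end(times, now, sp_default_lifetime_seconds):
    """SP session expiry: the SP's own default, shortened by SessionNotOnOrAfter if the IdP sent one."""
    end = now + timedelta(seconds=sp_default_lifetime_seconds)
    hint = times["SessionNotOnOrAfter"]
    if hint is not None and hint < end:
        end = hint
    return end


if __name__ == "__main__":
    t = extract_times(SAMPLE_ASSERTION)
    now = t["IssueInstant"]  # evaluate as if received the moment it was issued
    for max_age in (2 * 3600, 6 * 3600):  # the partner's 2 hrs vs the IdP's 6 hrs
        ok, why, age = evaluate(t, now, max_age)
        print(f"max authn age {max_age // 3600}h: accepted={ok} age={age} {why}")
    print("SP session would end at", sp_session_end(t, now, 8 * 3600).isoformat())
```

With the thread's timestamps the login is 3h13m old when the SP receives it, so a 2-hour limit rejects it and a 6-hour limit accepts it, which is exactly the mismatch the two parties need to reconcile by configuration; the session-end helper shows how an SP that honours SessionNotOnOrAfter caps its own default lifetime to the IdP's hint.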