Layer 7 Access Management


SAML assertion is rejected by SP because of timestamp on AuthnStatement AuthnInstant is too old

  • 1.  SAML assertion is rejected by SP because of timestamp on AuthnStatement AuthnInstant is too old

    Posted 07-19-2018 11:55 AM

    Hello All,


    We are using CA SiteMinder as our IDP for our federations. We use the SiteMinder Web Agent Option Pack in our IDP environment. For a particular partnership, SAML assertions that were sent to the SP by our IDP are getting rejected because the AuthnStatement AuthnInstant is too old. This particular SAML assertion was generated on 07/17/2018 13:59:27, but the timestamp of the AuthnStatement AuthnInstant is set to 07/03/2018 14:58:27. We are not sure why the AuthnStatement AuthnInstant timestamp is set that way.


    <ns2:AuthnStatement AuthnInstant="2018-07-03T14:58:27Z" SessionIndex="pII5eRFB8NEiOVlQLQaHJMa+pvk=XNhWIw==" SessionNotOnOrAfter="2018-07-18T17:59:57Z">
        <ns2:AuthnContext>
            <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
        </ns2:AuthnContext>
    </ns2:AuthnStatement>


    When we try accessing the same partnership in a "New Browser Session", it sets the actual access timestamp on the AuthnStatement AuthnInstant and the SP is able to consume the assertion. But when we try to access the same partnership in a "New window" or "New Tab", we end up with the timestamp of the AuthnStatement AuthnInstant set to 07/03/2018 14:58:27. We tried clearing all cookies, browsing history and cache from the browser and even tried closing the browser and re-opening it. But we are still having the issue.


    Any thoughts?


    Environment:

    SM WAOP : 12.50

    SMPS: 12.52 SP1 CR06


    Thank you,

    Naveen



  • 2.  Re: SAML assertion is rejected by SP because of timestamp on AuthnStatement AuthnInstant is too old

    Posted 07-20-2018 03:13 AM

    Hi Naveen,


    Refer: SAML IssueInstant and AuthnInstant


    http://docs.oasis-open.org/security/saml/Post2.0/saml-session-token/v1.0/csd01/saml-session-token-v1.0-csd01.html

    It mentions:


    AuthnInstant [Required]

    The SA MUST set the AuthnInstant to the time authentication occurred, as defined in [SAML2Core]. The SC MAY use this value to implement a maximum login time.


    Regards,

    Leo Joseph.
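The "maximum login time" check that the quoted spec text allows the session consumer (the SP) to enforce, written out as an added Python example. This is illustration code, not SiteMinder's or the thread's own code: the assertion fragment is constructed to mirror the timestamps Naveen quoted (AuthnInstant two weeks older than IssueInstant), and the 8-hour limit, the 2-minute clock skew and the evaluation time are assumptions standing in for what a real SP would read from its configuration. It shows why such an assertion is rejected while an otherwise identical one with a fresh AuthnInstant is accepted, and that the AuthnInstant limit is independent of SessionNotOnOrAfter.

```python
"""SP-side evaluation of a SAML 2.0 AuthnStatement's AuthnInstant.

Added illustration, not CA SiteMinder's or the thread's code. Policy
values (MAX_AUTHN_AGE, clock skew, EVALUATION_TIME) are assumptions.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the thread: AuthnInstant is two weeks
# older than IssueInstant, but the session window has not yet expired.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2018-07-17T13:59:27Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2018-07-03T14:58:27Z"
      SessionIndex="_constructed-session"
      SessionNotOnOrAfter="2018-07-18T17:59:57Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Assumed SP policy: re-authentication required after 8 hours, 2 minutes
# of tolerated clock difference between IdP and SP.
MAX_AUTHN_AGE = timedelta(hours=8)
CLOCK_SKEW = timedelta(minutes=2)
# Assumed moment the SP processes the assertion (just after issuance).
EVALUATION_TIME_TEXT = "2018-07-17T14:00:00Z"


def parse_saml_time(value):
    """Parse a SAML xs:dateTime; SAML 2.0 requires UTC with a trailing 'Z'."""
    if value is None or not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC ('Z'): %r" % value)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable SAML timestamp: %r" % value)


def check_authn_statement(assertion_xml, now, max_authn_age, clock_skew=CLOCK_SKEW):
    """Return (ok, reason) for the first AuthnStatement, evaluated at 'now'.

    Three independent tests, each tolerating clock_skew:
      1. AuthnInstant may not lie after IssueInstant (authentication cannot
         postdate the assertion that reports it);
      2. AuthnInstant may not be older than max_authn_age (the spec's
         "maximum login time");
      3. the session may not have passed SessionNotOnOrAfter.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None:
        return False, "assertion carries no AuthnStatement"
    issue_instant = parse_saml_time(root.get("IssueInstant"))
    authn_instant = parse_saml_time(stmt.get("AuthnInstant"))

    if authn_instant > issue_instant + clock_skew:
        return False, "AuthnInstant is after IssueInstant"
    age = now - authn_instant
    if age > max_authn_age + clock_skew:
        return False, "AuthnInstant too old: authenticated %s ago, limit %s" % (age, max_authn_age)
    not_on_or_after = stmt.get("SessionNotOnOrAfter")
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after) + clock_skew:
        return False, "session expired (SessionNotOnOrAfter)"
    return True, "ok"


def evaluate_sample(authn_instant="2018-07-03T14:58:27Z"):
    """Evaluate the constructed assertion with AuthnInstant swapped in."""
    xml = SAMPLE_ASSERTION.replace('AuthnInstant="2018-07-03T14:58:27Z"',
                                   'AuthnInstant="%s"' % authn_instant)
    return check_authn_statement(xml, parse_saml_time(EVALUATION_TIME_TEXT), MAX_AUTHN_AGE)


if __name__ == "__main__":
    # The stale AuthnInstant from the thread is rejected even though
    # SessionNotOnOrAfter is still in the future ...
    print(evaluate_sample())
    # ... while the same assertion with a fresh AuthnInstant is accepted.
    print(evaluate_sample("2018-07-17T13:59:20Z"))
```

The rejection message names AuthnInstant rather than the session window, which is the distinction an SP log should make when triaging the error in the original post: the assertion is otherwise valid, and only the reported authentication time is out of policy.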



  • 3.  Re: SAML assertion is rejected by SP because of timestamp on AuthnStatement AuthnInstant is too old

    Posted 07-23-2018 04:29 PM

    Hi Leo,


    According to the SAML documentation, SA represents Session Authority and SC represents Session Consumer. In our case we are the IDP, using CA SiteMinder, and a third-party vendor is acting as the SP. So according to me, SA=IDP and SC=SP. Correct me if I am wrong.


    Thank you,

    Naveen