Ryan

Reputation: 591

Where does the SAML NotOnOrAfter Condition Originate?

I have a client where the NotOnOrAfter condition in the SAML response is always 5 minutes after login. The IdP is Okta and the SP is Shibboleth SP 3. I am not seeing anything on the Shibboleth side that adds this condition. I'm being told Okta isn't sending this, but I'm skeptical.

I even tried adding Ignore PolicyRules for it, but we still have a 5 minute timeout.

```xml
<PolicyRule type="Ignore">saml2:NotOnOrAfter</PolicyRule>
```

Does the IdP or SP add that timeout? Where can it be changed?

Here is the excerpt from the SAML response:

```xml
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userid</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_bb4020da3209979ab2c018077ec29894"
                                       NotOnOrAfter="2023-02-07T21:25:38.782Z"
                                       Recipient="https://sitename.com/Shibboleth.sso/SAML2/POST"/>
    </saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  NotBefore="2023-02-07T21:15:38.782Z"
                  NotOnOrAfter="2023-02-07T21:25:38.782Z">
    <saml2:AudienceRestriction>
        <saml2:Audience>https://sitename.com/shibboleth</saml2:Audience>
    </saml2:AudienceRestriction>
</saml2:Conditions>
```

Upvotes: 0

Views: 613

Answers (1)

Philipp Grigoryev

Reputation: 2143

I might be wrong, but it should correspond to your authentication policy (sign-on) session lifetime applied during user authentication.

Upvotes: 0
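Added illustration, not part of the question or the answer above: both NotOnOrAfter values in the posted excerpt live inside the assertion the IdP issues and signs, so the SP can only evaluate them against its own clock; it does not add them. The Python below was written for this page. It wraps the poster's excerpt in a constructed `<saml2:Assertion>` (the `ID` and `IssueInstant` values are assumed, chosen so the issue time sits in the middle of the window), reports the validity window, and runs the time checks an SP performs, with an optional clock-skew allowance. On this sample it shows a Conditions window 10 minutes wide that ends 5 minutes after the assumed issue time, and that NotOnOrAfter is an inclusive deadline: an assertion presented at exactly that instant is already rejected.

```python
"""Inspect and validate the time bounds of a SAML 2.0 assertion (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the excerpt from the question, wrapped in an Assertion element.
# ID and IssueInstant are assumed values for illustration, not taken from the question.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_assumed-assertion-id" Version="2.0"
                 IssueInstant="2023-02-07T21:20:38.782Z">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userid</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="_bb4020da3209979ab2c018077ec29894"
                                     NotOnOrAfter="2023-02-07T21:25:38.782Z"
                                     Recipient="https://sitename.com/Shibboleth.sso/SAML2/POST"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2023-02-07T21:15:38.782Z"
                    NotOnOrAfter="2023-02-07T21:25:38.782Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sitename.com/shibboleth</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>
"""


def parse_saml_instant(value):
    """Parse an xs:dateTime as SAML emits it ('Z' suffix, optional fraction) into aware UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() only accepts 'Z' from Python 3.11 on
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def time_bounds(assertion_xml):
    """Extract every time bound the IdP put into the assertion, plus derived window sizes."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml2:Conditions", NS)
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    issued = parse_saml_instant(root.get("IssueInstant"))
    not_before = parse_saml_instant(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_instant(conditions.get("NotOnOrAfter"))
    bearer_deadline = parse_saml_instant(scd.get("NotOnOrAfter"))
    return {
        "issued": issued,
        "not_before": not_before,
        "not_on_or_after": not_on_or_after,
        "bearer_not_on_or_after": bearer_deadline,
        # Width of the Conditions window and how long after issue it closes.
        "window_seconds": (not_on_or_after - not_before).total_seconds(),
        "seconds_after_issue": (not_on_or_after - issued).total_seconds(),
    }


def check_time_bounds(assertion_xml, now_iso, clock_skew_seconds=0):
    """Return the time-bound violations an SP would reject on (empty list means accepted).

    now_iso is the SP's clock as an ISO-8601 instant; clock_skew_seconds is the
    tolerance the SP grants for drift between its clock and the IdP's.
    """
    b = time_bounds(assertion_xml)
    now = parse_saml_instant(now_iso)
    skew = timedelta(seconds=clock_skew_seconds)
    problems = []
    # NotBefore is inclusive: the instant itself is valid.
    if now + skew < b["not_before"]:
        problems.append("Conditions/NotBefore not yet reached")
    # NotOnOrAfter is exclusive: the instant itself is already expired.
    if now - skew >= b["not_on_or_after"]:
        problems.append("Conditions/NotOnOrAfter passed")
    if now - skew >= b["bearer_not_on_or_after"]:
        problems.append("SubjectConfirmationData/NotOnOrAfter passed")
    return problems


if __name__ == "__main__":
    bounds = time_bounds(SAMPLE_ASSERTION)
    print("window (s):", bounds["window_seconds"], "closes after issue (s):", bounds["seconds_after_issue"])
    for instant in ("2023-02-07T21:20:00Z", "2023-02-07T21:25:38.782Z", "2023-02-07T21:27:00Z"):
        print(instant, check_time_bounds(SAMPLE_ASSERTION, instant, clock_skew_seconds=180))
```

Shibboleth's own session lifetime is a separate setting from these assertion bounds; the bounds only govern when the assertion itself may be presented, which is why rejecting at the deadline is correct behaviour rather than an SP-side timeout.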
