saml-dev message
Subject: Re: [saml-dev] Re: Clock Synchronization between IDP and SP


Thanks Brian/Conor. That was exactly what I was looking for.

Siddhartha

2009/3/30 Cahill, Conor P <conor.p.cahill@intel.com>

NTP. Both should sync their clocks to a good network time source.

 

At the same time, the IdP should not depend upon exact synchronization and allow for some clock drift as well as propagation delay in its calculations (e.g. don't depend upon the SP receiving the assertion within milliseconds of the IdP issuing it). I tend to assume that clocks can be as much as 5 minutes off in my calculations.

 

If such a time synchronization drift is not acceptable in your deployment, you need to ensure through out of band policy that all parties maintain good time synchronization with well synced clocks (if not the same clock source).

 

Conor

 

From: Siddhartha Purkayastha [mailto:kpsiddharth@gmail.com]
Sent: Monday, March 30, 2009 3:56 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Re: Clock Synchronization between IDP and SP

 

I figured the SAML response is totally based on the IDP clock. This means that there should be an explicit way to achieve clock synchronization between the IDP and SP.

Is there a standard way to achieve this?

Thanks.
Siddhartha

2009/3/30 Siddhartha Purkayastha <kpsiddharth@gmail.com>

Hello All,

I have been trying to find references on how the IssueInstant of the SAML request and the validity period of the assertion are synchronized, given that the two are generated in two different environments. I understand that the SP and IDP clocks need to be synchronized for security reasons, such as preventing reuse of stolen assertions.

However, I wanted to ask a more specific question. Given a SAML request, does the IDP generate the validity period relative to the IssueInstant provided to it by the SP or is it based on its own system clock?

It would be great if someone could point me to documentation/specs on the above.

Thanks,
Siddhartha
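The validation logic Conor describes above, as an added example that is not part of the original thread: the SP checks the assertion's IssueInstant, Conditions and bearer SubjectConfirmationData against its own clock, but widens every comparison by a tolerance so that a few minutes of IdP/SP drift plus transit delay through the browser do not reject a good assertion. The 5-minute default, the `check_assertion_time` / `effective_window_seconds` helper names and the sample assertion are all assumptions made for this example; the timestamps follow the UTC "Z" form SAML 2.0 requires.

```python
"""
Time-validity check for a SAML 2.0 assertion with a clock-skew allowance.

Added example (not code from the saml-dev thread). Assumes a minimal
saml:Assertion carrying IssueInstant, Conditions NotBefore/NotOnOrAfter and
a bearer SubjectConfirmationData NotOnOrAfter, all in UTC ("...Z").
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Tolerance the SP grants for IdP/SP clock drift plus propagation delay.
# Assumption for this example: 5 minutes, the rule of thumb from the reply.
DEFAULT_SKEW = timedelta(minutes=5)
NO_SKEW = timedelta(0)

_TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?\d*Z$"
)


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime in the UTC form SAML 2.0 mandates (trailing 'Z')."""
    m = _TS_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported SAML timestamp: {value!r}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    frac = m.group(7) or ""
    micros = int(frac.ljust(6, "0")) if frac else 0
    return datetime(y, mo, d, h, mi, s, micros, tzinfo=timezone.utc)


def utc(*args) -> datetime:
    """Convenience constructor for a UTC datetime (used for the demo clock)."""
    return datetime(*args, tzinfo=timezone.utc)


def check_assertion_time(assertion_xml: str, now: datetime,
                         skew: timedelta = DEFAULT_SKEW):
    """
    Return (ok, reason). `now` is the SP's own clock. Each bound is relaxed
    by `skew`: the IdP's IssueInstant may sit slightly in our future, an
    assertion may be accepted a little before its NotBefore and a little
    after its NotOnOrAfter, but never beyond the configured tolerance.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "not a saml:Assertion"

    # IssueInstant comes from the IdP's clock, not from the SP's request.
    issue_instant = parse_saml_instant(root.attrib["IssueInstant"])
    if issue_instant - now > skew:
        return False, "IssueInstant is further in the future than the allowed skew"

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "missing saml:Conditions"

    nb = cond.attrib.get("NotBefore")
    if nb is not None and now + skew < parse_saml_instant(nb):
        return False, "assertion not yet valid (Conditions/NotBefore)"

    noa = cond.attrib.get("NotOnOrAfter")
    if noa is not None and now - skew >= parse_saml_instant(noa):
        return False, "assertion expired (Conditions/NotOnOrAfter)"

    # Bearer confirmations carry their own expiry; it limits replay of a
    # captured assertion at the ACS and gets the same tolerance.
    for scd in root.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData",
            SAML_NS):
        scd_noa = scd.attrib.get("NotOnOrAfter")
        if scd_noa is not None and now - skew >= parse_saml_instant(scd_noa):
            return False, "bearer confirmation expired (SubjectConfirmationData)"

    return True, "ok"


def effective_window_seconds(assertion_xml: str,
                             skew: timedelta = DEFAULT_SKEW) -> float:
    """Seconds during which the SP will accept the assertion, skew included.
    Shows the security cost of tolerance: it widens the window on both ends."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    nb = parse_saml_instant(cond.attrib["NotBefore"])
    noa = parse_saml_instant(cond.attrib["NotOnOrAfter"])
    return ((noa - nb) + 2 * skew).total_seconds()


# Constructed sample: a 5-minute assertion issued on the IdP's clock at 08:00Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2009-03-30T08:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2009-03-30T08:05:00Z"
          Recipient="https://sp.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-03-30T08:00:00Z" NotOnOrAfter="2009-03-30T08:05:00Z"/>
</saml:Assertion>
"""

if __name__ == "__main__":
    # SP clocks that are in sync, 2 minutes behind, and 10 minutes ahead.
    for sp_now in (utc(2009, 3, 30, 8, 2), utc(2009, 3, 30, 7, 58),
                   utc(2009, 3, 30, 8, 10)):
        print(sp_now.isoformat(), check_assertion_time(SAMPLE_ASSERTION, sp_now))
    print("acceptance window with skew (s):", effective_window_seconds(SAMPLE_ASSERTION))
```

The SP clock 2 minutes behind the IdP is accepted only because of the tolerance; with `NO_SKEW` the same assertion is rejected as "from the future", which is the failure Conor warns about. The trade-off is visible in `effective_window_seconds`: a 5-minute assertion becomes a 15-minute replay window, so the tolerance should be the smallest value the deployment's NTP discipline allows, and the assertion lifetime should be set with the skew in mind.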

 