RE: [saml-dev] IDP clock skew issue

["Lucas, Mike" <Mike.Lucas@gwl.ca>]

I also did not understand the question. Usually the NotBefore and the NotOnOrAfter will be set by the issuer to some reasonable value so that a small amount of clock skew will not cause problems. Are you saying there is a particular system with a *known* amount of clock skew that you want to adjust for?

One useful thing I have also done is to spit out a warning (log message / email) if the NotBefore or NotOnOrAfter validation check is close to failing. This can help you fix clock skew caused by faulty server time prior to it becoming a problem.

-----Original Message-----
From: Cantor, Scott [mailto:cantor.2@osu.edu] 
Sent: April 7, 2014 11:42 AM
To: Vasu Y; saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] IDP clock skew issue

On 4/7/14, 12:26 PM, "Vasu Y" <vyal2k@yahoo.com> wrote:

>I need your advise on the following regarding clock skew:
>1) Should we also add the clock skew to SP's clock before checking 
>"NotOnAfter" conditions or is not needed in this case (because 
>NotOnAfter will occur couple after a couple of minutes of NotBefore)?

You need skew any time you check a timestamp, in either direction.

>2) If there is a case where the IDP clock could be slower, should we 
>subtract clock skew from SP's clock before doing NotBefore and 
>NotOnAfter validations? I have not seen people complaining about this issue.

I don't understand what that means. Skew is applied in the direction of comparison of the test, so if it's a check for NotOnOrAfter, you substract skew from the current time, and if you check NotBefore, you add to it. You err in the direction of validity.

-- Scott



---------------------------------------------------------------------
To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org