Re: [saml-dev] IDP clock skew issue

[Vasu Y <vyal2k@yahoo.com>]

Here is what i understood from this your reply. Let me know if i understood correctly.

Let's say if the Assertion contains 11:30 AM as NotBefore and 11:35 AM as NotOnAfter and SP sets a clock-skew of 2 minutes (120 seconds).

1) Case 1 - SP's current time is 11:27 AM

NotBefore check will fail as SP will add 2 minutes to its current time (11:29 < 11:30).

NotOnAfter condition will pas as SP will subtract 2 from its current time (11:25 < 11:35).

So, clockSkew should be increased to 3 minutes (or more) for the checks to succeed.

2) Case 2 - SP's current time is 11:33 AM

NotBefore check will pass as SP will add 2 minutes to its current time (11:35 > 11:30).

NotOnAfter condition will pas as SP will subtract 2 from its current time (11:31 < 11:35).

---

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Vasu Y <vyal2k@yahoo.com>; "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>
Sent: Monday, 7 April 2014 10:12 PM
Subject: Re: [saml-dev] IDP clock skew issue

On 4/7/14, 12:26 PM, "Vasu Y" <vyal2k@yahoo.com> wrote:

>I need your advise on the following regarding clock skew:
>1) Should we also add the clock skew to SP's clock before checking
>"NotOnAfter" conditions or is not needed in this case (because NotOnAfter
>will occur couple after a couple of minutes of NotBefore)?

You need skew any time you check a timestamp, in either direction.

>2) If there is a case where the IDP clock could be slower, should we
>subtract clock skew from SP's clock before doing NotBefore and NotOnAfter
>validations? I have not seen people complaining about this issue.

I don't understand what that means. Skew is applied in the direction of
comparison of the test, so if it's a check for NotOnOrAfter, you substract
skew from the current time, and if you check NotBefore, you add to it. You
err in the direction of validity.

-- Scott