OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: IDP clock skew issue

 It is recommended that IDP & SP clocks be synced with some central/reliable time servers (like NTP).
But still there could be cases when the IDP clock could be faster (by say couple of seconds). In such it is advised to add some clock skew (couple of seconds seconds) to the SP clock so that Assertion's "NotBefore" conditions validation by SP doesn't fail.

I need your advise on the following regarding clock skew:
1) Should we also add the clock skew to SP's clock before checking "NotOnAfter" conditions or is not needed in this case (because NotOnAfter will occur couple after a couple of minutes of NotBefore)?
2) If there is a case where the IDP clock could be slower, should we subtract clock skew from SP's clock before doing NotBefore and NotOnAfter validations? I have not seen people complaining about this issue.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]