Set the Skew Time for Single Sign-on

For Single Sign-on, the values of the SSO Validity Duration (the Validity Duration field on the SSO tab) and the Skew Time determine how the assertion generator calculates the total time that an assertion is valid. In the assertion document, the beginning and end of the validity interval are represented by the NotBefore and NotOnOrAfter values.

Note: The SSO Validity Duration is a different value from the SLO Validity Duration.

To determine the beginning of the validity interval, the assertion generator takes the system time when the assertion is generated and sets the IssueInstant value in the assertion according to this time. It then subtracts the Skew Time value from the IssueInstant value. The resulting time becomes the NotBefore value.

To determine the end of the validity interval, the assertion generator adds the Validity Duration value and the Skew Time value to the IssueInstant value. The resulting time becomes the NotOnOrAfter value. Times are relative to GMT.

For example, an assertion is generated at the Identity Provider at 1:00 GMT. The skew time is 30 seconds and the validity duration is 60 seconds, making the assertion validity interval between 12:59:30 GMT and 1:01:30 GMT. This interval begins 30 seconds prior to the time the assertion was generated and ends 90 seconds afterward.
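The following Python sketch is an added example, not code from the product. It reproduces the calculation above, recovers the skew and validity settings implied by an assertion's timestamps, and checks a given time against the interval. The SAML 2.0 namespace, the function names, the 2010-01-01 date, and the sample assertion are assumptions constructed for illustration.

```python
# Added example: function names and the sample assertion are constructed, not product output.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # assumption: SAML 2.0 assertion
FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamps are relative to GMT/UTC

def validity_window(issue_instant, skew_s, validity_s):
    """NotBefore = IssueInstant - skew; NotOnOrAfter = IssueInstant + validity + skew."""
    skew = timedelta(seconds=skew_s)
    return issue_instant - skew, issue_instant + timedelta(seconds=validity_s) + skew

def parse_ts(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def implied_settings(assertion_xml):
    """Recover (skew, validity) in seconds from an assertion's three timestamps."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    issued = parse_ts(root.get("IssueInstant"))
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    skew = int((issued - not_before).total_seconds())
    validity = int((not_on_or_after - issued).total_seconds()) - skew
    return skew, validity

def is_within_window(assertion_xml, now):
    """NotBefore is inclusive; NotOnOrAfter is exclusive, as the name says."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    return parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))

def build_sample(issued, skew_s, validity_s):
    nb, noa = validity_window(issued, skew_s, validity_s)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" IssueInstant="{issued.strftime(FMT)}">'
            f'<saml:Conditions NotBefore="{nb.strftime(FMT)}" NotOnOrAfter="{noa.strftime(FMT)}"/>'
            f'</saml:Assertion>')

# Constructed sample matching the example above: issued 1:00 GMT, skew 30 s, validity 60 s.
ISSUED = datetime(2010, 1, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE = build_sample(ISSUED, 30, 60)

if __name__ == "__main__":
    print(SAMPLE)
    print("implied (skew, validity):", implied_settings(SAMPLE))
    for offset in (-31, -30, 0, 89, 90):
        t = ISSUED + timedelta(seconds=offset)
        print(f"{offset:+4d}s -> accepted={is_within_window(SAMPLE, t)}")
```

Because the skew is applied at both ends, the total interval is the Validity Duration plus twice the Skew Time (120 seconds in this example), which is the span during which a captured assertion would still pass the time check.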


Copyright © 2010 CA. All rights reserved.