

Assertion Validity for Single Sign-on

Based on the values of the Validity Duration and Skew Time, the assertion generator calculates the total time that the assertion is valid. In the assertion document, the NotBefore and NotOnOrAfter values represent the beginning and end of the validity interval.

To determine the beginning of the validity interval, the assertion generator takes the system time when the assertion is generated. The assertion generator sets the IssueInstant value in the assertion according to this time. The assertion generator subtracts the Skew Time value from the IssueInstant value. The resulting time becomes the NotBefore value.

To determine the end of the validity interval, the assertion generator adds the Validity Duration value and the Skew Time value to the IssueInstant value. The resulting time becomes the NotOnOrAfter value.

For example, an assertion is generated at the producer at 1:00 GMT. The skew time is 30 seconds and the validity duration is 60 seconds, making the assertion validity interval between 12:59:30 GMT and 1:01:30 GMT. This interval begins 30 seconds before the time the assertion was generated and ends 90 seconds afterward.

Note: Times are relative to GMT.
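
The calculation described above, together with the matching check on the consuming side, as an added Python example (not code from the product or its documentation). The function names and the calendar date are assumptions made for illustration; the times, skew, and duration are the ones from the example in the text.

```python
from datetime import datetime, timedelta, timezone

def validity_window(issue_instant, validity_duration_s, skew_time_s):
    """Return (NotBefore, NotOnOrAfter) computed as the text describes."""
    if issue_instant.tzinfo is None:
        # Times are relative to GMT; a naive local time would shift the window.
        raise ValueError("IssueInstant must be timezone-aware")
    issue_instant = issue_instant.astimezone(timezone.utc)
    skew = timedelta(seconds=skew_time_s)
    not_before = issue_instant - skew
    not_on_or_after = issue_instant + timedelta(seconds=validity_duration_s) + skew
    return not_before, not_on_or_after

def is_within_window(now, not_before, not_on_or_after):
    """Consumer-side check: NotBefore is inclusive, NotOnOrAfter is exclusive."""
    if now.tzinfo is None:
        raise ValueError("comparison time must be timezone-aware")
    return not_before <= now.astimezone(timezone.utc) < not_on_or_after

def saml_time(dt):
    """Format a datetime the way it appears in assertion attributes (UTC)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# Values from the example in the text; the date itself is constructed.
ISSUE_INSTANT = datetime(2024, 1, 1, 1, 0, 0, tzinfo=timezone.utc)
VALIDITY_DURATION_S = 60
SKEW_TIME_S = 30
NOT_BEFORE, NOT_ON_OR_AFTER = validity_window(
    ISSUE_INSTANT, VALIDITY_DURATION_S, SKEW_TIME_S)

def total_window_seconds():
    """Total acceptance window: Validity Duration plus twice the Skew Time."""
    return int((NOT_ON_OR_AFTER - NOT_BEFORE).total_seconds())

if __name__ == "__main__":
    print("IssueInstant =", saml_time(ISSUE_INSTANT))
    print("NotBefore    =", saml_time(NOT_BEFORE))
    print("NotOnOrAfter =", saml_time(NOT_ON_OR_AFTER))
    print("window (s)   =", total_window_seconds())
    for offset in (-31, -30, 0, 89, 90):
        t = ISSUE_INSTANT + timedelta(seconds=offset)
        print(saml_time(t), "accepted" if is_within_window(
            t, NOT_BEFORE, NOT_ON_OR_AFTER) else "rejected")
```

The Skew Time is applied at both ends, so the total window in which the assertion is accepted is the Validity Duration plus twice the Skew Time (120 seconds here).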