Configuring the Assertion Validity Interval
When virtual machines that communicate with one another have no Internet-based time synchronization, or when the same local network time synchronization is not applied to all of them regularly, their system clocks can drift apart. Assertion validity errors then start to occur even though nothing has changed on the machines, in the software that runs on them, or in their configuration. To avoid such single sign-on assertion errors, you can use the com.softwareag.security.idp.assertion.skew parameter, which together with com.softwareag.security.idp.assertion.lifeperiod or com.softwareag.security.idp.SSOassertion.lifeperiod determines the total time for which an assertion is considered valid. For more information on this parameter, see Updating the Single Sign-On System for Your Product.
If many assertion errors occur, you can specify a larger assertion skew value. Be aware, however, that the skew widens the window in which an assertion is accepted, so a large value gives an attacker who captures an assertion more time to replay it. If the two machines have Internet-based time synchronization, or if the same local network time synchronization is applied to both regularly, specify a value of 0 to minimize the risk.
At the asserting party, the single sign-on system uses the attributes described in the following table to determine the assertion validity interval.

| Attribute | Description |
| --- | --- |
| IssueInstant | The system time at which the assertion is generated. |
| NotBefore | The beginning of the assertion validity interval, obtained by subtracting the skew time from the IssueInstant value. |
| NotOnOrAfter | The end of the assertion validity interval, obtained by adding the lifeperiod value and the skew time to the IssueInstant value. |
At the relying party, the single sign-on system calculates the values of the same attributes to determine whether an assertion is valid.
For example, at the asserting party, the single sign-on system can use the assertion system time, lifeperiod, and skew time to determine the NotBefore and NotOnOrAfter values, as described in the following table.
| Attribute | Value |
| --- | --- |
| IssueInstant | 9:00:00 GMT |
| SSO lifeperiod | 5 seconds |
| Skew time | 30 seconds |
| NotBefore | 8:59:30 GMT |
| NotOnOrAfter | 9:00:35 GMT |
This means that if the SSO assertion is generated at 9:00:00 GMT, the skew time is 30 seconds, and the lifeperiod is 5 seconds, the asserting party considers the assertion valid from 8:59:30 GMT up to, but not including, 9:00:35 GMT. The interval begins 30 seconds before the assertion is generated and ends 35 seconds after it is generated.
Then, the relying party applies the skew time to the NotBefore and NotOnOrAfter values of the received SSO assertion and calculates new NotBefore and NotOnOrAfter values, as described in the following table.
| Attribute | Value |
| --- | --- |
| Skew time | 30 seconds |
| NotBefore | 8:59:00 GMT |
| NotOnOrAfter | 9:01:05 GMT |
You can use the following formula to calculate the total assertion validity interval:

Total assertion validity interval = 2 × asserting party skew time + SSO lifeperiod + 2 × relying party skew time

Note that each party applies its skew at both ends of the interval, so every second of skew configured at one party adds two seconds to the total interval. If you apply the formula to the above example, the total assertion validity interval is 2 × 30 + 5 + 2 × 30 = 125 seconds, which matches the interval from 8:59:00 GMT to 9:01:05 GMT calculated by the relying party.
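The following script works through the calculation above on both sides and then simulates what the skew buys you when the two clocks disagree. It is an added example written for this page, not Software AG's own code: the lifeperiod (5 seconds), skew (30 seconds), and issue time (9:00:00 GMT) are taken from the tables above, while the function names, the fixed calendar date, and the `simulate` helper that models a relying party whose clock runs ahead or behind are assumptions of this example.

```python
"""Assertion validity window with clock skew: asserting-party side,
relying-party side, and a small clock-drift simulation.

Constructed example for this page; it is not Software AG's code. The
lifeperiod, skew and issue time match the page's tables; the function
names, the calendar date and the drift simulation are this example's own.
"""
from datetime import datetime, timedelta, timezone

# Issue time from the page's example (9:00:00 GMT); the date is arbitrary.
ISSUE_INSTANT = datetime(2024, 1, 1, 9, 0, 0, tzinfo=timezone.utc)


def asserting_party_conditions(issue_instant, lifeperiod_s, skew_s):
    """Return the (NotBefore, NotOnOrAfter) pair the asserting party writes
    into the assertion. The skew widens the window on both sides; the
    lifeperiod extends only the end."""
    skew = timedelta(seconds=skew_s)
    not_before = issue_instant - skew
    not_on_or_after = issue_instant + timedelta(seconds=lifeperiod_s) + skew
    return not_before, not_on_or_after


def relying_party_accepts(not_before, not_on_or_after, local_now, skew_s):
    """Apply the relying party's own skew to the received conditions and
    test its local clock against the widened window. NotBefore is
    inclusive and NotOnOrAfter is exclusive, as the attribute names say."""
    skew = timedelta(seconds=skew_s)
    return (not_before - skew) <= local_now < (not_on_or_after + skew)


def total_validity_interval_s(ap_skew_s, lifeperiod_s, rp_skew_s):
    """Width of the window in seconds, per the page's formula: skew is
    applied at both ends by each party, so each party's skew counts twice."""
    return 2 * ap_skew_s + lifeperiod_s + 2 * rp_skew_s


def simulate(drift_s, ap_skew_s, rp_skew_s, lifeperiod_s=5, transit_s=0):
    """Issue an assertion at ISSUE_INSTANT and validate it at a relying
    party whose clock runs drift_s seconds ahead (negative: behind) of the
    asserting party's clock, transit_s seconds after issue.
    Returns True if the relying party accepts the assertion."""
    nb, noa = asserting_party_conditions(ISSUE_INSTANT, lifeperiod_s, ap_skew_s)
    rp_now = ISSUE_INSTANT + timedelta(seconds=transit_s + drift_s)
    return relying_party_accepts(nb, noa, rp_now, rp_skew_s)


if __name__ == "__main__":
    nb, noa = asserting_party_conditions(ISSUE_INSTANT, 5, 30)
    print("asserting party window:", nb.time(), "to", noa.time())
    print("total window (s):", total_validity_interval_s(30, 5, 30))
    # A relying party whose clock is 40 s ahead rejects the assertion with
    # skew 0 on both sides, but accepts it with skew 30 on both sides.
    print("drift +40 s, skew 0/0  :", simulate(40, 0, 0))
    print("drift +40 s, skew 30/30:", simulate(40, 30, 30))
    print("drift -40 s, skew 0/0  :", simulate(-40, 0, 0))
    print("drift -40 s, skew 30/30:", simulate(-40, 30, 30))
```

Running `simulate` with different drifts shows the tolerance is asymmetric: with skew 30 on both sides, a relying party whose clock is ahead is tolerated up to 64 seconds (the lifeperiod adds to the combined skew), whereas one whose clock is behind is tolerated only down to 60 seconds, because nothing but the skew extends the start of the window. With skew 0 on both sides, any drift larger than the lifeperiod in either direction causes a rejection, which is exactly the symptom described at the top of this page.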