Software AG Infrastructure 10.7 | Setting Up Security | Configuring the Assertion Validity Interval
 
Configuring the Assertion Validity Interval
When virtual machines that communicate with one another do not have Internet-based time synchronization, or when the same local network time synchronization is not applied regularly, the system clocks might drift. In such cases, errors with the validity of assertions start to occur although no changes were made to the machines, the software that runs on them, or the configurations. To avoid single sign-on assertion errors, you can use the com.softwareag.security.idp.assertion.skew parameter, which together with com.softwareag.security.idp.assertion.lifeperiod or com.softwareag.security.idp.SSOassertion.lifeperiod determines the total time an assertion is considered valid. For more information on this parameter, see Updating the Single Sign-On System for Your Product.
If many assertion errors occur, you can specify a large assertion skew value. However, be aware that large skew values increase the risk of security attacks. If the two machines have Internet-based time synchronization or if the same local network time synchronization is applied regularly, you can specify a value of 0 to minimize the risk.
At the asserting party, the single sign-on system uses the attributes described in the following table to determine the assertion validity interval.
| Attribute | Description |
| --- | --- |
| IssueInstant | The system time when the assertion is generated. |
| NotBefore | The beginning of the assertion validity interval, which is obtained by subtracting the skew time from the IssueInstant value. |
| NotOnOrAfter | The end of the assertion validity interval, which is obtained by adding the skew time to the IssueInstant value and the lifeperiod value. |
At the relying party, the single sign-on system calculates the values of the same attributes to determine whether an assertion is valid.
For example, at the asserting party, the single sign-on system can use the assertion system time, lifeperiod, and skew time to determine the NotBefore and NotOnOrAfter values, as described in the following table.
| Attribute | Value |
| --- | --- |
| IssueInstant | 9:00:00 GMT |
| SSO lifeperiod | 5 seconds |
| Skew Time | 30 seconds |
| NotBefore | 8:59:30 GMT |
| NotOnOrAfter | 9:00:35 GMT |
This means that if the SSO assertion is generated at 09:00 GMT, the skew time is 30 seconds, and the lifeperiod is 5 seconds, the assertion is considered valid between 8:59:30 GMT and 9:00:35 GMT. The interval begins 30 seconds before the assertion is generated and ends 35 seconds after it is generated.
Then, the relying party applies the skew time to the NotBefore and NotOnOrAfter values of the received SSO assertion and calculates new NotBefore and NotOnOrAfter values, as described in the following table.
| Attribute | Value |
| --- | --- |
| Skew Time | 30 seconds |
| NotBefore | 8:59:00 GMT |
| NotOnOrAfter | 9:01:05 GMT |
You can use the following formula to calculate the total assertion validity interval:
Total assertion validity interval = (2 × asserting party skew time) + SSO validity duration + (2 × relying party skew time)
If you apply the formula to the above example, the total assertion validity interval is 125 seconds.
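The calculation above can be reproduced to see what a given skew setting costs. The following is an added example, not Software AG code: the function names and the sample date are assumptions, and NotOnOrAfter is treated as an exclusive bound. It recomputes the page's example and then compares a skew of 0 with a skew of 30 seconds for a relying party whose clock runs behind and for an assertion that is presented again 60 seconds after issue.

```python
from datetime import datetime, timedelta, timezone

def asserting_party_window(issue_instant, lifeperiod_s, skew_s):
    """NotBefore / NotOnOrAfter as the asserting party writes them."""
    skew = timedelta(seconds=skew_s)
    return (issue_instant - skew,
            issue_instant + timedelta(seconds=lifeperiod_s) + skew)

def relying_party_window(not_before, not_on_or_after, skew_s):
    """Window after the relying party applies its own skew to both bounds."""
    skew = timedelta(seconds=skew_s)
    return not_before - skew, not_on_or_after + skew

def is_accepted(issue_instant, lifeperiod_s, ap_skew_s, rp_skew_s, rp_clock):
    """True if the relying party's clock falls inside the widened window.
    Assumption: NotOnOrAfter is exclusive, as in SAML conditions."""
    nb, noa = relying_party_window(
        *asserting_party_window(issue_instant, lifeperiod_s, ap_skew_s),
        rp_skew_s)
    return nb <= rp_clock < noa

def total_validity_seconds(lifeperiod_s, ap_skew_s, rp_skew_s):
    """The page's formula for the total assertion validity interval."""
    return 2 * ap_skew_s + lifeperiod_s + 2 * rp_skew_s

# Constructed sample: the page's example times on an arbitrary date.
ISSUED = datetime(2024, 1, 1, 9, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    nb, noa = asserting_party_window(ISSUED, 5, 30)
    print("asserting party:", nb.time(), "-", noa.time())
    rnb, rnoa = relying_party_window(nb, noa, 30)
    print("relying party:  ", rnb.time(), "-", rnoa.time())
    print("total seconds:  ", total_validity_seconds(5, 30, 30))
    # Relying-party clock running 10 s behind the asserting party.
    behind = ISSUED - timedelta(seconds=10)
    print("10 s drift, skew 0: ", is_accepted(ISSUED, 5, 0, 0, behind))
    print("10 s drift, skew 30:", is_accepted(ISSUED, 5, 30, 30, behind))
    # The same assertion presented again 60 s after issue.
    late = ISSUED + timedelta(seconds=60)
    print("60 s old, skew 0:   ", is_accepted(ISSUED, 5, 0, 0, late))
    print("60 s old, skew 30:  ", is_accepted(ISSUED, 5, 30, 30, late))
```

With a skew of 30 seconds on both sides, the 5-second assertion tolerates the 10-second drift but is also still accepted a full minute after it was issued, which is the trade-off to weigh before raising the value.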