ValidateSAMLAssertion NotBefore condition violation

Hello There,

I am using ValidateSAMLAssertion policy to validate SAML assertion and failing because of NotBefore condition violation.

When checked, there is a time difference of 20 milliseconds where the Apigee server is behind.

Is there any option in this policy to have some buffer to handle milliseconds of clock skew?

Thanks and Regards

Harmeet


No, unfortunately.

Today there is no possibility to configure the ValidateSAMLAssertion policy to handle a clock skew, even one as small as 20 milliseconds.

This is a bug.

ref: b/150868981

@Dino, when you say it's a bug, has this already been raised with Apigee internally, or do I need to request this?

Thanks

Harmeet

It is a bug and the reference I gave identifies the bug. You can contact Apigee support to ask them to track the bug on your behalf (I guess notify you when the status of the bug changes).

As far as I know the status of the bug is still "new". (It has not been fixed.)

The workaround is to get those clocks synchronized, or to introduce a small delay between the time the assertion is generated, and the time the generated token is given to the client. Just wait a bit, and you would avoid the NotBefore violation.

Thanks @Dino

I'll check with support team.

Although in my case we are using ADFS, which supports a clockSkew setting, which has resolved the issue.

Regards

Harmeet
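
The NotBefore check with a clock-skew allowance, as discussed in this thread, shown as an added example that is not part of the original posts and is not Apigee's or ADFS's code. The function names, the sample assertion fragment and its timestamps are constructed for illustration; signature verification is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample fragment: issued by a clock 20 ms ahead of the validator.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2020-03-05T10:00:00.020Z"
                   NotOnOrAfter="2020-03-05T10:05:00.020Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime ('Z' suffix), with or without fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z'")
    whole, _, frac = value[:-1].partition(".")
    stamp = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S")
    # Some issuers emit 7 fractional digits; keep microsecond precision.
    micros = int(frac[:6].ljust(6, "0")) if frac else 0
    return stamp.replace(microsecond=micros, tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew=timedelta(0)):
    """Return 'ok', 'not_yet_valid' or 'expired' for the Conditions window.

    Time-window check only; it assumes the assertion's signature was
    already verified. The skew is applied to both bounds, so it also
    lengthens how long an assertion stays acceptable: keep it small.
    """
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return "not_yet_valid"
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return "expired"
    return "ok"


if __name__ == "__main__":
    validator_now = datetime(2020, 3, 5, 10, 0, 0, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE, validator_now))
    print(check_conditions(SAMPLE, validator_now, timedelta(seconds=1)))
```

With no skew allowance the validator's clock, 20 ms behind the issuer, rejects the assertion; a one-second allowance accepts it while still rejecting assertions more than a second past NotOnOrAfter.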