Access Manager SAML Service Provider accepting SAML assertions that have recently expired
This document (7007213) is provided subject to the disclaimer at the end of this document.
Novell Access Manager 3.1 Linux
Novell Identity Server
Novell Access Manager is set up as a SAML Service Provider (SP) to consume assertions from a
third-party SAML Identity Provider (IDP) using the SAML1 protocol. After the user authenticates to
the SAML1 IDP, the IDP generates a SAML1 assertion that the user's browser delivers to the SAML
SP, so that the user is single signed on to the SAML SP. Such a SAML assertion includes a <Conditions>
element defining the time window during which the assertion is valid (the NotBefore and
NotOnOrAfter attributes), for example:
<saml:Conditions NotBefore="2010-11-16T15:13:25Z" NotOnOrAfter="2010-11-16T15:23:25Z">
With Access Manager 3.1.2 IR2, when consuming the assertion from the IDP, the SP accepts it even
when the current time is a minute past NotOnOrAfter, i.e. when the assertion is no longer valid. When
an expired SAML message is sent, SP validation should fail, yet it succeeds as long as the current time
is within 5 minutes of the time defined in the NotOnOrAfter attribute. The risk is that a user can gain
access to protected resources with an expired SAML message, which also widens the window in which a
captured assertion could be replayed.
The 3.1.2 IR3 patch adds a web.xml parameter (web.xml is in the /opt/novell/nids/lib/webapp/WEB-INF/ directory) that defines how long the SAML SP continues to accept an assertion after its NotOnOrAfter timestamp has passed before treating it as invalid. Setting SAMLAssertionWindow to 0 makes the assertion expire immediately at the NotOnOrAfter time. If no web.xml entry exists, the default period for which Access Manager still considers the assertion valid is 5 minutes after the NotOnOrAfter time. Note that with a window of 0 any clock skew between the IDP and the SP is no longer tolerated on the SP side, so both systems should be time-synchronized (NTP) before the window is reduced, or legitimate assertions will be rejected.
The solution is available for both SAML1 and SAML2 protocols:
a) For SAML1
b) For SAML2
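The following is an added example, not code from Access Manager or NetIQ, showing the check the page describes: the NotBefore/NotOnOrAfter window from a saml:Conditions element is enforced with a configurable grace period after NotOnOrAfter, so the same assertion can be seen to pass with the 5 minute default and fail with a window of 0. The sample assertions, the AssertionID and the issuer URL are constructed for the example; the parameter name assertion_window_seconds is an assumption that mirrors the page's SAMLAssertionWindow setting and is not the product's API.

```python
"""Enforce saml:Conditions NotBefore / NotOnOrAfter with a grace window.

Added example (not NetIQ/Novell code). assertion_window_seconds plays the
role of the page's SAMLAssertionWindow: seconds after NotOnOrAfter during
which an assertion is still accepted. 300 is the page's stated default.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAML1 assertion using the Conditions values quoted on the page.
SAMPLE_SAML1_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_example-id" Issuer="https://idp.example.com">
  <saml:Conditions NotBefore="2010-11-16T15:13:25Z" NotOnOrAfter="2010-11-16T15:23:25Z"/>
</saml:Assertion>"""

# Constructed SAML2 assertion with the same validity window.
SAMPLE_SAML2_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example-id" IssueInstant="2010-11-16T15:13:25Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2010-11-16T15:13:25Z" NotOnOrAfter="2010-11-16T15:23:25Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime as used in SAML; a trailing 'Z' means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        # SAML mandates UTC; treat a bare timestamp as UTC rather than failing.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def find_conditions(assertion_xml):
    """Locate the Conditions element of a SAML1 or SAML2 assertion."""
    root = ET.fromstring(assertion_xml)
    for ns in (SAML1_NS, SAML2_NS):
        tag = "{%s}Conditions" % ns
        if root.tag == tag:
            return root
        cond = root.find(".//" + tag)
        if cond is not None:
            return cond
    raise ValueError("no saml:Conditions element found")


def check_conditions(assertion_xml, now, assertion_window_seconds=300):
    """Return (accepted, reason) for the assertion's time window at time `now`.

    NotBefore is enforced strictly. NotOnOrAfter is extended by the grace
    window, which is exactly the behaviour the page describes: with the
    default of 300 seconds an assertion one minute past expiry is accepted,
    with 0 it is rejected the instant NotOnOrAfter is reached.
    """
    cond = find_conditions(assertion_xml)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")

    if not_before is not None and now < parse_saml_time(not_before):
        return False, "rejected: current time is before NotBefore"

    if not_on_or_after is not None:
        deadline = parse_saml_time(not_on_or_after) + timedelta(seconds=assertion_window_seconds)
        # "OnOrAfter": the deadline itself is already outside the window.
        if now >= deadline:
            return False, "rejected: NotOnOrAfter (+%ds window) has passed" % assertion_window_seconds

    return True, "accepted: within NotBefore/NotOnOrAfter window"


if __name__ == "__main__":
    # One minute after the page's NotOnOrAfter value.
    one_minute_late = parse_saml_time("2010-11-16T15:24:25Z")
    for label, xml in (("SAML1", SAMPLE_SAML1_ASSERTION), ("SAML2", SAMPLE_SAML2_ASSERTION)):
        print(label, "default window :", check_conditions(xml, one_minute_late))
        print(label, "window = 0     :", check_conditions(xml, one_minute_late, 0))
```

Run as a script it shows the two behaviours side by side: with the default window both assertions are accepted a minute after NotOnOrAfter, with a window of 0 both are rejected. The boundary is deliberately inclusive (`now >= deadline`) because the attribute is NotOnOrAfter, so an assertion is invalid at the timestamp itself, not only after it.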
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7007213
- Creation Date:16-NOV-10
- Modified Date:26-APR-12
- NetIQ Access Manager (NAM)