In `VerifyAssertionConditions` in `validate.go`, `notBefore` and `notOnOrAfter` are doing time comparison finer than milliseconds.
According to the SAML Core spec:

> 1.3.3 Time Values
>
> All SAML time values have the type xs:dateTime, which is built in to the W3C XML Schema Datatypes
> specification [Schema2], and MUST be expressed in UTC form, with no time zone component.
> SAML system entities SHOULD NOT rely on time resolution finer than milliseconds. Implementations
> MUST NOT generate time instants that specify leap seconds.

Time comparisons SHOULD NOT rely on time resolution finer than milliseconds.
In our case, the `now` clock returned `20:08:46.518691` and the `notBefore` SAML assertion had `20:08:46.55`, which triggered the warning. The library should at most compare one significant digit after the seconds dot.
This is a major issue that causes intermittent login failure for users.
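
An added example, not code from the issue or from the library: one way to compare assertion time bounds at millisecond resolution in Go, with an explicit clock-skew allowance. `CheckConditions`, `at`, the date, the `notOnOrAfter` value and the 100 ms skew are assumptions for illustration; the two times of day marked in `main` come from the issue.

```go
package main

import (
	"fmt"
	"time"
)

// CheckConditions is a hypothetical helper for this example, not the
// library's API. It truncates every instant to whole milliseconds before
// comparing and widens both bounds by skew. Keep skew small: it also
// extends how long a captured assertion is accepted.
func CheckConditions(now, notBefore, notOnOrAfter time.Time, skew time.Duration) string {
	n := now.UTC().Truncate(time.Millisecond)
	nb := notBefore.UTC().Truncate(time.Millisecond)
	noa := notOnOrAfter.UTC().Truncate(time.Millisecond)
	switch {
	case n.Add(skew).Before(nb):
		return "not-yet-valid"
	case !n.Before(noa.Add(skew)): // NotOnOrAfter is an exclusive upper bound
		return "expired"
	}
	return "valid"
}

// at parses a time of day on a constructed date (the issue gives no date).
func at(clock string) time.Time {
	t, err := time.Parse(time.RFC3339Nano, "2000-01-01T"+clock+"Z")
	if err != nil {
		panic(err)
	}
	return t
}

func main() {
	notBefore := at("20:08:46.55")    // value from the issue
	notOnOrAfter := at("20:13:46.55") // constructed: five minutes later
	now := at("20:08:46.518691")      // value from the issue

	// Sub-millisecond difference only: equal after truncation, so accepted.
	fmt.Println(CheckConditions(at("20:08:46.5502"), at("20:08:46.5508"), notOnOrAfter, 0))
	// The issue's instants are 31 ms apart, so truncation alone still rejects.
	fmt.Println(CheckConditions(now, notBefore, notOnOrAfter, 0))
	// With an assumed 100 ms skew allowance the same assertion is accepted.
	fmt.Println(CheckConditions(now, notBefore, notOnOrAfter, 100*time.Millisecond))
}
```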