Expired session created when SessionNotOnOrAfter has already occurred.
Description
The SP uses the SessionNotOnOrAfter attribute in the AuthnStatement to cap the lifetime of the SP session. If the time given in this attribute has already passed, the SP creates a session and then immediately expires it. This causes a login loop, as the SP sends the user back to the DS/IdP for authentication (since they do not have a valid SP session). The SP does not log, or otherwise indicate, what has occurred; it only records that a session was created and then expired.
This should only occur when there are clock synchronization issues, such as during installfest setups.
The simplest fix is to add a clock skew allowance to the IdP-provided time. This should let the allowed skew correct for issues in training-type situations without affecting normal use.
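As an added illustration (not the SP's own code), the following Python model reproduces the decision described above: it reads SessionNotOnOrAfter from a constructed AuthnStatement, adds an allowed clock skew to the IdP-provided time, and reports when the resulting session would already be expired at creation, which is the condition the SP currently fails to log. The assertion fragment and timestamps are constructed for the example.

```python
import logging
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AuthnStatement (not taken from the original page).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z"
                        SessionNotOnOrAfter="2024-05-01T10:00:30Z"/>
</saml2:Assertion>"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime in UTC (trailing 'Z'), returning an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def session_not_on_or_after(assertion_xml):
    """Return the IdP-provided session cap, or None when the attribute is absent."""
    stmt = ET.fromstring(assertion_xml).find("saml2:AuthnStatement", NS)
    raw = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    return parse_saml_instant(raw) if raw else None


def session_check(assertion_xml, now_iso, skew_seconds=0):
    """Emulate the SP's lifetime decision with an allowed clock skew (the proposed fix).

    Returns the effective expiry as an ISO string plus whether the session would be
    expired the moment it is created (the cause of the login loop)."""
    now = parse_saml_instant(now_iso)
    cap = session_not_on_or_after(assertion_xml)
    if cap is None:
        return {"expiry": None, "immediately_expired": False}
    expiry = cap + timedelta(seconds=skew_seconds)  # skew is added to the IdP time
    expired = expiry <= now  # "NotOnOrAfter": equality also means expired
    if expired:
        # The diagnostic the issue says the SP does not emit today.
        logging.warning("SessionNotOnOrAfter %s (+%ss skew) is not after SP clock %s; "
                        "session would expire at creation", cap.isoformat(),
                        skew_seconds, now.isoformat())
    return {"expiry": expiry.isoformat().replace("+00:00", "Z"),
            "immediately_expired": expired}


if __name__ == "__main__":
    # SP clock is 60 s ahead of the IdP: loop without skew, fine with 180 s allowed.
    print(session_check(SAMPLE_ASSERTION, "2024-05-01T10:01:00Z"))
    print(session_check(SAMPLE_ASSERTION, "2024-05-01T10:01:00Z", skew_seconds=180))
```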