Expired session created when SessionNotOnOrAfter has already occurred.

Description

The SP uses the SessionNotOnOrAfter attribute in the AuthnStatement to cap the lifetime of the SP session. If the time given in this attribute has already passed, the SP creates a session and then immediately expires it. This causes a login loop, as the SP will send the user back to the DS/IdP for authentication (since they don't have a valid SP session). The SP does not log, or otherwise indicate, what has occurred, only that a session was created and then expired.

This should only occur if there are clock synch issues, such as during installfest setups.

Environment

None

Activity

Scott Cantor June 23, 2009 at 12:46 PM

Closing after releases.

Scott Cantor October 2, 2008 at 2:52 PM

http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=2894

Simplest fix is to add clock skew to IdP-provided time. Should allow skew to correct for issues during training-type situations, without affecting normal use.

Fixed
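
The session-lifetime decision discussed in this issue, as an added C++ sketch that is not taken from the Shibboleth SP source or from the linked revision. All names are hypothetical, and the branch that refuses the session and reports a reason is an assumption addressing the missing log message, not something the fix is stated to do.

```cpp
#include <ctime>
#include <iostream>
#include <string>

// Hypothetical names for illustration; this is not the Shibboleth SP API.
struct SessionDecision {
    bool create;          // false: refuse to create an already-dead session
    std::time_t expires;  // absolute SP session expiry (0 when !create)
    std::string reason;   // diagnostic for the SP log
};

// hasBound/idpBound: SessionNotOnOrAfter from the AuthnStatement, if present.
// lifetime: the SP's own session lifetime; skew: tolerated clock drift (seconds).
SessionDecision decideSession(std::time_t now, bool hasBound, std::time_t idpBound,
                              long lifetime, long skew) {
    std::time_t expires = now + lifetime;
    if (!hasBound)
        return {true, expires, "no SessionNotOnOrAfter; SP lifetime applies"};

    // The fix described in the comment: add clock skew to the IdP-provided time.
    std::time_t bound = idpBound + skew;
    if (now >= bound) {
        // Assumption: report the cause instead of silently creating and
        // expiring the session, which is what produces the login loop.
        return {false, 0,
                "SessionNotOnOrAfter passed " +
                    std::to_string(static_cast<long long>(now - idpBound)) +
                    "s ago (skew allowance " + std::to_string(skew) +
                    "s); check IdP/SP clock synchronization"};
    }
    if (bound < expires)
        return {true, bound, "capped by SessionNotOnOrAfter plus skew"};
    return {true, expires, "SP lifetime applies"};
}

int main() {
    const std::time_t now = 1222959120;  // constructed sample timestamp
    // Constructed cases: bound 60 s in the past, 600 s in the past, absent.
    const long offsets[] = {-60, -600, 0};
    const bool present[] = {true, true, false};
    for (int i = 0; i < 3; ++i) {
        SessionDecision d = decideSession(now, present[i], now + offsets[i], 3600, 180);
        std::cout << (d.create ? "create" : "reject") << " expires=" << d.expires
                  << " : " << d.reason << "\n";
    }
    return 0;
}
```

With a 180-second allowance, a bound 60 seconds in the past still yields a short-lived session, while a bound 600 seconds in the past is refused with a message that points at clock synchronization.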

Created August 20, 2008 at 10:58 AM
Updated June 22, 2021 at 7:45 PM
Resolved October 2, 2008 at 2:52 PM