Minimize SAML notBefore or notOnOrAfter constraint duration [Updated in Security Center 1.3 and 1.5]

Watch

Save as PDF

Share this page

Feedback

HomeYokohama Platform securityPlatform SecurityHardening settingsAuthenticationMinimize SAML notBefore or notOnOrAfter constraint duration [Updated in Security Center 1.3 and 1.5]

Table of Contents

Minimize SAML notBefore or notOnOrAfter constraint duration [Updated in Security Center 1.3 and 1.5]

Release version:
Yokohama
Xanadu
Washington DC
Vancouver
UpdatedJan 30, 2025
1 minute read

Yokohama
Platform Security

Configure this property to add a grace period in which SAML requests and responses are considered valid.

This property adds a grace period during which SAML requests and responses are considered valid. The property value represents the number of seconds to add to the NotBefore and NotOnOrAfter constraints to account for time differences between the Identity Provider (IdP) clock, and Service Provider (SP) clock. These constraints defend against replay attacks by denying requests that aren’t made within the specified time frame. If the IdP and SP clocks are significantly different, then the network latency may result in the SAML request being unauthorized.

More information

Search:


Attribute	Description
Configuration name	glide.authenticate.sso.saml2.clockskew
Configuration type	System Properties (/sys_properties_list.do)
Data type	string
Recommended value	less than 60
Default value	180
Category	Authentication
Security risk	Severity score: 7.5 CVSS score: High Security risk details: Setting the property to a value of 60 or higher may prevent the constraints from defending against replay attacks.
Dependencies and prerequisites	None

Yokohama Platform security

Filters

Versions

Products