[prev in list] [next in list] [prev in thread] [next in thread] 

List:       shibboleth-users
Subject:    Re: validating forceAuthn: comparing to "now" vs comparing to "IssueInstant"
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2015-06-30 0:19:28
Message-ID: 11B94C74-312B-46DE-9E1B-86C1D65B5910 () osu ! edu
[Download RAW message or body]

On 6/29/15, 8:14 PM, "users on behalf of Eric Goodman" <users-bounces@shibboleth.net \
on behalf of Eric.Goodman@ucop.edu> wrote:



> The maxTimeSinceAuthn setting on the SP claims to measure the authnInstant vs. \
> "now". Is there a reason the comparison isn't vs. the "IssueInstant" on the \
> assertion itself? Seems like that might be a better way to check for a recent \
> authentication, while leaving the overall timeskew adjustment work elsewhere. I can \
> imagine cases where the timeskew on maxTimeSinceAuthn needs to be long enough to \
> cause concerns with measuring "currentness".

Never really thought about it.

-- Scott

-- 
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net


[prev in list] [next in list] [prev in thread] [next in thread]