Customer has a use case where users are submitting an old, bookmarked SAMLRequest (authnrequest), and the Policy Server is generating an assertion, despite the age of the SAMLRequest. Is there a way to reject the SAMLRequest based on the age of the IssueInstant time?
Release : ALL
Component : FEDERATION
No. This is expected behavior. The Policy Server does not evaluate the age of a SAMLRequest prior to generating an assertion.
This would require customization. Creating an Assertion Generator Plugin (AGP) is one way to do this. Starting with release 12.8.5, the SAMLRequest data is made available to an AGP, so the plugin can read the IssueInstant time and decide whether to reject a request that is older than the customer's chosen maximum age.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/New-Features/New-Features-in-12_8_05.html#concept.dita_d393827c-a066-4ac5-b978-935984923f9f_samlenhancements
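As an added example (not SiteMinder code and not the AGP API from the article), the age check such a plugin would apply, written as standalone Python over a constructed AuthnRequest: decode the SAMLRequest for the binding it arrived on, read IssueInstant, and reject requests older than a maximum age, with a clock-skew tolerance. The function names, the 300 s / 60 s thresholds and the sample request are assumptions.

```python
import base64
import zlib
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed sample AuthnRequest; the ID is a placeholder, not a real value.
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed-id-1" '
              'Version="2.0" IssueInstant="2024-01-15T10:00:00Z"/>' % SAMLP_NS)

def encode_request(xml_text: str, binding: str) -> str:
    # HTTP-Redirect: raw DEFLATE (no zlib header) then base64; HTTP-POST: base64 only.
    data = xml_text.encode()
    if binding == "redirect":
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = c.compress(data) + c.flush()
    return base64.b64encode(data).decode()

def decode_request(encoded: str, binding: str) -> str:
    raw = base64.b64decode(encoded)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)
    return raw.decode()

def parse_saml_time(value: str) -> datetime:
    # SAML dateTime values are UTC with a trailing 'Z' (xsd:dateTime).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def issue_instant(xml_text: str) -> datetime:
    # Untrusted XML: use a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")
    value = root.get("IssueInstant")
    if value is None:
        raise ValueError("IssueInstant attribute missing")
    return parse_saml_time(value)

def evaluate_request_age(encoded: str, binding: str, now_utc: str,
                         max_age_s: int = 300, skew_s: int = 60) -> str:
    # Returns 'accept', 'stale' or 'clock-skew'; 'accept' is the only outcome
    # on which an assertion should be generated.
    issued = issue_instant(decode_request(encoded, binding))
    now = parse_saml_time(now_utc)
    if issued - now > timedelta(seconds=skew_s):
        return "clock-skew"   # IssueInstant in the future beyond tolerance
    if now - issued > timedelta(seconds=max_age_s + skew_s):
        return "stale"        # bookmarked / replayed old request: reject
    return "accept"
```

The IssueInstant check is only the age test; a production plugin would still rely on the Policy Server's existing signature and Destination validation of the request.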