How to Deny Assertion Generation Based on SAMLRequest IssueInstant Time

Article ID: 211363

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Customer has a use case where users are submitting an old, bookmarked SAMLRequest (authnrequest), and the Policy Server is generating an assertion, despite the age of the SAMLRequest.  Is there a way to reject the SAMLRequest based on the age of the IssueInstant time?

Cause

No.  This is expected behavior.  The Policy Server does not evaluate the age of a SAMLRequest prior to generating an assertion.

Environment

Release : ALL

Component : FEDERATION

Resolution

This would require customization.  Creating an Assertion Generator Plugin (AGP) is one way to do this.  Starting with release 12.8.5, the SAMLRequest data is made available to an AGP, allowing decisions to be made based on the IssueInstant time.
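The decision an AGP would have to make is a freshness check on the AuthnRequest's IssueInstant attribute: decode the SAMLRequest parameter, read the timestamp, and refuse to generate an assertion when the request is older than a chosen maximum age (or dated in the future beyond an allowed clock skew). The following stand-alone Python example is added here to show that check end to end; it is not SiteMinder code and does not use the AGP interface, and the five-minute maximum age, the 60-second skew allowance and the sample AuthnRequest are constructed assumptions.

```python
import base64
import binascii
import zlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def decode_saml_request(encoded: str) -> str:
    """Decode a SAMLRequest parameter value to its XML text.

    HTTP-Redirect binding sends base64(raw DEFLATE(xml)); HTTP-POST binding
    sends base64(xml). A stream that already starts with '<' is treated as XML.
    """
    raw = base64.b64decode(encoded, validate=True)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw deflate, no header


def parse_issue_instant(xml_text: str) -> datetime:
    """Return the AuthnRequest IssueInstant as an aware UTC datetime."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    value = root.get("IssueInstant")
    if value is None:
        raise ValueError("AuthnRequest lacks IssueInstant")
    # SAML uses the UTC 'Z' form; older fromisoformat() only accepts an offset.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("IssueInstant must carry a timezone")
    return ts.astimezone(timezone.utc)


def should_generate_assertion(encoded_request: str, now: datetime,
                              max_age: timedelta = timedelta(minutes=5),   # assumed policy
                              clock_skew: timedelta = timedelta(seconds=60)):
    """Decide whether an assertion may be generated for this SAMLRequest.

    Returns (allowed, reason). A malformed request is denied rather than
    passed through, so the check fails closed.
    """
    try:
        issue_instant = parse_issue_instant(decode_saml_request(encoded_request))
    except (ValueError, ET.ParseError, binascii.Error, zlib.error, UnicodeDecodeError) as exc:
        return False, f"malformed SAMLRequest: {exc}"
    age = now - issue_instant
    if age > max_age + clock_skew:
        return False, f"stale AuthnRequest: issued {age} ago"
    if age < -clock_skew:
        return False, f"AuthnRequest dated {-age} in the future"
    return True, "ok"


def encode_saml_request(xml_text: str) -> str:
    """Encode XML the way the HTTP-Redirect binding does (raw DEFLATE + base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


# Constructed sample: an AuthnRequest issued at 10:00:00Z, as a user might bookmark it.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" '
    'Version="2.0" IssueInstant="2024-01-15T10:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_REQUEST = encode_saml_request(SAMPLE_XML)

if __name__ == "__main__":
    for label, now in [("fresh", datetime(2024, 1, 15, 10, 3, tzinfo=timezone.utc)),
                       ("next day", datetime(2024, 1, 16, 10, 0, tzinfo=timezone.utc)),
                       ("future", datetime(2024, 1, 15, 9, 50, tzinfo=timezone.utc))]:
        print(label, should_generate_assertion(SAMPLE_REQUEST, now))
```

The maximum age should be chosen to cover the longest legitimate round trip between the SP issuing the request and the user completing authentication at the IdP; a denied request should be answered with a fresh redirect to the SP rather than a silent failure, since the user only has a stale bookmark.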

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/New-Features/New-Features-in-12_8_05.html#concept.dita_d393827c-a066-4ac5-b978-935984923f9f_samlenhancements