Customer has a use case where users are submitting an old, bookmarked SAMLRequest (a SAML 2.0 AuthnRequest), and the Policy Server, acting as the Identity Provider, is generating an assertion regardless of how old the request is. Is there a way to reject a SAMLRequest based on the age of its IssueInstant timestamp?
No. This is expected behavior. The Policy Server does not evaluate the age of a SAMLRequest prior to generating an assertion.
Release : ALL
Component : FEDERATION
Rejecting stale requests requires customization. Creating an Assertion Generator Plugin (AGP) is one way to do this. Starting with release 12.8.5, the SAMLRequest data is made available to the AGP, so the plugin can read the IssueInstant attribute of the AuthnRequest, compare it with the current time, and refuse to generate an assertion when the request is older than a threshold you choose. When implementing such a check, allow a small tolerance for clock skew between the Service Provider and the Policy Server, and treat an IssueInstant that lies in the future by more than that tolerance as invalid as well.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/New-Features/New-Features-in-12_8_05.html#concept.dita_d393827c-a066-4ac5-b978-935984923f9f_samlenhancements
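The following is an added example, not SiteMinder code and not part of the linked release notes: it shows the age check an AGP could apply once it has the SAMLRequest in hand. It assumes the request arrived via the HTTP-Redirect binding (URL-decoded base64 over raw DEFLATE), a maximum request age of five minutes and a 60-second clock-skew tolerance (both assumed policy values), and a constructed AuthnRequest as input. A real AGP is written in Java against the SiteMinder SDK; the decision logic is the same, but the decode step may be unnecessary if the Policy Server already hands the plugin the decoded XML.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

MAX_REQUEST_AGE = timedelta(minutes=5)   # assumed policy value
CLOCK_SKEW = timedelta(seconds=60)       # assumed SP/IdP clock drift tolerance

# Fixed "now" used by the demonstration helper below so results are reproducible.
REFERENCE_NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def decode_redirect_saml_request(saml_request_param: str) -> bytes:
    """Decode a SAMLRequest query parameter from the HTTP-Redirect binding:
    base64 (after URL-decoding) wrapping a raw DEFLATE stream (no zlib header)."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15)  # wbits=-15 selects raw DEFLATE


def encode_redirect_saml_request(xml_bytes: bytes) -> str:
    """Inverse of decode_redirect_saml_request; used here only to build a sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def parse_issue_instant(xml_bytes: bytes) -> datetime:
    """Return the IssueInstant of a samlp:AuthnRequest as an aware UTC datetime."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    value = root.get("IssueInstant")
    if value is None:
        raise ValueError("AuthnRequest has no IssueInstant attribute")
    if not value.endswith("Z"):
        raise ValueError("IssueInstant must be expressed in UTC ('Z' suffix)")
    ts = value[:-1].split(".", 1)[0]  # drop fractional seconds; second precision suffices
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def evaluate_request_age(saml_request_param: str, now: Optional[datetime] = None,
                         max_age: timedelta = MAX_REQUEST_AGE,
                         skew: timedelta = CLOCK_SKEW) -> Tuple[bool, str]:
    """Decide whether an assertion may be generated for this request.
    Rejects requests older than max_age (plus skew) and requests whose
    IssueInstant is in the future by more than skew."""
    now = now or datetime.now(timezone.utc)
    issued = parse_issue_instant(decode_redirect_saml_request(saml_request_param))
    age = now - issued
    if age > max_age + skew:
        return False, "stale AuthnRequest: issued %s ago" % age
    if age < -skew:
        return False, "AuthnRequest IssueInstant is %s in the future" % (-age)
    return True, "AuthnRequest accepted (age %s)" % age


def build_sample_request(issue_instant: datetime) -> str:
    """Constructed AuthnRequest for demonstration; not captured from any real SP."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="%s" ' % SAMLP_NS
        + 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        + 'ID="_example-request-id" Version="2.0" '
        + 'IssueInstant="%s" ' % issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
        + 'AssertionConsumerServiceURL="https://sp.example.com/saml/acs" '
        + 'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        + '<saml:Issuer>https://sp.example.com</saml:Issuer>'
        + '</samlp:AuthnRequest>'
    )
    return encode_redirect_saml_request(xml.encode("utf-8"))


def decide_for_age(age_seconds: int, now: datetime = REFERENCE_NOW) -> bool:
    """Build a request issued age_seconds before `now` and evaluate it.
    A negative age simulates an IssueInstant in the future."""
    accept, _ = evaluate_request_age(
        build_sample_request(now - timedelta(seconds=age_seconds)), now=now)
    return accept


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    samples = {
        "fresh": build_sample_request(now - timedelta(seconds=30)),
        "bookmarked": build_sample_request(now - timedelta(days=14)),
    }
    for label, req in samples.items():
        accept, reason = evaluate_request_age(req, now=now)
        print("%s: %s - %s" % (label, "ACCEPT" if accept else "REJECT", reason))
```

The boundary is inclusive on the tolerant side: a request exactly `max_age + skew` old is still accepted, one second older is rejected. Whatever threshold you pick, log the rejection with the request ID and IssueInstant so a user who lands on an error page from an old bookmark can be distinguished from a replay attempt.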