Policy server version : Upgrade from 12.8 SP2 to 12.8 SP7

AuthnInstant time is always in GMT time zone when comes in from IDP.

SP does not change its value, only compares it and proceeds on the result.

If SiteMinder is SP, only receiving the assertion content, AuthnInstant value will only show up in policy server side smtracedefault.log.

In non-working scenario, AuthnInstant time did not get time zone conversion on 12.8sp7

AuthnInstant="yyyy-mm-28T18:51:18.028014"  ....becomes ...... (before skew) = Wed mm 28 18:51:18 EST yyyy

In working scenario, time zone conversion is conducted on the AuthnInstant time stamp.

AuthnInstant="yyyy-mm-26T15:58:16.677Z"   ....becomes ......  (before skew) = Mon mm 26 10:58:16 EST yyyy

This results to all transaction falls outside of skew time window (60 seconds), unless skew time was increased to cover entire 5 more hours.

The failure was due to particular IDP partner sends in assertion with unusual parameter value. e.g.  AuthnInstant="yyyy-mm-ddT18:51:18.028014", which is in microseconds format.

12.8sp7 policy server did not do time zone conversion on AuthnInstant value, due to microseconds format.

According to saml 2 specification, "All SAML time values have the type xs:dateTime, which is built in to the W3C XML Schema Datatypes specification [Schema2], and MUST be expressed in UTC form, with no time zone component.  SAML system entities SHOULD NOT rely on time resolution finer than milliseconds. Implementations MUST NOT generate time instants that specify leap seconds."

There was a change in how AuthnInstant was processed between version 12.8sp2 vs 12.8sp7.

However, the change SiteMinder made still adheres to SAML2 specification. That's why other partnerships still work.

The failure was due to the particular IDP partner sends in assertion with unusual parameter value AuthnInstant="yyyy-mm-ddT18:51:18.028014", which is in microseconds format.

The recommended solution is asking IDP partner to change its time stamp format to something like "yyyy-mm-26T15:58:16.677Z".