CAS authentication timestamps with trailing zeros
61 views
Skip to first unread message
Al Faller
Apr 1, 2026, 9:55:09 AMApr 1
to CAS Community
Hello CAS community,
I’ve run into an interoperability issue while integrating Apereo CAS 7.0 with SimpleSAMLphp and wanted to ask for clarification and/or guidance.
To note up front: I’m aware that CAS 7.0 is out of date, and part of this inquiry is to determine whether this behavior is known, intentional, configurable, or addressed in more recent CAS versions.
The issue relates to authentication timestamps and XML Schema dateTime formatting. SimpleSAMLphp’s xml-common module performs strict validation of xs:dateTime values. Per XML Schema Part 2: Datatypes, §3.2.7.2, the fractional seconds component must not contain trailing zeros.
In practice, I’m observing CAS 7.0 emit authentication timestamps with nanosecond-level precision that includes trailing zeros, for example:
2026-03-31T19:41:01.457286900Z
In this case, the fractional seconds (.457286900) end with trailing zeros, which causes schema validation to fail in SimpleSAMLphp. The presence of trailing zeros at higher precision appears to violate the XML Schema dateTime lexical rules as interpreted by SimpleSAMLphp.
Because of this, authentication fails unless downstream XML validation is relaxed or custom timestamp normalization logic is introduced.
I’m hoping to better understand a few things:
Any insight, historical context, or pointers to configuration options or fixes—especially in newer CAS releases—would be greatly appreciated.
Thanks for your time,
I’ve run into an interoperability issue while integrating Apereo CAS 7.0 with SimpleSAMLphp and wanted to ask for clarification and/or guidance.
To note up front: I’m aware that CAS 7.0 is out of date, and part of this inquiry is to determine whether this behavior is known, intentional, configurable, or addressed in more recent CAS versions.
The issue relates to authentication timestamps and XML Schema dateTime formatting. SimpleSAMLphp’s xml-common module performs strict validation of xs:dateTime values. Per XML Schema Part 2: Datatypes, §3.2.7.2, the fractional seconds component must not contain trailing zeros.
In practice, I’m observing CAS 7.0 emit authentication timestamps with nanosecond-level precision that includes trailing zeros, for example:
2026-03-31T19:41:01.457286900Z
In this case, the fractional seconds (.457286900) end with trailing zeros, which causes schema validation to fail in SimpleSAMLphp. The presence of trailing zeros at higher precision appears to violate the XML Schema dateTime lexical rules as interpreted by SimpleSAMLphp.
Because of this, authentication fails unless downstream XML validation is relaxed or custom timestamp normalization logic is introduced.
I’m hoping to better understand a few things:
- Is emitting high‑precision timestamps with trailing zeros expected or intentional behavior in CAS 7.0?
- Has this behavior changed, been normalized, or become configurable in newer CAS versions?
- Is CAS generally designed to rely on consumer-side tolerance for xs:dateTime parsing rather than strict XML Schema compliance?
Any insight, historical context, or pointers to configuration options or fixes—especially in newer CAS releases—would be greatly appreciated.
Thanks for your time,
Al
Ray Bon
Apr 1, 2026, 11:27:37 AMApr 1
to cas-...@apereo.org
Al,
In 7.3, I see time stamps with only 3 decimals. The one exception is the cas authn instant attribute, but that should not cause a problem.
I do see time stamps with a trailing 0, such as notonorafter.
Ray
From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Al Faller <fal...@gmail.com>
Sent: April 1, 2026 06:35
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] CAS authentication timestamps with trailing zeros
Sent: April 1, 2026 06:35
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] CAS authentication timestamps with trailing zeros
|
You don't often get email from fal...@gmail.com.
Learn why this is important
|
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/25d7db61-38bc-4518-9b9d-cf7bcf44da93n%40apereo.org.
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/25d7db61-38bc-4518-9b9d-cf7bcf44da93n%40apereo.org.
Reply all
Reply to author
Forward
0 new messages