SP clock skew for Weblogic


Joseph Valerio

Nov 9, 2011, 11:01:37 AM
to Shib Users
Hi All,

We are implementing local WebLogic SPs.  After many trials we have finally succeeded with authentication, most of the time.  The issue is that our SPs are receiving the response before it is valid, i.e. the not-before timestamp is in the future.  Our servers are running on Windows, and Windows Time Services don't cut the mustard.  We have installed real NTP services and brought tolerances down to acceptable levels where the probability of a failure is very low, but not zero.  WebLogic, I mean Oracle, has settings for time skew in their IdP impl, not their SP impl.  I know that Shib's SP allows for such a skew and I completely agree that this setting belongs in the SP, but is there anything in the SAML 2.0 specification that hints at such a practice?  Oracle is taking the stance that they are SAML 2.0 compliant and this functionality would be a feature request, but if I had the spec behind me, I might be able to get it in as a defect and have a quicker time to implementation.

Thanks in advance,

- Joe

--
Joseph Valerio

Senior Solution Architect

Yale University
Shared Solution Group
Information Technology Services

phone: 203-432-1196
email: joseph....@yale.edu
smail: 25 Science Park, New Haven, CT 06511
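The check Joe is asking Oracle for, written out as an added example (not code from the original post, from Oracle WebLogic, or from the Shibboleth SP): validate the SAML 2.0 `<Conditions>` window against the SP's own clock with a configurable skew allowance, so that a NotBefore a few seconds in the future is accepted instead of failing the login. The sample assertion, its issuer and audience URLs, and the 180-second tolerance are constructed for the example; signature verification, audience and replay checks are assumed to happen elsewhere in the SP.

```python
"""Validity-window check for a SAML 2.0 assertion with clock-skew tolerance.

Added example; not code from Oracle WebLogic, Shibboleth, or the original post.
The assertion below is constructed, with placeholder issuer/audience URLs.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion. In a real SP the XML signature is verified
# first (and a hardened parser such as defusedxml is used); only Conditions
# matters for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2011-11-09T16:01:37Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2011-11-09T16:01:37Z"
                   NotOnOrAfter="2011-11-09T16:06:37Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.edu/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime (UTC, trailing 'Z') into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def conditions_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from <Conditions>; either may be None."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    return (parse_saml_instant(not_before) if not_before else None,
            parse_saml_instant(not_on_or_after) if not_on_or_after else None)


def check_validity(assertion_xml, now, clock_skew_seconds=180):
    """Return (ok, reason) for the SP clock `now` (an aware datetime).

    Per SAML 2.0 Core, NotBefore is inclusive and NotOnOrAfter is exclusive.
    The skew widens the window on both ends; clock_skew_seconds=0 is the
    strict behaviour that rejects a response whose NotBefore is still in
    the SP's future.
    """
    skew = timedelta(seconds=clock_skew_seconds)
    not_before, not_on_or_after = conditions_window(assertion_xml)
    if not_before is not None and now + skew < not_before:
        return False, (f"NotBefore {not_before.isoformat()} is more than "
                       f"{clock_skew_seconds}s ahead of SP clock {now.isoformat()}")
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        return False, (f"NotOnOrAfter {not_on_or_after.isoformat()} passed by "
                       f"more than {clock_skew_seconds}s at SP clock {now.isoformat()}")
    return True, "within validity window"


if __name__ == "__main__":
    # SP clock 27 s behind the IdP: strict check fails, skewed check passes.
    sp_clock = parse_saml_instant("2011-11-09T16:01:10Z")
    print(check_validity(SAMPLE_ASSERTION, sp_clock, clock_skew_seconds=0))
    print(check_validity(SAMPLE_ASSERTION, sp_clock))
```

Keep the tolerance small relative to the assertion lifetime: a skew of a few minutes absorbs NTP jitter, while a skew that exceeds NotOnOrAfter minus NotBefore makes the window meaningless and widens the replay margin the IdP intended to limit.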

Cantor, Scott

Nov 9, 2011, 11:34:02 AM
to us...@shibboleth.net
On 11/9/11 11:01 AM, "Joseph Valerio" <joseph....@yale.edu> wrote:
> I know that shib's SP allows
> for such a skew and I completely agree that this setting belongs in
> the SP, but is there anything in the SAML 2.0 specification that
> hints to such a practice.

No, this is in the domain of "how do you implement a protocol that
requires clock synchronization?". I wouldn't expect the Kerberos RFC to
say anything about it either.

That said, there's never going to be an implementation guidelines document
for SAML, so failing that, my suggestion would be that you send a comment
to the security-services-comment list suggesting an errata to the spec
about it. We add SHOULDs for implementers when it makes sense.

-- Scott

--
To unsubscribe from this list send an email to users-un...@shibboleth.net

Russell J Yount

Nov 9, 2011, 11:43:51 AM
to Shib Users
Actually, in RFC 4120 (Kerberos V5) there is a good deal of discussion of clock skew issues and recommended values for acceptable clock skew...

8.2. Recommended KDC Values

   Following is a list of recommended values for a KDC configuration.

      Minimum lifetime                5 minutes
      Maximum renewable lifetime      1 week
      Maximum ticket lifetime         1 day
      Acceptable clock skew           5 minutes
      Empty addresses                 Allowed
      Proxiable, etc.                 Allowed


-Russ


-----Original Message-----
From: users-...@shibboleth.net [mailto:users-...@shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, November 09, 2011 11:34 AM
To: us...@shibboleth.net
Subject: Re: SP clock skew for Weblogic

On 11/9/11 11:01 AM, "Joseph Valerio" <joseph....@yale.edu> wrote:

> I know that shib's SP allows
> for such a skew and I completely agree that this setting belongs in
> the SP, but is there anything in the SAML 2.0 specification that
> hints to such a practice.

No, this is in the domain of "how do you implement a protocol that requires clock synchronization?". I wouldn't expect the Kerberos RFC to say anything about it either.
