SAML assertions contain conditions that should be verified.
These include the NotBefore and NotOnOrAfter attributes:
NotOnOrAfter="2007-09-29T04:04:13.414Z">
These attributes specify the time span for which the token is
valid, encoded in UTC. As the name says, NotOnOrAfter is exclusive:
the token is already invalid at the exact instant it names. A token
processor should verify both values to make sure the token is neither
used before it becomes valid nor after it has expired. In some cases, a
website may want to allow for a time skew. This can be useful
because computer clocks are not perfectly in sync, and a small
difference between the issuer's clock and the website's clock could
erroneously cause a valid token to fail validation. Depending on the
environment, allowing for a time skew of five to ten minutes
is probably reasonable. The allowance should be applied at both ends
of the window and kept as small as the environment permits, since any
skew extends the usable lifetime of a stolen token by the same amount.
Another condition that can be added to a SAML assertion
is an audience restriction condition using
AudienceRestrictionCondition (see Figure 4-5). This can
be used to specify the relying party for which the token was
generated. If an audience restriction condition is present in the token,
the website should verify that it was the intended recipient; a token
issued for one relying party must not be accepted by another.

The integrity of the token needs to be verified to be sure it is from
the correct issuer.

Several checks need to be made to establish the validity of the token.

242 CardSpace Implementation
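The following is an added example, not code from the book or from CardSpace, showing the Conditions checks described above: the NotBefore/NotOnOrAfter window with a clock-skew allowance applied at both ends, and the AudienceRestrictionCondition match. The assertion, issuer and relying-party URLs are constructed for illustration; the Signature element is omitted, so the example assumes that the token's integrity and issuer have already been verified before these values are trusted.

```python
"""Check the Conditions of a SAML 1.1 assertion: validity window with clock
skew, and audience restriction.  Added example; not code from the book."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace

# Constructed sample assertion (hypothetical issuer and relying party).  No
# Signature element: integrity and issuer must be verified before any value
# below is trusted.  NotOnOrAfter reuses the timestamp quoted in the text.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" Issuer="https://idp.example.com/">
  <saml:Conditions NotBefore="2007-09-29T03:04:13.414Z"
                   NotOnOrAfter="2007-09-29T04:04:13.414Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://rp.example.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime such as 2007-09-29T04:04:13.414Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:  # SAML times are UTC; treat a bare value as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def validate_conditions(assertion_xml, expected_audience, now, skew_seconds=300):
    """Return a list of failure codes; an empty list means the conditions hold.

    The skew is applied in the token's favour at both ends of the window, so a
    relying-party clock up to skew_seconds ahead of or behind the issuer's does
    not reject an otherwise valid token.  NotOnOrAfter is exclusive: the token
    is already invalid at the instant it names.
    """
    skew = timedelta(seconds=skew_seconds)
    failures = []
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML1}}}Conditions")
    if conditions is None:
        return ["missing-conditions"]  # policy choice: require a bounded lifetime

    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        failures.append("not-yet-valid")
    if not_on_or_after is None:
        failures.append("missing-expiry")  # policy choice: refuse tokens that never expire
    elif now - skew >= parse_saml_time(not_on_or_after):
        failures.append("expired")

    # Every AudienceRestrictionCondition present must name this relying party.
    for arc in conditions.findall(f"{{{SAML1}}}AudienceRestrictionCondition"):
        audiences = [a.text.strip() for a in arc.findall(f"{{{SAML1}}}Audience") if a.text]
        if expected_audience not in audiences:
            failures.append("audience-mismatch")
    return failures


if __name__ == "__main__":
    # 1 min 47 s past NotOnOrAfter: accepted with a 5-minute skew, rejected without one.
    at = parse_saml_time("2007-09-29T04:06:00Z")
    print(validate_conditions(SAMPLE_ASSERTION, "https://rp.example.com/", at))
    print(validate_conditions(SAMPLE_ASSERTION, "https://rp.example.com/", at, 0))
```

The function returns every failed check rather than stopping at the first, which is convenient for logging; the caller should still treat any non-empty result as a rejection. Because the skew is subtracted from the relying party's clock before the NotOnOrAfter comparison, the effective lifetime of the token grows by exactly the configured allowance, which is why the text recommends keeping it to a few minutes.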