ASSERTION_SUBJECT_CONFIRM_NOTONORAFTER not respected

Question

Hi!
I'm using APM to implement a SAML SP.
APM will successfully validate a SAMLResponse even if the time specified by NotOnOrAfter in the SubjectConfirmationData element has passed. Shouldn't this fail? Is there a setting I'm missing?
From my log:
Apr 28 11:19:25 bigip-test debug apd[11857]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "parseAssertion()" line: 3578 Msg:  ASSERTION_SUBJECT_CONFIRM_NOTONORAFTER: (24) 2015-04-27T12:01:59.204Z

Apr 28 11:19:25 bigip-test debug apd[11857]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 4614 Msg:  Verification of SAML Signature 1 is Successfull

Notice from the log timestamps that the system time during message verification is well after ASSERTION_SUBJECT_CONFIRM_NOTONORAFTER.

kunjan · Answer

It is a bug. You may want to raise a support case and get the fix.&nbsp;

ingebrigt_maurs · Answer

Bug ID for this is BZ520610 &nbsp;

ingebrigt_maurs · Answer

Any progress on this?&nbsp;
NotOnOrAfter is in there to ensure SAML tokens do not remain valid forever, so IMHO a pretty important security feature.&nbsp;

Forum Discussion

ASSERTION_SUBJECT_CONFIRM_NOTONORAFTER not respected

3 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Cisco TACACS+ Config on ISE LTM Pair

Related Content

LTM - Connection limit not respected

Management GUI - session timeout not being respected

Is SAML 2.0 ForceAuthn respected?

Monitor log down and up respectively

FQDN Objects not respecting the DNS Interval

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS