> I've spent two days because one client application that uses Java-Client had
> the following error:
>
> 2009-08-13 16:30:58,313 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] - <skipping assertion that's not yet valid...>
>
> Then, after a lot of tests, I found that the error was due to unsynchronized time
> between the client machine and the server machine.
> Reading the Saml11TicketValidator.java source code, I see that the tolerance is
> just one second. Is it safe to change this class to have a tolerance of one
> minute?

We have found in our testing of the SAML ticket validator that the default 1s is too strict for our environment in many cases. We typically increase to whatever is needed to account for reasonable clock drift. I would recommend using the smallest value needed to get past that error.

I'm curious -- are you using NTP for time synchronization on both the CAS client and server? If not, you probably should be for a number of reasons. Even with NTP sync you may need to increase the tolerance of the SAML validator.

M
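
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not the source of `Saml11TicketValidator`: a validity-window check in which the tolerance widens both ends of the window, so a larger value fixes the "not yet valid" rejection but also lengthens the time an expired assertion is still accepted. The class name, the 30-second assertion lifetime, the 5-second clock offset and the assumption that the tolerance applies to both bounds are all constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical illustration; not code from the CAS Java client.
public class AssertionWindowCheck {

    /**
     * Accepts the assertion when 'now' lies in
     * [notBefore - tolerance, notOnOrAfter + tolerance).
     * Assumption: the tolerance is applied symmetrically to both bounds.
     */
    static boolean isValid(Instant notBefore, Instant notOnOrAfter,
                           Instant now, Duration tolerance) {
        if (notBefore == null || notOnOrAfter == null) {
            // Missing conditions: reject instead of treating the window as unbounded.
            return false;
        }
        Instant earliest = notBefore.minus(tolerance);
        Instant latest = notOnOrAfter.plus(tolerance);
        return !now.isBefore(earliest) && now.isBefore(latest);
    }

    public static void main(String[] args) {
        // Constructed sample: the server issues an assertion valid for 30 s.
        Instant issued = Instant.parse("2009-08-13T16:30:58Z");
        Instant notBefore = issued;
        Instant notOnOrAfter = issued.plusSeconds(30);

        Duration strict = Duration.ofSeconds(1);   // the default mentioned in the thread
        Duration modest = Duration.ofSeconds(10);  // just enough for the constructed drift
        Duration minute = Duration.ofSeconds(60);  // the value the question proposes

        // Case 1: client clock is 5 s behind the server at the moment of validation.
        Instant clientNow = issued.minusSeconds(5);
        System.out.println("client 5 s behind, 1 s tolerance:  "
                + isValid(notBefore, notOnOrAfter, clientNow, strict));
        System.out.println("client 5 s behind, 10 s tolerance: "
                + isValid(notBefore, notOnOrAfter, clientNow, modest));

        // Case 2: the same assertion presented 50 s after it expired.
        Instant late = notOnOrAfter.plusSeconds(50);
        System.out.println("50 s after expiry, 10 s tolerance: "
                + isValid(notBefore, notOnOrAfter, late, modest));
        System.out.println("50 s after expiry, 60 s tolerance: "
                + isValid(notBefore, notOnOrAfter, late, minute));
    }
}
```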
