Marvin,

What have you found to be a reasonable default? I think it would be good if our default was reasonable ;-)

Cheers,
Scott

On Fri, Aug 14, 2009 at 9:21 AM, Marvin Addison <[email protected]> wrote:

> > I've spent two days because one client application that uses Java-Client had
> > the following error:
> > 2009-08-13 16:30:58,313 DEBUG [org.jasig.cas.client.validation.Saml11TicketValidator] - <skipping assertion that's not yet valid...>
> > Then, after a lot of tests, I found that the error was due to unsynchronized time
> > between the client machine and the server machine.
> > Reading the Saml11TicketValidator.java source code, I see that the tolerance is
> > just one second. Is it safe to change this class to have a toleration of one
> > minute?
>
> We have found in our testing of the SAML ticket validator that the
> default 1s is too strict for our environment in many cases. We
> typically increase to whatever is needed to account for reasonable
> clock drift. I would recommend using the smallest value needed to get
> past that error. I'm curious -- are you using NTP for time
> synchronization on both the CAS client and server? If not, you
> probably should be for a number of reasons. Even with NTP sync you
> may need to increase the tolerance of the SAML validator.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
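The trade-off discussed in this thread, as an added example that is not part of the original messages and is not the CAS client's own code: a validity-window check with a clock-skew tolerance, showing that a small tolerance rejects a fresh assertion when the client clock lags, while a large one also accepts an assertion well after it expired. The class and method names, the 30-second lifetime and the clock offsets are hypothetical, constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Illustrative sketch only; names and sample values are hypothetical.
public class SkewToleranceDemo {

    enum Result { VALID, NOT_YET_VALID, EXPIRED }

    // Checks the window [notBefore, notOnOrAfter) against the validator's
    // local clock, widening both edges by the configured tolerance.
    static Result check(Instant notBefore, Instant notOnOrAfter,
                        Instant localNow, Duration tolerance) {
        if (localNow.plus(tolerance).isBefore(notBefore)) {
            return Result.NOT_YET_VALID; // the "not yet valid" case from the log line
        }
        if (!localNow.minus(tolerance).isBefore(notOnOrAfter)) {
            return Result.EXPIRED;
        }
        return Result.VALID;
    }

    public static void main(String[] args) {
        // Constructed sample: the server issues an assertion valid for 30 s.
        Instant notBefore = Instant.parse("2009-08-13T16:30:58Z");
        Instant notOnOrAfter = notBefore.plusSeconds(30);

        // Case 1: the client clock runs 5 s behind the server and the
        // assertion is validated immediately after it was issued.
        Instant laggingClient = notBefore.minusSeconds(5);
        for (long tol : new long[] {1, 10, 60}) {
            System.out.printf("fresh assertion, client 5 s behind, tolerance %2d s: %s%n",
                    tol, check(notBefore, notOnOrAfter, laggingClient, Duration.ofSeconds(tol)));
        }

        // Case 2: the same assertion presented 45 s after it expired.
        // Every second of tolerance extends how long it remains usable.
        Instant lateClient = notOnOrAfter.plusSeconds(45);
        for (long tol : new long[] {1, 10, 60}) {
            System.out.printf("assertion expired 45 s ago, tolerance %2d s: %s%n",
                    tol, check(notBefore, notOnOrAfter, lateClient, Duration.ofSeconds(tol)));
        }
    }
}
```

Comparing the two cases for each tolerance shows why the advice above is to pick the smallest value that covers the measured drift and to fix the drift itself with NTP.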
