End of Life Notice

Icon

As of June 30, 2010, Shibboleth v1.3 is no longer supported. All deployments should upgrade to Shibboleth v2. This documentation is provided for historical purposes only.

Skip to end of metadata
Go to start of metadata

SAML, like most security protocols, relies on correct time synchronization between servers to work properly. Clients are generally not required to be well-configured, but servers MUST be synchronized to within a few minutes of each other. In particular, an SP must be within a few minutes of the IdP or various errors can result, and the browser user will see an error message mentioning clock skew or expiration of some sort.

The exact tolerance is set by the clockSkew attribute in the root element of the ShibbolethXml file. It is set in seconds and defaults to a 3 minute window on either side.

Errors resulting cannot be fixed except by adjusting one or both parties' clock. Usually one party is correct and the other is not, but it is impossible to know which without looking at a correct time source.

Proper Shibboleth installation REQUIRES a good time source using NTP or some other time protocol. Most operating systems can be configured to synchronize against a correct time source.

If you're running Windows, this article might be helpful: http://support.microsoft.com/kb/816042

  • No labels