In the SAML2 specification there are several places in an assertion where it is possible to specify a lifetime.
- The <SubjectConfirmationData> element contains a NotOnOrAfter attribute.
- The <Conditions> element contains a NotOnOrAfter attribute.
- The <AuthnStatement> element contains a SessionNotOnOrAfter attribute.
What is the meaning of each of them? How do they relate to each other?
Specifically, which of them must be checked when...
- ... consuming an incoming Saml2Response using Web SSO
- ... establishing an application session in the SP
- ... refreshing (extending) an application session in the SP
- ... forwarding an assertion to a web service, to act on behalf of the subject (as described by @Thuan)
- ... issuing a single logout request to the idp, to ensure that the idp still knows of the session?
Each of the NotOnOrAfter attributes is described in the SAML2 core specification. I've included the parts that I can find that describe these attributes here.
SubjectConfirmationData/@NotOnOrAfter
A time instant at which the subject can no longer be confirmed. The time value is encoded in UTC, as described in Section 1.3.3.
Note that the time period specified by the optional NotBefore and NotOnOrAfter attributes, if present, SHOULD fall within the overall assertion validity period as specified by the <Conditions> element's NotBefore and NotOnOrAfter attributes. If both attributes are present, the value for NotBefore MUST be less than (earlier than) the value for NotOnOrAfter.
Conditions/@NotOnOrAfter
Specifies the time instant at which the assertion has expired. The time value is encoded in UTC, as described in Section 1.3.3.
The NotBefore and NotOnOrAfter attributes specify time limits on the validity of the assertion within the context of its profile(s) of use. They do not guarantee that the statements in the assertion will be correct or accurate throughout the validity period. The NotBefore attribute specifies the time instant at which the validity interval begins. The NotOnOrAfter attribute specifies the time instant at which the validity interval has ended. If the value for either NotBefore or NotOnOrAfter is omitted, then it is considered unspecified. If the NotBefore attribute is unspecified (and if all other conditions that are supplied evaluate to Valid), then the assertion is Valid with respect to conditions at any time before the time instant specified by the NotOnOrAfter attribute. If the NotOnOrAfter attribute is unspecified (and if all other conditions that are supplied evaluate to Valid), the assertion is Valid with respect to conditions from the time instant specified by the NotBefore attribute with no expiry. If neither attribute is specified (and if any other conditions that are supplied evaluate to Valid), the assertion is Valid with respect to conditions at any time.
If both attributes are present, the value for NotBefore MUST be less than (earlier than) the value for NotOnOrAfter.
AuthnStatement/@SessionNotOnOrAfter
Indicates an upper bound on sessions with the subject derived from the enclosing assertion. The time value is encoded in UTC, as described in Section 1.3.3. There is no required relationship between this attribute and a NotOnOrAfter condition attribute that may be present in the assertion. It's left to profiles to provide specific processing rules for relying parties based on this attribute.
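To make the three quoted definitions concrete, here is an added example (not code from the question or the answer above) that pulls the three attributes out of a constructed assertion and evaluates each against a point in time: the <Conditions> window decides whether the assertion itself is valid (with an omitted bound treated as unspecified, i.e. open on that side, and NotBefore required to be earlier than NotOnOrAfter, as the quoted text says), the bearer <SubjectConfirmationData> NotOnOrAfter decides whether the subject can still be confirmed, and SessionNotOnOrAfter caps the SP's application session independently of the assertion's own expiry. The sample assertion, the example.invalid hostnames, the SP's default 8-hour session maximum, and the choice to reject a bearer confirmation that carries no NotOnOrAfter (which the Web Browser SSO profile requires to be present) are assumptions of this example, not something stated on this page.

```python
"""Evaluate SAML2 assertion lifetimes: Conditions, SubjectConfirmationData and
SessionNotOnOrAfter. Added illustration; the assertion below is constructed,
unsigned and not the output of any real IdP."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample (hostnames and timestamps are made up for the example).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.invalid/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:10:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
      SessionNotOnOrAfter="2024-01-01T20:00:00Z"/>
</saml:Assertion>"""


def parse_utc(value: Optional[str]) -> Optional[datetime]:
    """Parse a SAML xs:dateTime in UTC ('Z' suffix); None if the attribute is absent."""
    if value is None:
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


@dataclass
class Lifetimes:
    not_before: Optional[datetime]                 # Conditions/@NotBefore
    not_on_or_after: Optional[datetime]            # Conditions/@NotOnOrAfter
    confirmation_not_on_or_after: Optional[datetime]  # bearer SubjectConfirmationData/@NotOnOrAfter
    session_not_on_or_after: Optional[datetime]    # AuthnStatement/@SessionNotOnOrAfter


def extract_lifetimes(xml_text: str) -> Lifetimes:
    """Collect the three lifetime attributes; enforce NotBefore < NotOnOrAfter on Conditions."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    authn = root.find("saml:AuthnStatement", SAML_NS)
    scd = None
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", SAML_NS):
        if sc.get("Method") == BEARER:  # only the bearer confirmation matters for Web SSO
            scd = sc.find("saml:SubjectConfirmationData", SAML_NS)
    lt = Lifetimes(
        not_before=parse_utc(cond.get("NotBefore") if cond is not None else None),
        not_on_or_after=parse_utc(cond.get("NotOnOrAfter") if cond is not None else None),
        confirmation_not_on_or_after=parse_utc(scd.get("NotOnOrAfter") if scd is not None else None),
        session_not_on_or_after=parse_utc(authn.get("SessionNotOnOrAfter") if authn is not None else None),
    )
    if (lt.not_before is not None and lt.not_on_or_after is not None
            and lt.not_before >= lt.not_on_or_after):
        raise ValueError("Conditions: NotBefore MUST be earlier than NotOnOrAfter")
    return lt


def assertion_valid_at(lt: Lifetimes, now: datetime) -> bool:
    """Conditions window. An omitted bound is 'unspecified': no limit on that side."""
    if lt.not_before is not None and now < lt.not_before:
        return False
    if lt.not_on_or_after is not None and now >= lt.not_on_or_after:  # 'on or after' ends validity
        return False
    return True


def subject_confirmable_at(lt: Lifetimes, now: datetime) -> bool:
    """Bearer SubjectConfirmationData/@NotOnOrAfter. Assumption of this example:
    a bearer confirmation with no NotOnOrAfter is refused rather than treated as open-ended."""
    if lt.confirmation_not_on_or_after is None:
        return False
    return now < lt.confirmation_not_on_or_after


def session_deadline(lt: Lifetimes, session_start: datetime, sp_max_hours: int = 8) -> datetime:
    """Upper bound for the SP's own application session: the SP's policy (assumed 8 h here),
    further capped by SessionNotOnOrAfter when present. Independent of Conditions/@NotOnOrAfter."""
    deadline = session_start + timedelta(hours=sp_max_hours)
    if lt.session_not_on_or_after is not None:
        deadline = min(deadline, lt.session_not_on_or_after)
    return deadline


if __name__ == "__main__":
    lt = extract_lifetimes(SAMPLE_ASSERTION)
    for stamp in ("2024-01-01T12:03:00Z", "2024-01-01T12:07:00Z", "2024-01-01T12:10:00Z"):
        now = parse_utc(stamp)
        print(stamp, "assertion valid:", assertion_valid_at(lt, now),
              "subject confirmable:", subject_confirmable_at(lt, now))
    print("session deadline:", session_deadline(lt, parse_utc("2024-01-01T12:00:00Z")))
```

Running it on the constructed assertion shows the three windows diverging: at 12:03 the assertion is valid and the subject confirmable; at 12:07 the assertion is still valid but the bearer confirmation has lapsed, so the response could no longer be consumed for SSO; at 12:10 the Conditions window has closed; and the application session's deadline is the earlier of the SP's own limit and SessionNotOnOrAfter (20:00 here), regardless of the assertion having expired minutes after it was issued.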