
Does AzureAD support SessionNotOnOrAfter attribute of "AuthnStatement" section in SAML response? If not, can we consider NotBefore and NotOnOrAfter attributes of "Conditions" section as valid session time window (session length)?

stedejan

2 Answers


As of today, AzureAD does not support the SessionNotOnOrAfter attribute and does not allow configuring session lifetimes derived from the SAML Response. The "NotOnOrAfter" attribute should not be used to control session lifetime, because it has a totally different meaning and purpose. See NotOnOrAfter in SubjectConfirmationData and Conditions, and SessionNotOnOrAfter.


Yes, the NotBefore and NotOnOrAfter attributes specify the interval during which the assertion is valid.

<Conditions NotBefore="2013-03-18T07:38:15.128Z" NotOnOrAfter="2013-03-18T08:48:15.128Z">
  <AudienceRestriction>
    <Audience>https://www.contoso.com</Audience>
  </AudienceRestriction>
</Conditions>

  • The value of the NotBefore attribute is equal to or slightly (less than a second) later than the value of IssueInstant attribute of the Assertion element. Azure AD does not account for any time difference between itself and the cloud service (service provider), and does not add any buffer to this time.

  • The value of the NotOnOrAfter attribute is 70 minutes later than the value of the NotBefore attribute.

Reference: Single Sign-On SAML protocol

Mohit_Garg
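As an added example (not from either answer, and not Microsoft's code), here is the check a service provider should run on the Conditions element quoted above: it enforces NotBefore/NotOnOrAfter as the assertion validity window (not as a session length), allows a small clock skew because Azure AD adds no buffer of its own, checks the audience, and reports whether the IdP sent SessionNotOnOrAfter at all. The sample assertion, the 30-second skew and the helper names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample shaped like the Azure AD Conditions element quoted in the answer
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
  IssueInstant="2013-03-18T07:38:15.128Z">
  <Conditions NotBefore="2013-03-18T07:38:15.128Z" NotOnOrAfter="2013-03-18T08:48:15.128Z">
    <AudienceRestriction>
      <Audience>https://www.contoso.com</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2013-03-18T07:38:15.128Z"/>
</Assertion>"""

def parse_ts(value):
    # SAML timestamps are UTC ("Z"); Azure AD emits millisecond precision
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value}")

def validity_window(xml_text):
    """Length of the Conditions window (NotOnOrAfter minus NotBefore): 70 minutes for Azure AD."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    return parse_ts(cond.get("NotOnOrAfter")) - parse_ts(cond.get("NotBefore"))

def check_conditions(xml_text, expected_audience, now, skew=timedelta(seconds=30)):
    """SP-side check of the assertion validity window and audience; returns (ok, reason)."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    # Small skew tolerance on the SP side, since Azure AD adds no buffer of its own
    if now < not_before - skew:
        return False, "assertion not yet valid"
    if now >= not_on_or_after + skew:
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    return True, "valid"

def session_expiry(xml_text):
    """SessionNotOnOrAfter from AuthnStatement if the IdP sent one, else None (Azure AD omits it)."""
    stmt = ET.fromstring(xml_text).find("saml:AuthnStatement", NS)
    if stmt is None or stmt.get("SessionNotOnOrAfter") is None:
        return None
    return parse_ts(stmt.get("SessionNotOnOrAfter"))
```

A `None` from `session_expiry` means the SP must apply its own session policy; a passing `check_conditions` only says the assertion may be consumed now, nothing about how long the resulting session should live.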