Minimize SAML "notBefore" or "notOnOrAfter" Constraint Duration and ignore cache on property
03-14-2025 03:24 AM
My job is to minimize the SAML "notBefore" or "notOnOrAfter" constraint duration. I can achieve this using the property mentioned below. The default value was 180, and according to the documentation I found the recommended value is less than 60.
Can someone confirm if this value is appropriate, or should I set it even lower? Also, should I keep "Ignore Cache" enabled?
How can I test this configuration, and what impact might it have on the system?
Thank you for your help!
07-08-2025 09:14 AM - edited 07-08-2025 09:15 AM
Hi @matefesus
This property depends upon multiple factors.
1: The actual time difference between the SP and IdP servers.
2: The time it takes to issue the response on the IdP side and consume it on the SP side.
Whatever value is set in the property, the SAML response processor on the SP side adds it to notOnOrAfter before comparing it with the current time on its server. The same goes for notBefore.
In a nutshell, current ± clock skew is the actual range it compares with the incoming parameters in the SAML response, so it gets a range of 2*(Clock Skew prop value). This is the reason it's advised to set this property to a lower value.
However, in practical cases, there can actually be some seconds/minutes of time difference between the SP and IdP. So this property should be set accordingly, so that the time difference can be taken into account while validating the SAML response.
"Ignore Cache" is asked while modifying the glide property values. This is to avoid the system-wide cache flush triggered after setting the property, and the cache rebuilding that causes slowness in the instance. This can be avoided by setting the ignore cache flag to false.