Minimize SAML notBefore or notOnOrAfter constraint duration [Updated in Security Center 1.3 and 1.5]

  • Release version: Zurich
  • Updated July 31, 2025

    Configure this property to add a grace period in which SAML requests and responses are considered valid.

    This property adds a grace period during which SAML requests and responses are considered valid. The property value is the number of seconds added to the NotBefore and NotOnOrAfter constraints to account for time differences between the Identity Provider (IdP) clock and the Service Provider (SP) clock. These constraints defend against replay attacks by denying requests that aren’t made within the specified time frame. If the IdP and SP clocks differ significantly, network latency may cause the SAML request to be rejected as unauthorized.

    More information

    Attribute: Description
    Configuration name: glide.authenticate.sso.saml2.clockskew
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: string
    Recommended value: less than 60
    Default value: 180
    Category: Authentication
    Security risk:
    • Severity score: 7.5
    • CVSS score: High
    • Security risk details: Setting the property to a value of 60 or higher may prevent the constraints from defending against replay attacks.
    Dependencies and prerequisites: None
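
The effect of the grace period on the acceptance window, as an added example (not ServiceNow code). It assumes the skew is subtracted from NotBefore and added to NotOnOrAfter; the function names and the five-minute assertion are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_saml_time(value):
    """Parse a UTC xs:dateTime as used in SAML, e.g. 2025-07-31T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conditions_valid(not_before, not_on_or_after, now, clockskew):
    """True if `now` is inside [NotBefore - skew, NotOnOrAfter + skew).

    `clockskew` is a string, matching the property's data type.
    Assumption: the skew widens both ends of the validity window.
    """
    skew = timedelta(seconds=int(clockskew))
    start = parse_saml_time(not_before) - skew
    end = parse_saml_time(not_on_or_after) + skew
    return start <= now < end

def acceptance_window_seconds(not_before, not_on_or_after, clockskew):
    """Total time during which the SP would accept the assertion."""
    lifetime = parse_saml_time(not_on_or_after) - parse_saml_time(not_before)
    return int(lifetime.total_seconds()) + 2 * int(clockskew)

# Constructed assertion conditions: valid for five minutes by the IdP clock.
NOT_BEFORE = "2025-07-31T12:00:00Z"
NOT_ON_OR_AFTER = "2025-07-31T12:05:00Z"

# SP clock 150 seconds after the assertion expired (a late re-presentation).
LATE = parse_saml_time("2025-07-31T12:07:30Z")
# SP clock 30 seconds behind the IdP (ordinary clock drift).
DRIFT = parse_saml_time("2025-07-31T11:59:30Z")

def summarize():
    """Compare the default (180) with a value under the recommended limit (59)."""
    rows = []
    for skew in ("180", "59"):
        rows.append({
            "clockskew": skew,
            "window_s": acceptance_window_seconds(NOT_BEFORE, NOT_ON_OR_AFTER, skew),
            "accepts_expired": conditions_valid(NOT_BEFORE, NOT_ON_OR_AFTER, LATE, skew),
            "tolerates_drift": conditions_valid(NOT_BEFORE, NOT_ON_OR_AFTER, DRIFT, skew),
        })
    return rows

if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Both values absorb the 30-second drift, but only the default of 180 still accepts the assertion 150 seconds after it expired.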