Skewing the SAMLP NotBefore in ADFS v2

    Question

  • I have an ADFS v2 implementation in which we are acting as the Claims Provider (IdP) for a Resource Provider (RP) at a SaaS, and it is usually working fine.  However, periodically the Resource Provider seems to have an issue with their clocks keeping time.  Sometimes it will fall behind by up to 30 seconds.  Unfortunately, this means when users go to log in, the NotBefore field of the signature appears in the future to the RP and is thus invalid.

    Because the NotBefore field is generated based on when it was created, I'm not sure if there is some way I could tell ADFS that when it signs it to skew the NotBefore to Now-1 minute or something to allow for their poor timing.

    So my question is, can a SAML response be configured to allow for a deviation to the past (i.e. set the NotBefore parameter back a few seconds or a minute)?

    Thank you,
    -SMFX

    Wednesday, August 3, 2011 5:56 PM

Answers

  • The solution relies on using the PowerShell API to make the modification.  Apparently, each Relying Trust has a "NotBeforeSkew" that is not listed in the GUI.  Not only that, even the API documentation is pretty lacking.

    Also, this will probably only show up if you are creating a custom Relying Party rather than using a published XML for a Relying Party, as the XML they would normally publish can specify the NotBeforeSkew.  In any event, the commands are:

    Add-PSSnapin Microsoft.Adfs.PowerShell #Load up the ADFS PowerShell plug in
    Get-ADFSRelyingPartyTrust -Identifier "urn:party:sso" #Just to see what the values were
    Set-ADFSRelyingPartyTrust -TargetIdentifier "urn:party:sso" -NotBeforeSkew 2 #Set the skew to 2 minutes

      Where "urn:party:sso" is one of the Identifiers for your Relying Party and you want the NotBefore values set back 2 minutes before the ticket is created.

    This should also only really be an issue when

    • you have a service provider (Relying Party) that is not keeping their clocks up to speed
    • your server clock is getting fast
    • the service provider has no tolerance for the NotBefore being ahead of their clock in time

    This type of fix is also documented in a Hotfix for ADFS v1, but ADFS v2 does it completely differently:

         ADFS v1 Hotfix: KB 956279 - A cross-domain Web single sign-on fails if there is a small time difference between Active Directory Federation Services in Windows Server 2003 R2 systems and IBM Tivoli Federated Identity Manager

    Thank you,
    -SMFX




    • Marked as answer by SMFX Wednesday, August 3, 2011 9:53 PM
    • Edited by SMFX Wednesday, April 11, 2012 3:52 PM Corrected solution based on DaveAtNWEA's post of what was wrong with it.
    Wednesday, August 3, 2011 9:53 PM
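An added example, not code from this thread or from ADFS: a Python simulation of the RP-side NotBefore check that shows why a relying party whose clock is 30 seconds behind rejects a freshly issued assertion, and how issuing with a NotBeforeSkew of 2 minutes moves NotBefore back so the same RP accepts it. The SAML Conditions fragment, the timestamps and the RP's zero tolerance are constructed assumptions.

```python
# Added example (not from the thread): simulates why an RP with a lagging clock
# rejects a freshly issued SAML assertion, and how ADFS's NotBeforeSkew (minutes
# subtracted from NotBefore at issue time) keeps it valid. The XML fragment,
# clock offsets and validity window are constructed values, not real traffic.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ISO = "%Y-%m-%dT%H:%M:%SZ"

def issue_conditions(issue_time, not_before_skew_min=0, lifetime_min=60):
    """IdP side: build <saml:Conditions>, moving NotBefore into the past by
    not_before_skew_min minutes (the effect of -NotBeforeSkew on the trust)."""
    not_before = issue_time - timedelta(minutes=not_before_skew_min)
    not_on_or_after = issue_time + timedelta(minutes=lifetime_min)
    return (
        f'<saml:Conditions xmlns:saml="{SAML_NS}" '
        f'NotBefore="{not_before.strftime(ISO)}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(ISO)}"/>'
    )

def validate_conditions(xml_text, rp_now, rp_tolerance=timedelta(0)):
    """RP side: check the validity window against the RP's own clock.
    rp_tolerance is the RP's skew allowance; the RP in the thread had none."""
    cond = ET.fromstring(xml_text)
    nb = datetime.strptime(cond.get("NotBefore"), ISO).replace(tzinfo=timezone.utc)
    noa = datetime.strptime(cond.get("NotOnOrAfter"), ISO).replace(tzinfo=timezone.utc)
    if rp_now + rp_tolerance < nb:
        return "rejected: NotBefore is in the future"
    if rp_now - rp_tolerance >= noa:
        return "rejected: assertion expired"
    return "accepted"

def demo(rp_clock_lag_seconds, not_before_skew_min):
    """IdP issues at a fixed 'now'; the RP checks it with a clock that lags
    by rp_clock_lag_seconds. Returns the RP's verdict."""
    idp_now = datetime(2011, 8, 3, 17, 56, 0, tzinfo=timezone.utc)  # constructed
    xml_text = issue_conditions(idp_now, not_before_skew_min)
    rp_now = idp_now - timedelta(seconds=rp_clock_lag_seconds)
    return validate_conditions(xml_text, rp_now)

if __name__ == "__main__":
    print(demo(30, 0))  # RP 30 s behind, no skew: rejected: NotBefore is in the future
    print(demo(30, 2))  # same RP, NotBeforeSkew 2 min: accepted
```

The skew widens the window an RP will accept by the same amount, so keep it as small as the RP's observed drift requires; the rp_tolerance argument shows the RP-side counterpart, which is the better place to absorb clock drift.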
  • The solution relies on using the PowerShell API to make the modification.  Apparently, each Relying Trust has a "NotBeforeSkew" that is not listed in the GUI.  Not only that, even the API documentation is pretty lacking.

    Also, this will probably only show up if you are creating a custom Relying Party rather than using a published XML for a Relying Party, as the XML they would normally publish can specify the NotBeforeSkew.  In any event, the commands are:

    Add-PSSnapin Microsoft.Adfs.PowerShell #Load up the ADFS PowerShell plug in
    Get-ADFSRelyingPartyTrust -Identifier "urn:party:sso" #Just to see what the values were
    Set-ADFSRelyingPartyTrust -Identifier "urn:party:sso" -NotBeforeSkew 2 #Set the skew to 2 minutes

      Where "urn:party:sso" is one of the Identifiers for your Relying Party and you want the NotBefore values set back 2 minutes before the ticket is created.

    Thank you,
    -SMFX


    That command didn't quite work for me; I would get an error message:
     "CategoryInfo : InvalidArgument: (:) [Set-ADFSRelyingPartyTrust], ParameterBindingException..."

    The command that worked for me was:
    Get-ADFSRelyingPartyTrust -Identifier "urn:party:sso" | Set-ADFSRelyingPartyTrust -NotBeforeSkew 2


    Dave Lum - Systems Engineer NWEA
    • Edited by DaveAtNWEA Thursday, February 2, 2012 10:19 PM
    • Marked as answer by SMFX Wednesday, April 11, 2012 3:52 PM
    Thursday, February 2, 2012 10:17 PM

All replies

  • Refer to http://social.msdn.microsoft.com/Forums/en-US/geneva/threads/

    hth
    Marcin

    • Proposed as answer by Meinolf Weber Wednesday, August 3, 2011 7:15 PM
    • Unproposed as answer by SMFX Wednesday, August 3, 2011 9:39 PM
    Wednesday, August 3, 2011 6:16 PM


    Thanks, but I'm not a developer; I'm an administrator.  This is a configuration setting for Active Directory Federated Services, so I'm going to post the solution I figured out so that other Administrators that have to manage an ADFS system can find it too.
    Wednesday, August 3, 2011 9:41 PM
  • That command didn't quite work for me; I would get an error message:
     "CategoryInfo : InvalidArgument: (:) [Set-ADFSRelyingPartyTrust], ParameterBindingException..."

    The command that worked for me was:
    Get-ADFSRelyingPartyTrust -Identifier "urn:party:sso" | Set-ADFSRelyingPartyTrust -NotBeforeSkew 2


    Dave Lum - Systems Engineer NWEA

    Thanks for the catch, Dave!

    Piping it is probably the easiest way, but it looks like I typed the command wrong.  It should have been "-TargetIdentifier" rather than just "-Identifier".  The piping works perfectly, but it should have been:

    Add-PSSnapin Microsoft.Adfs.PowerShell #Load up the ADFS PowerShell plug in
    Get-ADFSRelyingPartyTrust -Identifier "urn:party:sso" #Just to see what the values were
    Set-ADFSRelyingPartyTrust -TargetIdentifier "urn:party:sso" -NotBeforeSkew 2 #Set the skew to 2 minutes
    

    Wednesday, April 11, 2012 3:49 PM