
cal7o (cal7o) asked a question.
Hi,
While using Okta as the SAML SSO IdP to authenticate, we are observing the following behavior.
- The session timeout on IDP is configured to be 8 hours (under Security -> Authentication -> Sign On).
- The first time the user tries to log in to our application (SP), the request gets redirected to the Okta SAML IdP, where the user is prompted to provide credentials, and we get back a SAML assertion with the "authnInstant" value containing the user's login time.
- After 2 hours (this is the timeout configured on our portal to reinitiate the SAML flow), when the user tries to access the SP portal, we again redirect the user to the IdP. No login is prompted on the IdP side and we get back a valid assertion response. However, the "authnInstant" value in the response does not contain the first authenticated time but the current time. Kindly let me know in what scenarios Okta returns the current time as the authnInstant time.

Hello Srikkanth!
Thank you for posting on our community forums!
This is expected behavior, as authnInstant is supposed to reflect the time at which the user authenticates to your application.
If the user's session in your app expires and the user has to re-authenticate, authnInstant will reflect the moment when the user renewed the session within your app.
Hi Catalin,
Thanks for the response. According to the SAML 2.0 specification, authnInstant should specify the time at which the authentication took place at the IdP and not at the service provider application. In fact, in our other environment, this behavior is working as expected (i.e. the authnInstant value is matching the authentication time on the Okta IdP side even though multiple requests are being sent to the IdP from our application).
My question is, are there any cases where the Okta IdP would set the current time as the authnInstant? The reason I ask is that we are observing this behavior in another environment of ours but could not figure out the reason behind it.
Could you please double check how Okta handles this and respond back.
Hi Catalin! I am also experiencing the same type of issue. On our production Okta account, assertions are being sent to a Spring application but AuthnInstant is reflecting the original time of IdP login instead of when the SP initiated a login. While debugging on a development Okta account, I noticed the exact reverse of what Srikkanth described. Is this some sort of setting that could be configured differently?
I suspect that both Srikkanth and I are using Spring Security, which allows a default of 2 hours for the maximum age of AuthnInstant. On my development setup, it never triggers because AuthnInstant is updated every time, but in production, it always gets behind and exceptions are thrown.
Is there anything the application can do to force the AuthnInstant to update, IF that is the intended behavior as per your statement above?
Thank you for any clarification you might be able to provide.
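As an added illustration (not code from any poster, from Okta, or from Spring Security), the following Python check mirrors the maximum-authentication-age validation the last post describes: it reads AuthnInstant from the assertion's AuthnStatement and rejects the assertion when that instant is older than the configured limit, so an IdP that keeps returning the original login time eventually fails the check. The assertion XML, the timestamps and the 5-minute clock skew are constructed for the example; the 2-hour limit is the Spring Security default quoted in the thread.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_AUTHN_AGE = timedelta(hours=2)      # default maximum AuthnInstant age named in the thread
CLOCK_SKEW = timedelta(minutes=5)       # assumed tolerance for IdP/SP clock drift

# Constructed minimal assertion; only the parts relevant to AuthnInstant are present.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2023-01-01T10:05:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_sess">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def build_assertion(authn_instant):
    """Return the constructed sample assertion with the given AuthnInstant (xsd:dateTime, UTC)."""
    return ASSERTION_TEMPLATE.format(authn_instant=authn_instant)


def parse_saml_instant(value):
    """Parse a SAML xsd:dateTime; the trailing 'Z' is rewritten because older fromisoformat rejects it."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_authn_age(assertion_xml, now_iso, max_age=MAX_AUTHN_AGE, clock_skew=CLOCK_SKEW):
    """Return (ok, reason) for the AuthnInstant age check.

    Rejects when the AuthnStatement or AuthnInstant is missing, when AuthnInstant lies in the
    future beyond the skew tolerance, or when the authentication is older than max_age (+ skew).
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        return False, "no AuthnStatement/AuthnInstant"
    age = parse_saml_instant(now_iso) - parse_saml_instant(stmt.attrib["AuthnInstant"])
    if age < -clock_skew:
        return False, "AuthnInstant is in the future"
    if age > max_age + clock_skew:
        # This is the production failure from the thread: the IdP keeps returning the original
        # login time, so every assertion issued more than max_age after that login is rejected.
        return False, f"authentication too old: {age}"
    return True, f"authenticated {age} ago"
```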