ArintoM.44584 (Customer) asked a question.
How long SAML Request valid?
Here's the steps to reproduce:
- User start Authorize flow, with custom IDP
- Wait at the IDP login page for 26 minutes
- Complete login
- User unable to complete login. Error happens when IDP posts SAML Assertion back to Okta
The error from system log is: The attribute InResponseTo id388134544254482481244657862 in the SAML response did not match any SAML request id previously sent to the Identity Provider.
So question is how long a SAML request is valid in Okta?
Hi @ArintoM.44584 (Customer) , Thank you for reaching out to the Okta Community!
I heard that there were some issues on our end but they have been resolved.
If you are still experiencing issues, I recommend that open a case and check with the Support Team to see if it's perhaps related to them. Use OKTA-521566 as reference.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
Thank you for your thorough response, Mihai!
Hi,
I think this is still a valid question regardless of any Okta issues...
Per SAML spec, you "SHOULD" add "AudienceRestriction" element along with attributes "NotBefore" and "NotOnOrAfter" to a SAML assertion. With some other iDaaS providers, while creating a SAML connection, you can specify these attributes, but I don't see this as an option with Okta. I captured and decoded test Okta SAMLRequest, but didn't see these attributes present. I believe both of these are set to 5 minutes (see this page as well). You could test this pretty easily, right?
-Jani