Symantec Access Management

Tech Tip : CA Single Sign-On : Federation :: Affiliate Agent : UTC and IssueInstant Date Format

  • 1.  Tech Tip : CA Single Sign-On : Federation :: Affiliate Agent : UTC and IssueInstant Date Format

    Broadcom Employee
    Posted Mar 24, 2017 05:59 AM

    Issue :

     

    I run a Federation environment as IdP, and the Affiliate Agent is unable to parse the SAML assertion; I am getting this error:

     

    [ERROR] SAML_ParseException occurred while trying to parse the SAML Response received. Exception: Parsing SAML_Assertion: Could not parse date in <IssueInstant> Element(2011-08-11T13:12:47+02:00)

     

    Indeed, the IssueInstant has the value 2011-08-11T13:12:47+02:00, which does not end with Z (Zulu time). Is 2011-08-11T13:12:47+02:00 UTC time?


    Cause :

     

    The format that the Affiliate Agent receives (2011-08-11T13:12:47+02:00) is not UTC. The time "2011-08-11T13:12:47+02:00" is local time and not UTC.

     

    According to OASIS, the IssueInstant should be written in UTC format.
    IssueInstant [Required]
      The time instant of issue in UTC, as described in Section 1.3.3
     
      https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
     

     

    Solution:

     

    Our product works as designed and respects these guidelines. You should ask the SP side to send the IssueInstant in UTC format.

     

    KB : TEC563486
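
Added example, not part of the original post or of the product: a Python check that lists every IssueInstant attribute in a captured SAML message, flags values that are not written in UTC "Z" form, and gives the same instant in that form. The sample message, issuer URL and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML core section 1.3.3: time values are xs:dateTime expressed in UTC form.
UTC_FORM = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Constructed sample message (not taken from the post): the Response is in
# UTC form, the Assertion carries the offset form quoted in the error above.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response" Version="2.0"
                IssueInstant="2011-08-11T11:12:47Z">
  <saml:Assertion ID="_constructed-assertion" Version="2.0"
                  IssueInstant="2011-08-11T13:12:47+02:00">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
  </saml:Assertion>
</samlp:Response>
"""

def to_utc_form(value):
    """Return the same instant as a UTC 'Z' timestamp (whole seconds)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("no zone designator, instant is ambiguous: " + value)
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def check_issue_instants(xml_text):
    """Return (element, value, is_utc_form, utc_equivalent) per IssueInstant."""
    # Meant for captured messages during troubleshooting; use a hardened
    # parser such as defusedxml when the XML comes from an untrusted party.
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = elem.get("IssueInstant")
        if value is None:
            continue
        local_name = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        findings.append((local_name, value, bool(UTC_FORM.match(value)),
                         to_utc_form(value)))
    return findings

if __name__ == "__main__":
    for name, value, ok, utc in check_issue_instants(SAMPLE_RESPONSE):
        print(f"{name}: {value} -> {'OK' if ok else 'not UTC form, use ' + utc}")
```
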



  • 2.  Re: Tech Tip : CA Single Sign-On : Federation :: Affiliate Agent : UTC and IssueInstant Date Format