Tell the Service Provider to act right lol...SAML solved most of the time stamping considerations. Out of the hundreds of Service Providers I've ever worked with, none of them have ever required the timestamp in that sense to be in an assertion O_o.
Never tried it but might could leverage some of the "DATE/TIME" Named Expression stuff - Operators - CA Single Sign-On - 12.7 - CA Technologies Documentation . Can set those up so they can be returned as an attribute perhaps and send along.
Maybe someone else has some other ideas.
But it's really silly for the Service Provider to demand something like that when everything regarding the time assertion was issued, user auth time, assertion validity, optionally recommended session duration, etc is all already present with clear definitions of their meanings. To strictly require it as an attribute statement just doesn't sit right : / .
==== EDIT ====
Would have to pretty it up, but named expression does seem to work ok. You'd want to adjust it of course to what format and timezone or whatever. Just added something like this as a rough little test:
DATETOSTRING(NOW(),'%d/%m/%y/%H:%M:%S')
Gives this value.
<ns2:AttributeStatement> <ns2:Attribute Name="timestamp" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" > <ns2:AttributeValue>16/05/17/13:13:37</ns2:AttributeValue> </ns2:Attribute>