NotOnOrAfter

NotOnOrAfter is a time-based condition used in the Security Assertion Markup Language (SAML) for controlling the validity window of a SAML assertion. It appears as part of the SubjectConfirmationData element (and, in broader terms, within the Conditions of an assertion) and indicates the latest time at which the assertion is considered valid. The value is expressed as a UTC timestamp in ISO 8601 format.

When validating a SAML response, a service provider or relying party compares the current time to the NotOnOrAfter timestamp. If the current time is greater than or equal to NotOnOrAfter, the assertion should be rejected as expired. NotOnOrAfter is typically used in conjunction with NotBefore, which defines the earliest valid time, to establish a valid time window during which the assertion may be used.

Implementation considerations include accounting for clock skew between systems. Relying parties often apply a small tolerance (for example, a few minutes) to avoid legitimate logins failing due to minor time differences. The NotOnOrAfter value can apply to the entire assertion or to the SubjectConfirmationData, depending on the profile and how the assertion is issued.

Misconfigurations can lead to security or usability issues: setting NotOnOrAfter too tightly may cause valid logins to fail after a short period; setting it too loosely can increase the risk of credential reuse or replay. NotOnOrAfter is defined in the SAML 2.0 specifications as part of the conditions governing assertions and subject confirmations.
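The validity-window check described above, written out as an added example (not code from any SAML library or from the original page): it reads NotBefore/NotOnOrAfter from both the Conditions element and every SubjectConfirmationData, applies a symmetric clock-skew tolerance, and treats NotOnOrAfter as an exclusive bound. The assertion, hostnames and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical hosts and times, not from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.test/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime; SAML 2.0 requires UTC with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamps must be UTC ('Z'): {value!r}")
    return datetime.fromisoformat(value[:-1] + "+00:00")


def check_validity_window(assertion_xml, now, skew_seconds=120):
    """Return (ok, reason) after applying NotBefore/NotOnOrAfter from Conditions
    and from every SubjectConfirmationData, with a symmetric clock-skew tolerance.
    NotOnOrAfter is exclusive: a current time equal to it is already expired."""
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(assertion_xml)
    windows = []
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        windows.append(("Conditions", cond.get("NotBefore"), cond.get("NotOnOrAfter")))
    for scd in root.findall(".//saml:SubjectConfirmationData", NS):
        windows.append(("SubjectConfirmationData", scd.get("NotBefore"), scd.get("NotOnOrAfter")))
    # Refuse an assertion with no expiry at all: it could otherwise be replayed indefinitely.
    if not any(noa for _, _, noa in windows):
        return False, "no NotOnOrAfter present"
    for where, nb, noa in windows:
        if nb is not None and now + skew < parse_saml_time(nb):
            return False, f"{where}: not yet valid (NotBefore={nb})"
        if noa is not None and now - skew >= parse_saml_time(noa):
            return False, f"{where}: expired (NotOnOrAfter={noa})"
    return True, "within validity window"
```

The skew is applied in both directions, so a relying party two minutes behind the IdP still accepts a fresh assertion, while the exclusive NotOnOrAfter boundary still rejects one the moment the adjusted time reaches it.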