Assertion SessionNotOnOrAfter not working with SP3

  • 7009458
  • 30-Sep-2011
  • 02-Dec-2015


Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 SUpport Pack 3 applied


Access Manager 3.1 SP3introduced a new feature to allow the Access Manager Identity (IDP) server to "Include the Session Timeout attribute in the assertion". The goal of the parameter is to dictate how long the users session should be valid at the Service Provider (SP) after consuming the assertion from the Identity Provider. The SP should discard the user session after this timeout, unless is re-establishes the users identity by resending an autentication request.

When Novell is acting as the SP and consumes an assertion with this SesssionNotOnOrAfter parameter,
the session time out is not properly set at SP and therefor the user session will not be valid on that SP for the time indicated in the SesssionNotOnOrAfter parameter - it will be valid for the locally defined session timeout on the SP instead.


Fixed with Access Manager 3.1 Support pack 4.