Federation :: Affiliate Agent : UTC and IssueInstant Date Format

Document ID : KB000021712
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue :

I run Federation environment as IdP and the Affiliate Agent is unable to parse the SAML assertion as getting this error:

[ERROR] SAML_ParseException occurred while trying to parse the SAML Response received. Exception: Parsing SAML_Assertion: Could not parse date in <IssueInstant> Element(2011-08-11T13:12:47+02:00)

Indeed, the IssueInstant as the value 2011-08-11T13:12:47+02:00 which is not ending with Z as Zulu time. Is the 2011-08-11T13:12:47+02:00 UTC time ?

 

Cause :

The format that the Affiliate Agent receive (2011-08-11T13:12:47+02:00) is not UTC. The time "2011-08-11T13:12:47+02:00" is local time and not UTC.

According to OASIS, the IssueInstant should be written in UTC format.

IssueInstant [Required]
  The time instant of issue in UTC, as described in Section 1.3.3
 
  https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
 

Solution:

Our product works as designed and respects these guidelines. You should ask the SP side to send the IssueInstant in UTC format.