Symptoms
Assertions passed from a SAML Identity Provider (IdP) to a SAML Service Provider (SP) carry several timestamps, such as Conditions NotBefore and NotOnOrAfter and SubjectConfirmationData NotOnOrAfter, that bound the assertion's validity window and limit replay.
When BIG-IP processes an assertion as the SP, it verifies these timestamps except for SubjectConfirmationData NotOnOrAfter, which is not checked.
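The following is an added example of the check an SP should perform, not F5's code or BIG-IP configuration. It parses a constructed SAML 2.0 assertion (not a real capture; the issuer, recipient and times are invented) and validates the Conditions window together with every bearer SubjectConfirmationData NotOnOrAfter, so that an assertion whose Conditions are still valid but whose SubjectConfirmationData has expired is rejected. The `check_subject_confirmation` flag exists only to show, side by side, how an SP that skips that one attribute accepts the stale assertion.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion for illustration only (signature omitted;
# signature verification must happen before any of these checks).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z"
      NotOnOrAfter="2024-01-01T13:00:00Z"/>
</saml:Assertion>
"""


def parse_saml_time(value):
    """Parse an xsd:dateTime as used in SAML (UTC, trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = dt.datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return parsed


def check_assertion_timestamps(xml_text, now, skew=dt.timedelta(seconds=0),
                               check_subject_confirmation=True):
    """Return a list of validation errors (empty list means the timestamps are acceptable).

    `now` must be a timezone-aware datetime. `skew` is the tolerated clock
    difference between IdP and SP. With check_subject_confirmation=False the
    function reproduces an SP that ignores SubjectConfirmationData NotOnOrAfter.
    """
    root = ET.fromstring(xml_text)
    errors = []

    conditions = root.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            errors.append("Conditions NotBefore is in the future")
        if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
            errors.append("Conditions NotOnOrAfter has passed")

    if check_subject_confirmation:
        path = "saml:Subject/saml:SubjectConfirmation"
        for confirmation in root.findall(path, NS):
            if confirmation.get("Method") != BEARER:
                continue
            data = confirmation.find("saml:SubjectConfirmationData", NS)
            scd_expiry = data.get("NotOnOrAfter") if data is not None else None
            # The Web Browser SSO profile requires bearer confirmations to carry
            # NotOnOrAfter, so a missing value is a rejection, not a pass.
            if scd_expiry is None:
                errors.append("bearer SubjectConfirmationData lacks NotOnOrAfter")
            elif now - skew >= parse_saml_time(scd_expiry):
                errors.append("SubjectConfirmationData NotOnOrAfter has passed")

    return errors


def is_acceptable(xml_text, now, **kwargs):
    return not check_assertion_timestamps(xml_text, now, **kwargs)


if __name__ == "__main__":
    utc = dt.timezone.utc
    fresh = dt.datetime(2024, 1, 1, 12, 3, tzinfo=utc)
    stale = dt.datetime(2024, 1, 1, 12, 10, tzinfo=utc)
    print("fresh, full check:", check_assertion_timestamps(SAMPLE_ASSERTION, fresh))
    print("stale, full check:", check_assertion_timestamps(SAMPLE_ASSERTION, stale))
    print("stale, Conditions only:", check_assertion_timestamps(
        SAMPLE_ASSERTION, stale, check_subject_confirmation=False))
```

At 12:10Z the Conditions window (valid until 13:00Z) is still open, so an SP that checks only Conditions reports no errors, while the full check rejects the assertion because SubjectConfirmationData NotOnOrAfter (12:05Z) has passed. That gap is exactly the window in which a captured assertion can be replayed to the SP.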
Impact
As a result, BIG-IP as SP can accept an assertion whose SubjectConfirmationData NotOnOrAfter timestamp has already passed, even though the IdP intended the assertion to be rejected as stale after that time.
Conditions
This happens when the SubjectConfirmationData NotOnOrAfter timestamp is expired by the time that the BIG-IP as SP processes the assertion.
Workaround
There is no workaround at this time.