In our SAML2 connection, the SP is showing this from their LOGS:

2012-12-18 17:16:28,223 INFO
[org.apache.xml.security.signature.Reference] Verification successful
for URI "#idzJFUUPiXjL3aYo6h2KqRAiA1LfE"
2012-12-18 17:16:28,226
WARN [org.sourceid.saml20.protocol.ValidateWebSsoResponse] Invalid
assertion Assertion (idzJFUUPiXjL3aYo6h2KqRAiA1LfE) Status: INVALID
Remarks:
(Profiles 4.1.4.2) assertion could not be confirmed - here's why:
[#1subject confirmation is unsatisfactory:
[Time condition: for security reasons NotOnOrAfter
(2012-12-18T19:16:27Z) cannot be more than 74 minutes ahead of the
current time (2012-12-18T16:16:28.225Z)]]
2012-12-18 17:16:28,236
WARN [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Invalid
response: InMessageContext
XML:
<samlp:Response Destination="
https://portal002.somesp.com/federate2/sp/ACS.saml2"
ID="idegqDHBvcc.vhbMtITZwSn-sr8WY" IssueInstant="2012-12-18T16:16:27Z"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

We have manually set the assertion validity time for the SAML service
provider in the Assertion Validity field to accommodate clock skew
between the service provider and SAML Identity Server (IDP) to 300
seconds.
Yet we still see the assertion showing:

<saml:Conditions NotBefore="2012-12-18T22:39:01Z"
    NotOnOrAfter="2012-12-18T22:49:01Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://portal002.globalview.adp.com/federate2</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2012-12-18T22:44:00Z"
    SessionIndex="idjr4ZXAmCROxPZiV4-e.9nHVs4l8"
    SessionNotOnOrAfter="2012-12-19T01:44:01Z">
  <saml:AuthnContext>

How can the SessionNotOnOrAfter value be set to not more than 74
minutes from the AuthnInstant?
--

Thank You for your help!

-jim
Jim Willeke
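
An added diagnostic example, not part of the original post and not the SP's own code: it lists each upper time bound an assertion carries and how far it lies ahead of a reference time, using the 74-minute limit and the timestamps from the log above. The sample assertion is constructed; its ID, Conditions window and SessionNotOnOrAfter value are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The three places a SAML 2.0 assertion can carry an upper time bound.
BOUNDS = [
    ("SubjectConfirmationData/@NotOnOrAfter", ".//saml:SubjectConfirmationData", "NotOnOrAfter"),
    ("Conditions/@NotOnOrAfter", "./saml:Conditions", "NotOnOrAfter"),
    ("AuthnStatement/@SessionNotOnOrAfter", "./saml:AuthnStatement", "SessionNotOnOrAfter"),
]

# Constructed sample. The SubjectConfirmationData value and IssueInstant come
# from the log; the Conditions window and SessionNotOnOrAfter are assumptions.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed" IssueInstant="2012-12-18T16:16:27Z" Version="2.0">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2012-12-18T19:16:27Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-12-18T16:11:27Z" NotOnOrAfter="2012-12-18T16:21:27Z"/>
  <saml:AuthnStatement AuthnInstant="2012-12-18T16:16:27Z"
      SessionNotOnOrAfter="2012-12-18T19:16:27Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse an xs:dateTime in UTC ('Z' suffix, optional fractional seconds)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def time_bounds(assertion_xml, now, max_ahead):
    """Return (bound, minutes ahead of `now`, exceeds max_ahead) per bound found.

    Intended for a locally captured assertion, not for untrusted input.
    """
    root = ET.fromstring(assertion_xml)
    report = []
    for label, path, attr in BOUNDS:
        for el in root.findall(path, NS):
            if attr in el.attrib:
                ahead = parse_ts(el.attrib[attr]) - parse_ts(now)
                report.append((label, round(ahead.total_seconds() / 60, 1), ahead > max_ahead))
    return report


if __name__ == "__main__":
    # Reference time and limit as reported in the SP log.
    for row in time_bounds(SAMPLE, "2012-12-18T16:16:28.225Z", timedelta(minutes=74)):
        print(row)
```

The log's remark names the subject confirmation bound; the other two bounds are listed so they can be compared against the same limit.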