3.1.2 Timers

This protocol does not require timers beyond those that might be used by the underlying transport to transmit and receive messages over HTTP and SSL/TLS.

The security tokens transported in protocol messages have a specific time interval during which they are considered to be valid. This MUST be set by the security token service that issues the security tokens using the NotBefore and NotOnOrAfter attributes of the Conditions element. For further specifications, see [SAMLCore] section 2.3.2.1.1. A relying party SHOULD NOT accept security tokens if the current time is equal to or greater than the value of the NotOnOrAfter attribute or equal to or less than the value of the NotBefore attribute.

When an Authentication Context is created from security tokens, the AuthStart and AuthStop fields MUST be set from the NotBefore and NotOnOrAfter attributes of the security tokens. A resource IP/STS SHOULD NOT use an Authentication Context to grant access to a WS resource if the current time falls outside the validity interval defined by the AuthStart and AuthStop values.<46>

Implementations MAY<47> use a timer to indicate when the validity interval of a security token or an Authentication Context expires to control maintenance operations (for example, flushing caches), but the protocol does not require the use of a timer.
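The following block is an added illustration, not code from the specification or from any Microsoft implementation. It reads the `NotBefore` and `NotOnOrAfter` attributes from a constructed SAML 1.1 assertion (the assertion text, its `AssertionID` and the issuer URL are invented for the example; the assertion namespace is the SAML 1.1 one, which is what [SAMLCore] describes), applies the acceptance rule stated above for a relying party, builds an Authentication Context whose `AuthStart`/`AuthStop` are copied from those attributes, checks that context the way a resource IP/STS would before granting access, and computes the delay an optional maintenance timer could use to flush a cached context once its interval has passed. The names `ValidityInterval`, `AuthenticationContext`, `token_is_acceptable`, `context_allows_access` and `seconds_until_expiry` are this example's own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

# SAML 1.1 assertion namespace ([SAMLCore] is the SAML 1.1 core specification).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion for this example; the AssertionID and issuer are invented.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example-id"
    Issuer="https://sts.example.test/" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime value into an aware UTC datetime.

    SAML timestamps are UTC with a trailing 'Z'; datetime.fromisoformat accepts
    'Z' only from Python 3.11 on, so it is rewritten as an explicit offset.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("validity timestamps must carry a time zone")
    return parsed.astimezone(timezone.utc)


@dataclass(frozen=True)
class ValidityInterval:
    """The interval the issuing STS put on the token's Conditions element."""
    not_before: datetime
    not_on_or_after: datetime


@dataclass(frozen=True)
class AuthenticationContext:
    """Example Authentication Context; AuthStart/AuthStop come from the token."""
    subject: str
    auth_start: datetime
    auth_stop: datetime


def extract_conditions(assertion_xml: str) -> ValidityInterval:
    """Read NotBefore/NotOnOrAfter from the Conditions element; both are required here."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    try:
        not_before = parse_saml_time(conditions.attrib["NotBefore"])
        not_on_or_after = parse_saml_time(conditions.attrib["NotOnOrAfter"])
    except KeyError as missing:
        raise ValueError(f"Conditions lacks attribute {missing}") from None
    if not_on_or_after <= not_before:
        raise ValueError("NotOnOrAfter must be later than NotBefore")
    return ValidityInterval(not_before, not_on_or_after)


def token_is_acceptable(interval: ValidityInterval, now: datetime) -> bool:
    """Relying-party rule as stated in the text: reject when the current time is
    equal to or greater than NotOnOrAfter, or equal to or less than NotBefore."""
    if now >= interval.not_on_or_after:
        return False
    if now <= interval.not_before:
        return False
    return True


def build_authentication_context(subject: str, interval: ValidityInterval) -> AuthenticationContext:
    """AuthStart and AuthStop are copied from the token's NotBefore and NotOnOrAfter."""
    return AuthenticationContext(subject, interval.auth_start if False else interval.not_before,
                                 interval.not_on_or_after)


def context_allows_access(ctx: AuthenticationContext, now: datetime) -> bool:
    """Resource IP/STS check: do not grant access outside [AuthStart, AuthStop],
    using the same boundary treatment as the token rule above."""
    return token_is_acceptable(ValidityInterval(ctx.auth_start, ctx.auth_stop), now)


def seconds_until_expiry(ctx: AuthenticationContext, now: datetime) -> float:
    """Delay an optional maintenance timer could use to flush this context from a
    cache; zero once the interval has already passed."""
    remaining = (ctx.auth_stop - now).total_seconds()
    return max(0.0, remaining)


if __name__ == "__main__":
    interval = extract_conditions(SAMPLE_ASSERTION)
    now = parse_saml_time("2024-01-01T12:30:00Z")
    print("token acceptable:", token_is_acceptable(interval, now))
    ctx = build_authentication_context("subject@example.test", interval)
    print("access allowed:", context_allows_access(ctx, now))
    print("flush cache in", seconds_until_expiry(ctx, now), "seconds")
```

The check is written against the relying party's own clock; in deployments the STS and the relying party are rarely perfectly synchronized, so a small tolerance at both boundaries is a common addition, chosen so that it does not extend the usable lifetime of a token in any meaningful way. The timer value is derived from `AuthStop` rather than from a fixed interval, so a cache entry is never retained past the validity interval the issuing STS set.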