I am using Microsoft Entra ID as IDP for my web app for SAML SSO. When I navigate to my application in Chrome the AuthnInstant is from 2 days ago, however for the same URL in Chrome incognito mode it AuthnInstant is current date-time and for Firefox it is about 5 months ago. From, single-sign-on-saml-protocol The AuthnInstant attribute specifies the time at which the user authenticated with Microsoft Entra ID. I would like to know: Why do I get different values of AuthnInstant in the different use cases listed above? Once a user is authenticated with Microsoft Entra ID, how long would it be valid?

Hi @Phalgun Vaddepalli Thank you for posting this in Microsoft Q&A. I understand you are seeing different values of AuthnInstant in different browsers. Why do I get different values of AuthnInstant in the different use cases listed above? The variation in AuthnInstant values across different use cases is probably caused by discrepancies in how browsers cache SAML responses. When accessing the application in Chrome, it might retrieve a cached SAML response from 2 days ago, while in incognito mode it is not using the cache and is therefore getting a current date-time. Similarly, Firefox may be using a cached SAML response from 5 months ago. Once a user is authenticated with Microsoft Entra ID, how long would it be valid? The validity period of a SAML response is determined by the value of the NotBefore and NotOnOrAfter attributes in the Conditions element of the SAML response. These values are set by the identity provider and specifies the time at which the SAML response expires. Once the SAML response has expired, the user will need to re-authenticate to obtain a new SAML response. For your reference: https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#conditions Hope this helps. Do let us know if you any further queries. Thanks, Navya. If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.

Derivation of AuthnInstant attribute value

Phalgun Vaddepalli 0

I am using Microsoft Entra ID as IDP for my web app for SAML SSO. When I navigate to my application in Chrome the AuthnInstant is from 2 days ago, however for the same URL in Chrome incognito mode it AuthnInstant is current date-time and for Firefox it is about 5 months ago.

From, single-sign-on-saml-protocol

The AuthnInstant attribute specifies the time at which the user authenticated with Microsoft Entra ID.

I would like to know:

Why do I get different values of AuthnInstant in the different use cases listed above?
Once a user is authenticated with Microsoft Entra ID, how long would it be valid?

Navya 4,000 Reputation points Microsoft Vendor

2024-04-17T13:44:24.0166667+00:00

Hi @Phalgun Vaddepalli

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Navya 4,000 Reputation points Microsoft Vendor

2024-04-19T03:48:53.38+00:00

Hi @Phalgun Vaddepalli

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and "Up-Vote" for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

1 answer

Navya 4,000 Reputation points Microsoft Vendor

2024-04-15T11:29:27.48+00:00

Hi @Phalgun Vaddepalli

Thank you for posting this in Microsoft Q&A.

I understand you are seeing different values of AuthnInstant in different browsers.

Why do I get different values of AuthnInstant in the different use cases listed above?

The variation in AuthnInstant values across different use cases is probably caused by discrepancies in how browsers cache SAML responses. When accessing the application in Chrome, it might retrieve a cached SAML response from 2 days ago, while in incognito mode it is not using the cache and is therefore getting a current date-time. Similarly, Firefox may be using a cached SAML response from 5 months ago.

Once a user is authenticated with Microsoft Entra ID, how long would it be valid?

The validity period of a SAML response is determined by the value of the NotBefore and NotOnOrAfter attributes in the Conditions element of the SAML response. These values are set by the identity provider and specifies the time at which the SAML response expires. Once the SAML response has expired, the user will need to re-authenticate to obtain a new SAML response.

For your reference: https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#conditions

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.
Please sign in to rate this answer.
Phalgun Vaddepalli 0 Reputation points

2024-04-23T12:22:57.1466667+00:00

The variation in AuthnInstant values across different use cases is probably caused by discrepancies in how browsers cache SAML responses.

After successful authentication with Microsoft Entra ID, it redirects to Assertion Consumer Service URL with SAMLResponse and RelayState fields in the Request Payload. The value corresponding to SAMLResponse is a Base64 encoded SAML response which contains
AuthnStatement element

<AuthnStatement AuthnInstant="2023-11-22T14:50:55.578Z" SessionIndex="_77a91099-c510-4eab-9d42-89794d295100">

How does Microsoft Entra ID decide value of AuthnInstant attribute? Since the value is calculated at Microsoft Entra ID side, how would browser caching SAML response affect value of AuthnInstant?

Navya 4,000 Reputation points Microsoft Vendor

2024-04-30T10:45:17.8766667+00:00

Hi @Phalgun Vaddepalli

I Apologies for the delay in response. I'm adding more information on your questions, please review the below response.

Why do I get different values of AuthnInstant in the different use cases listed above?

As you mentioned, there are 3 different scenarios you have observed while looking at AuthnInstant for your web app for SAML SSO.

Scenario 1: When you are logging into your app in Chrome browser the AuthnInstant is from 2 days ago. This is because in Chrome browser the initial sign-in was completed by user is 2 days ago or the session token with Microsoft Entra ID is logged in 2 days ago.

Scenario 2: Same URL in Chrome incognito mode it AuthnInstant is current date-time. This is because in Chrome incognito mode there won't be any active session cookie present and when you are accessing the application user will be authenticated with Username and Password. So, you are able to see the AuthnInstant as current date-time.

Scenario 3: When you accessed the same application in Firefox it is about 5 months ago. Here you are not doing any fresh authentication, you are logging into your application by valid session which was stored in your browser. Based on this we can tell that in Firefox browser the user is completed his initial login with Microsoft Entra ID which is 5 months ago.

Once a user is authenticated with Microsoft Entra ID, how long would it be valid?

When a user authenticated to any application with Microsoft Entra ID, Token lifetime policies for access, SAML, and ID tokens are valid for 1 hour. After the validity period of the token has ended, the client must initiate a new authentication request, which will often be satisfied without interactive sign in as a result of the Single Sign On (SSO) Session token. Session tokens have a Max Inactive Time of 90 days. Once the session token expire user can no longer able to satisfy without interactive sign-ins. Please refer the below document to have more details about lifetime token policy properties.

For your reference: https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes#refresh-and-session-token-lifetime-policy-properties

How does Microsoft Entra ID decide value of AuthnInstant attribute? Since the value is calculated at Microsoft Entra ID side, how would browser caching SAML response affect value of AuthnInstant?

The AuthnInstant value of property will be calculated at the Microsoft Entra ID side, based on the user's initial sign-in as I mentioned above.

Hope this helps. Do let us know if you any further queries.
Sign in to comment