1 Reply Latest reply on Nov 6, 2013 3:47 PM by pcraveiro

    Difference between TokenTimeout and ClockSkew ?

    claudio4j

      Hi, I see the TokenTimeout and ClockSkew attributes for PicketLinkSTS in the idp quickstart. How are they related, and what are the differences in runtime behavior?

       

      TokenTimeout: Defines the token timeout in milliseconds.

      ClockSkew: Defines the clock skew, or timing skew, for the token timeout.

       

      Does the TokenTimeout mean that the SP side will validate the token at the IP side, when the application receives a request, when an elapsed time (since the last request) larger than the TokenTimeout occurs?

       

      Thanks

       

      Claudio

        • 1. Re: Difference between TokenTimeout and ClockSkew ?
          pcraveiro

          Hi Claudio,

           

              TokenTimeout is related to the expiration time of the assertion.

           

              The ClockSkew is used during the validation of the assertion's expiration time, which will increase the tolerance window to consider an assertion as expired.

           

              E.g.: If your token timeout is set to 1000, your assertion will expire in 1sec. But if you define the clock skew as 1000, during the validation PL will tolerate assertions with an expiration time of 2sec (token timeout + clock skew).

           

              This is especially useful when dealing with different servers (where your idps and sps reside) with time differences.

           

          Regards.
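
The arithmetic from the reply above, as an added example that is not part of the original thread and is not PicketLink's own code: TokenTimeout fixes the expiry stamped at issue time, and ClockSkew only widens the window at validation time. The class and method names are hypothetical, and applying the skew to the start of the window as well goes beyond what the reply states (an assumption based on how SAML validity conditions are commonly checked).

```java
import java.time.Instant;

// Added illustration; names are hypothetical, not PicketLink API. Requires Java 16+ (records).
public class SkewDemo {

    /** Validity window written into the assertion by the issuer: [notBefore, notOnOrAfter). */
    record Window(Instant notBefore, Instant notOnOrAfter) {}

    // Issuer side: TokenTimeout only decides how far ahead the expiry is placed.
    static Window issue(Instant issuerNow, long tokenTimeoutMs) {
        return new Window(issuerNow, issuerNow.plusMillis(tokenTimeoutMs));
    }

    // Validating side: ClockSkew is a tolerance added around the stamped window.
    // Widening the notBefore end too is an assumption of this example.
    static boolean isValid(Window w, Instant validatorNow, long clockSkewMs) {
        Instant earliest = w.notBefore().minusMillis(clockSkewMs);
        Instant latest = w.notOnOrAfter().plusMillis(clockSkewMs);
        return !validatorNow.isBefore(earliest) && validatorNow.isBefore(latest);
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2013-11-06T15:47:00Z"); // constructed issue time
        Window w = issue(t0, 1000);                         // TokenTimeout = 1000 ms

        // Validator clock readings relative to the issue time, in milliseconds.
        // Negative means the validator's clock is behind the issuer's.
        long[] offsetsMs = {-500, 0, 999, 1000, 1999, 2000};

        for (long skew : new long[] {0, 1000}) {            // ClockSkew = 0, then 1000 ms
            for (long off : offsetsMs) {
                boolean ok = isValid(w, t0.plusMillis(off), skew);
                System.out.printf("skew=%4d ms  validator at t0%+5d ms -> %s%n",
                        skew, off, ok ? "accepted" : "rejected");
            }
        }
    }
}
```

The skew is also extra time during which an already expired assertion is still accepted, so it is best kept close to the real clock difference between the hosts rather than used to lengthen token lifetime.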