Does the application support the enforcement of the SAML assertion lifetime values set by the IdP and reject expired tokens?
Steps to reproduce
- Set up a SAML connection with the SAML Mock tool (https://saml-mock.vercel.app/ or https://samlmock.dev/)
- Enable IdP-initiated responses in the SAML connection settings
- Go to https://samlmock.dev/idp, configure the appropriate ACL and audience, and hard-code old NotOnOrAfter dates in the SAML response
- See that you’ll get an “assertion has expired” error in the tenant logs.
Yes, Auth0 enforces SAML assertion lifetime values set by the SAML IdP and will reject expired tokens with an “assertion has expired” error.