IBM Support

QRadar SOAR: SAML Not-On-or-After/NotBefore

How To


Summary

How to set SAML Not-On-or-After or NotBefore in QRadar SOAR?

Objective

We recommend configuring your SAML provider so that responses are only valid for a short period of time.

Steps

We adhere to the "NotBefore" and "NotOnOrAfter" attributes. Also, all communication is over HTTPS, which prevents the response from being discovered.

If you are unable to configure your SAML provider, you may configure the appliance to accept a larger time skew.
SAML has strict settings for time skew that can result in errors when a user attempts to log in. This occurs if the Resilient Appliance’s time is out of sync with the Identity Provider’s time, and the result is a login failure. To prevent such errors, you can either adjust the Identity Provider’s skew value or set an allowable skew using the co3util tool. For example:
 
  • To see the current configuration, if any:
    sudo resutil configget -key saml.allowed_clock_skew_millis
  • To set it to a 30-second timeout:
    sudo resutil configset -key saml.allowed_clock_skew_millis -ivalue 30000
  • To back out (remove) the SAML timeout configuration:
    sudo resutil configset -key saml.allowed_clock_skew_millis -delete
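
The following is an added example, not IBM code and not taken from the product: it shows the generic NotBefore/NotOnOrAfter check a SAML receiver performs and how an allowed skew changes the outcome when the receiver's clock drifts. The function names and the sample Conditions element are constructed for illustration; only the parameter name mirrors the saml.allowed_clock_skew_millis key above.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample: a Conditions element with a 5-minute validity window.
# A real receiver reads this only from an assertion whose signature it has verified.
SAMPLE_CONDITIONS = (
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2021-04-19T12:00:00Z" NotOnOrAfter="2021-04-19T12:05:00Z"/>'
)

def parse_ts(value):
    """Parse a UTC SAML timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")

def check_window(conditions_xml, now, allowed_clock_skew_millis=0):
    """Return 'ok', 'not_yet_valid' or 'expired' as seen by the receiver's clock."""
    cond = ET.fromstring(conditions_xml)
    skew = timedelta(milliseconds=allowed_clock_skew_millis)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # Receiver clock behind the IdP: the response looks like it is from the future.
    if not_before and now + skew < parse_ts(not_before):
        return "not_yet_valid"
    # Receiver clock ahead of the IdP: the response looks stale.
    if not_on_or_after and now - skew >= parse_ts(not_on_or_after):
        return "expired"
    return "ok"

if __name__ == "__main__":
    # Constructed scenario: receiver clock runs 20 seconds behind the IdP.
    behind = datetime(2021, 4, 19, 11, 59, 40, tzinfo=timezone.utc)
    print(check_window(SAMPLE_CONDITIONS, behind))          # strict check
    print(check_window(SAMPLE_CONDITIONS, behind, 30000))   # 30 s allowed skew
```

The skew widens the acceptance window on both ends, so a larger value also lengthens the time during which a captured response would still be accepted; keeping clocks synchronized lets the value stay small.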

Document Location

Worldwide


Document Information

Modified date:
19 April 2021

UID

ibm11162720