parameter notOnOrAfter should be computed against SAML message emission date
parameter notOnOrAfter should be computed against SAML message emission date, and not first authentication time.
See SAML core, section 2.5.1.2: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
And Lasso documentation: http://lasso.entrouvert.org/documentation/api-reference-dev/lasso-LassoLogin.html#lasso-login-build-assertion