  1. SX Spring Security Extension
  2. SES-104

SAML client doesn't take into account clock skew when processing NotBefore

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: saml-1.0.0.RC1
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels:
      None

      Description

      org.springframework.security.saml.websso.WebSSOProfileConsumerImpl

      ....
      if (conditions.getNotBefore() != null) {
          if (conditions.getNotBefore().isAfterNow()) {
              log.debug("Assertion is not yet valid, invalidated by condition notBefore", conditions.getNotBefore());
              throw new SAMLException("SAML response is not yet valid");
          }
      }

      Spring doesn't allow for any clock skew on NotBefore. It allows clock skew only on IssueInstant.

      There is a post at http://shibboleth.1660669.n2.nabble.com/SAML-Assertion-Condition-NotBefore-problem-td5581560.html about this. Basically, it is the client who must allow for any clock skew. Although the post is on the Shibboleth forum, it seems reasonable that the server shouldn't have any skew compensation capabilities.
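
A skew-tolerant form of the validity-window check discussed in the description, as an added example; it is not part of the original report and is not Spring Security SAML code. It uses java.time rather than the date type in the snippet above, it also covers NotOnOrAfter (which the report does not mention), and the class, method, skew parameter and timestamps are assumptions constructed for illustration.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;

// Added illustration, not Spring Security SAML code.
// Class, method and parameter names are hypothetical.
public class ConditionsWindowCheck {

    enum Result { VALID, NOT_YET_VALID, EXPIRED }

    // Checks a Conditions validity window against the local clock, widening
    // both ends by the permitted skew. Either bound may be null (absent).
    static Result check(Instant notBefore, Instant notOnOrAfter, Duration skew, Clock clock) {
        if (skew.isNegative()) {
            throw new IllegalArgumentException("skew must not be negative");
        }
        Instant now = clock.instant();
        // Not yet valid only if NotBefore is still in the future after
        // crediting the sender's clock with up to `skew` of lead.
        if (notBefore != null && now.plus(skew).isBefore(notBefore)) {
            return Result.NOT_YET_VALID;
        }
        // NotOnOrAfter is exclusive: valid while now - skew < NotOnOrAfter.
        if (notOnOrAfter != null && !now.minus(skew).isBefore(notOnOrAfter)) {
            return Result.EXPIRED;
        }
        return Result.VALID;
    }

    public static void main(String[] args) {
        // Constructed sample: the sender's clock runs 20 s ahead of ours.
        Instant localNow = Instant.parse("2012-01-10T12:00:00Z");
        Clock clock = Clock.fixed(localNow, ZoneOffset.UTC);
        Instant notBefore = localNow.plusSeconds(20);
        Instant notOnOrAfter = notBefore.plusSeconds(300);
        Duration skew = Duration.ofSeconds(60);

        // Zero tolerance: the strict comparison this issue describes.
        System.out.println(check(notBefore, notOnOrAfter, Duration.ZERO, clock));
        // Same assertion with a 60 s tolerance.
        System.out.println(check(notBefore, notOnOrAfter, skew, clock));
        // NotBefore 10 minutes ahead, well outside the tolerance.
        System.out.println(check(localNow.plusSeconds(600), null, skew, clock));
        // NotOnOrAfter 61 s in the past, just outside the tolerance.
        System.out.println(check(null, localNow.minusSeconds(61), skew, clock));
    }
}
```

Keeping the skew small and applying it symmetrically bounds how far the replay window of an assertion is extended on either side.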

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            vsch Vladimir Schäfer
            Reporter:
            alikic@rogers.com Aleksandar Likic