Honoring NotBefore/NotOnOrAfter timeout in SAML response


Naveen Gujjar

Nov 16, 2022, 2:20:31 AM
to Pac4j users mailing list
One of our customers is complaining that we accept the SAML response document past the NotBefore/NotOnOrAfter time available in the SAML response.

I have looked into the pac4j SAML code and it looks like pac4j also honors these values, with some accepted clock skew.

I tried changing the default clock skew of 5 min to 0 in code, but pac4j starts failing with some IdPs.

I would like to know whether pac4j honors these values or not.

"A failed test is if they submit the document late (sending past the timeout); they have to test within 30 seconds past the timeout (or some time past the timeout). It was still accepted. It should not accept the document past the timeout. This is part of the SAML protocol requirements. "Not on or after" is the name of the section."

The above quoted text is from the testing scenario. Can someone confirm the same?

Thanks & Regards,
Naveen Kumar

Jérôme LELEU

Nov 16, 2022, 7:24:57 AM
to Naveen Gujjar, Pac4j users mailing list
Hi,

pac4j honors the NotBefore/NotOnOrAfter time available in SAML response as well as the accepted clock skew. It should work.
Did you try some debugging in the validateAssertionConditions method of the SAML2AuthnResponseValidator component?
Thanks.
Best regards,
Jérôme



Naveen Gujjar

Dec 8, 2022, 6:07:26 AM
to Jérôme LELEU, Pac4j users mailing list
Hi,

Thanks for your reply. It looks like we are checking the NotOnOrAfter field in the SAML response, but with clock skew?

Is it possible to change the clock skew for the Conditions field only in the SAML response, and not for the other places?

Currently, if I set the setClockSkew field, it gets applied everywhere?

validateAssertionConditions method in the SAML2AuthnResponseValidator class:

    if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow()) {
        throw new SAMLAssertionConditionException("Assertion condition notOnOrAfter is not valid");
    }
Any help would be appreciated.

Thanks & Regards,
Naveen Kumar
--
Naveen Kumar | Senior Software Engineer
Veritas Technologies Pvt LTD

Jérôme LELEU

Dec 8, 2022, 9:12:59 AM
to Naveen Gujjar, Pac4j users mailing list
Hi,

Why do you want to remove the acceptedSkew?
It should accept more conditions this way.
Thanks.
Best regards,
Jérôme

Naveen Gujjar

Dec 19, 2022, 1:44:59 AM
to Pac4j users mailing list
Hi,

We want to remove the acceptedSkew so that the SAML response is validated based on the values in the SAML response itself, without adding any acceptedSkew to them.

Below is what we got from our security team.

[image t1.png: the Conditions element of a sample SAML assertion, showing its NotBefore and NotOnOrAfter values]

"All SAML assertions contain a "Conditions" tag. That tag will contain a "NotBefore" value and a "NotOnOrAfter" value.

We test to see that the system receiving the SAML assertion is checking those conditions and rejecting the SAML document when either condition fails.

If you look at the above values, you can see this SAML assertion would be valid for only 2 minutes (16:22:02 through 16:24:02).

The company that is asserting the identity (i.e. building the SAML assertion) can set these values to make as large or as small a window as desired.

Our test is to build the document and prevent the browser from sending the document until after the "NotOnOrAfter" time has been reached. We then expect the receiving system to reject the login.

Your system should reject the document based on the values in the conditions statement (i.e. not based on some arbitrary fixed time window)."

Currently it accepts the document even after the time has passed, because of the default accepted skew.

Can you please let us know if we can change this code without affecting the IssueInstant field in the SAML response? Currently in pac4j-saml the same acceptedSkew is used in both places.

Please let us know your thoughts.



Thanks & Regards,
Naveen Kumar
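The check the thread is arguing about, as an added example that is not part of this thread and not pac4j's code. It is written in Python rather than Java so it runs stand-alone, and it separates the tolerance for the Conditions window (`conditions_skew`) from the tolerance for IssueInstant (`issue_instant_skew`); both parameter names, the `max_age` bound and the sample assertion are assumptions made for the example. The sample timestamps reuse the two-minute window quoted by the security team (16:22:02 through 16:24:02), and the demonstration presents the assertion 30 seconds late, as in their test: with a 300-second skew it is accepted, with a 0-second skew on the Conditions window it is rejected, while IssueInstant keeps its own tolerance.

```python
"""Added example (not pac4j code): validate SAML IssueInstant and <Conditions>
with a separate clock skew for the Conditions window and for IssueInstant."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real IdP response). The window matches the one the
# security team quotes in the thread: valid from 16:22:02 through 16:24:02.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2022-12-19T16:22:02Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Conditions NotBefore="2022-12-19T16:22:02Z"
                   NotOnOrAfter="2022-12-19T16:24:02Z"/>
</saml:Assertion>
"""


class SamlTimeError(Exception):
    """Raised when an assertion fails a time-based check."""


def parse_instant(value):
    """Parse an xs:dateTime as SAML writes it (UTC with a 'Z' suffix)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() accepts 'Z' only from 3.11
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise SamlTimeError("timestamp without a time zone: %s" % value)
    return dt.astimezone(timezone.utc)


def validate_assertion_times(xml_text, now, conditions_skew=0,
                             issue_instant_skew=300, max_age=3600):
    """Check IssueInstant and <Conditions> against `now`, each with its own skew.

    conditions_skew: seconds of tolerance added around the NotBefore/NotOnOrAfter
        window; 0 enforces the window exactly as the IdP wrote it (assumed name).
    issue_instant_skew: tolerance for an IssueInstant slightly in the future.
    max_age: reject assertions issued more than this many seconds ago.
    Raises SamlTimeError on failure; returns the parsed window on success.
    """
    root = ET.fromstring(xml_text)
    issue_instant = parse_instant(root.get("IssueInstant"))
    if issue_instant > now + timedelta(seconds=issue_instant_skew):
        raise SamlTimeError("IssueInstant is in the future")
    if issue_instant < now - timedelta(seconds=max_age + issue_instant_skew):
        raise SamlTimeError("assertion is too old")

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise SamlTimeError("assertion has no Conditions element")
    skew = timedelta(seconds=conditions_skew)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None and now < parse_instant(not_before) - skew:
        raise SamlTimeError("assertion is not yet valid (NotBefore)")
    # NotOnOrAfter is exclusive: an assertion presented exactly at that instant
    # is already expired, hence >= rather than >.
    if not_on_or_after is not None and now >= parse_instant(not_on_or_after) + skew:
        raise SamlTimeError("assertion has expired (NotOnOrAfter)")
    return not_before, not_on_or_after


def accepted(xml_text, now, **kwargs):
    """True if the assertion passes the time checks, False otherwise."""
    try:
        validate_assertion_times(xml_text, now, **kwargs)
        return True
    except SamlTimeError:
        return False


if __name__ == "__main__":
    # Present the assertion 30 s past NotOnOrAfter, as in the security team's test.
    late = parse_instant("2022-12-19T16:24:32Z")
    for skew in (300, 0):
        verdict = "accepted" if accepted(SAMPLE_ASSERTION, late, conditions_skew=skew) else "rejected"
        print("conditions_skew=%ds, presented 30 s late -> %s" % (skew, verdict))
```

Setting `conditions_skew` to 0 satisfies the requirement that rejection be driven by the values in the Conditions element alone, while a non-zero `issue_instant_skew` still absorbs the IdP clock drift that made the all-or-nothing 0 setting fail with some IdPs; in practice a small Conditions skew (a few seconds) is the usual compromise, since an IdP whose clock runs ahead will otherwise produce assertions that are "not yet valid" on arrival.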
