Skip to content

Add Skew to NotOnOrAfter and NotBefore Assertion Conditions #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ahavriluk opened this issue Oct 25, 2018 · 5 comments · Fixed by #392
Closed

Add Skew to NotOnOrAfter and NotBefore Assertion Conditions #98

ahavriluk opened this issue Oct 25, 2018 · 5 comments · Fixed by #392
Assignees
@vharseko

Comments

@ahavriluk
Copy link

ahavriluk commented Oct 25, 2018
edited
Loading

Attribute assertionTimeSkew from sp-extended.xml is ignored.
See: https://bugster.forgerock.org/jira/browse/OPENAM-10191
@vharseko
Copy link
Member

please attach config and har log

@ahavriluk
Copy link
Author

ahavriluk commented Oct 25, 2018
edited
Loading

Description of a problem: https://medium.com/@PrakhashS/saml-assertion-condition-notbefore-notonorafter-problem-due-to-unsynced-clocks-explained-90455bc8822f

Log:

SAML2Utils.isBearerSubjectConfirmation:timeskew = 3000
libSAML2:10/24/2018 05:50:07:418 PM PDT: Thread[http-nio-9080-exec-33,5,main]: TransactionId[unknown]
SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Oct 24 17:55:09 PDT 2018
libSAML2:10/24/2018 05:50:07:419 PM PDT: Thread[http-nio-9080-exec-33,5,main]: TransactionId[unknown]
SAML2Utils.checkConditions: NotBefore Condition = Wed Oct 24 17:50:09 PDT 2018
libSAML2:10/24/2018 05:50:07:419 PM PDT: Thread[http-nio-9080-exec-33,5,main]: TransactionId[unknown]
SAML2Utils.checkConditions: The assertion does not meet NotOnOrAfter or NotBefore condition.
24-Oct-2018 17:50:07.419 INFO [http-nio-9080-exec-33] com.sun.identity.plugin.log.impl.FedletLogger.error DATE_CONDITION_NOT_MET

sp-extended.xml must have the attribute specified:

       <Attribute name="assertionTimeSkew">
           <Value>300</Value>
       </Attribute>

To reproduce: The clock on host (SP) and remote (IdP) machines must be off about 2-3 sec. Do SAML SSO with remote IdP. I was testing against Shibboleth IdP.
Your SAML response must have Conditions:
<saml2:Conditions NotBefore="2018-10-25T00:50:09.210Z" NotOnOrAfter="2018-10-25T00:55:09.210Z"><saml2:AudienceRestriction><saml2:Audience>http://www.example.com:9080/fedlet</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>

To fix:

The code which processes assertionTimeSkew for SubjectConfirmation is located in SAML2Utils.java class in openam-federation/openam-federation-library.

The snipped which reads time skew:

            // in seconds
            int timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
            String timeskewStr = getAttributeValueFromSPSSOConfig(
                    spConfig,
                    SAML2Constants.ASSERTION_TIME_SKEW);
            if (timeskewStr != null && timeskewStr.trim().length() > 0) {
                timeskew = Integer.parseInt(timeskewStr);
                if (timeskew < 0) {
                    timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
                }
            }
            if (debug.messageEnabled()) {
                debug.message(method + "timeskew = " + timeskew);
            }

The method checkConditions in SAML2Utils.java should have the code above, and code in line 901 should be updated:
the currentTimeMillis() value passed in should be adjusted to timeSkew value:

if (!conditions.checkDateValidity(currentTimeMillis())) {
...
}

Let me know if you need more details.

@vharseko
Copy link
Member

you can make pull request ?

@mattieb2013
Copy link

@ahavriluk Do you hav any plan for creating pull request for this any time soon ?

@vharseko If @ahavriluk doesn't get time to creat pull request can you please create a pull request and resolve this bug? We've run into this bug with a new integration.

maximthomas pushed a commit to maximthomas/OpenAM that referenced this issue Aug 28, 2019
@Mitsuhiro17 @maximthomas
fix Issue10 Finish button of Identity Provider wizard doesn't work (O…
d7588ed 
…penIdentityPlatform#98)
vharseko pushed a commit that referenced this issue Aug 29, 2019
@maximthomas @vharseko
Openam JP commits (#170)
dc3085b 
* Add an authz module for kbaInfo

* Use request locale in auth error messages (#31)

* Add OAuth 2 endpoint validation (#35)

* fix Issue10 Finish button of Identity Provider wizard doesn't work (#98)

* Issue #29 JavaMail debug logs are output to stdout (#97)

* disable javamail debug.

* Added copyright

* Use AUTH_LOGIN_FAILED, if user based authentication failed (#120)

* Issue #50 Deleting an instance of the authentication module registered by default also deletes the authentication modules of the same type (#100)

* Change to subConfig check first. and not remove all of tree if default module have subConfig

* add copyright to source code header

* wrong year in copyright

* fix UT
@vharseko vharseko self-assigned this Dec 11, 2020
@ajlugt
Copy link
Contributor

ajlugt commented Sep 3, 2021

I'm currently preparing a branch to solve this issue, I could be ready for a pull request in a matter of days. Is that OK? I'm just asking because @vharseko already self-assigned this.

@ajlugt ajlugt mentioned this issue Sep 8, 2021
Merged
@ekmixon ekmixon mentioned this issue Nov 28, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vharseko vharseko

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Assertion conditions with skew ajlugt/OpenAM
4 participants
@vharseko @ahavriluk @mattieb2013 @ajlugt