Spring security SAML assertion expired

How and when does the Service Provider (Spring Security SAML) validate that the assertion is out of date?

I have a Service Provider created and configured in a web application. My Identity Provider is ADFS 2.0; it authenticates and returns a SAML response with an assertion. This assertion has a "Condition" with the flags "NotBefore" and "NotOnOrAfter". As of now my assertion is valid for 1 min.

When I am authenticated, my client session is valid for 10 min. This means that my assertion will expire while the client session is still valid. Should the Service Provider detect that my assertion has expired and therefore ask the IdP to reauthenticate? What am I missing?
I faced your same problem and am still investigating it. It seems to be a time difference between the SP and the IdP. You can test it by extending WebSSOProfileConsumerImpl and implementing the verifyAssertion method. Here is the code, commented:
    import org.opensaml.common.SAMLException;
    import org.opensaml.saml2.core.Assertion;
    import org.opensaml.saml2.core.AuthnRequest;
    import org.opensaml.saml2.core.AuthnStatement;
    import org.opensaml.xml.encryption.DecryptionException;
    import org.opensaml.xml.validation.ValidationException;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.saml.context.SAMLMessageContext;
    import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

    public class TestingWebSSOProfileConsumer extends WebSSOProfileConsumerImpl {

        @Override
        protected void verifyAssertion(Assertion assertion, AuthnRequest request, SAMLMessageContext context)
                throws AuthenticationException, SAMLException, org.opensaml.xml.security.SecurityException,
                       ValidationException, DecryptionException {
            /*// Verify storage time skew (disabled for this test)
            if (!isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant())) {
                throw new SAMLException("Assertion is too old to be used, value can be customized by setting maxAssertionTime value " + assertion.getIssueInstant());
            }*/
            // Verify validity of storage
            // Advice is ignored, core 574
            verifyIssuer(assertion.getIssuer(), context);
            verifyAssertionSignature(assertion.getSignature(), context);
            // Check subject
            if (assertion.getSubject() != null) {
                verifySubject(assertion.getSubject(), request, context);
            } else {
                throw new SAMLException("Assertion does not contain subject and is discarded");
            }
            // Assertion with authentication statement must contain audience restriction
            if (assertion.getAuthnStatements().size() > 0) {
                // Conditions check (NotBefore / NotOnOrAfter / audience) disabled for this test
                //verifyAssertionConditions(assertion.getConditions(), context, true);
                for (AuthnStatement statement : assertion.getAuthnStatements()) {
                    if (request != null) {
                        verifyAuthenticationStatement(statement, request.getRequestedAuthnContext(), context);
                    } else {
                        verifyAuthenticationStatement(statement, null, context);
                    }
                }
            } else {
                verifyAssertionConditions(assertion.getConditions(), context, false);
            }
        }
    }
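To answer the "how and when" part: Spring Security SAML checks NotBefore and NotOnOrAfter once, inside verifyAssertionConditions, while the SAML response is being consumed at login, widening the window on both sides by the responseSkew setting (60 seconds by default). The assertion window is not re-evaluated against the HTTP session afterwards, so a 1-minute assertion with a 10-minute session is the expected behaviour; the session's lifetime is the servlet container's, not the assertion's. The class below is an added example, not code from the question, the answer, or the Spring Security SAML project: instead of commenting the check out, it reports how far the assertion's window is from the SP clock and then delegates to the framework's own check, so a clock drift between ADFS and the SP shows up in the log while expired or not-yet-valid assertions are still rejected. It assumes Spring Security SAML 1.0.x (WebSSOProfileConsumerImpl, SAMLMessageContext), OpenSAML 2 with Joda-Time, and SLF4J for logging; the class name, log messages and the bean id in the comment are ours.

```java
import org.joda.time.DateTime;
import org.joda.time.Duration;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Conditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

/**
 * Added example: reports the distance between the assertion's validity window and the
 * SP clock, then runs the stock check unchanged. Nothing is disabled, so an assertion
 * outside NotBefore/NotOnOrAfter (plus responseSkew) is still rejected.
 *
 * Wire it in place of the default consumer (bean id is an assumption):
 *   <bean id="webSSOprofileConsumer" class="SkewReportingConsumer">
 *     <property name="responseSkew" value="120"/> <!-- seconds, default is 60 -->
 *   </bean>
 */
public class SkewReportingConsumer extends WebSSOProfileConsumerImpl {

    private static final Logger log = LoggerFactory.getLogger(SkewReportingConsumer.class);

    @Override
    protected void verifyAssertionConditions(Conditions conditions, SAMLMessageContext context,
                                             boolean audienceRequired) throws SAMLException {
        if (conditions != null) {
            DateTime now = new DateTime();               // SP clock, read once per response
            long skewMillis = getResponseSkew() * 1000L; // tolerance configured on this bean
            DateTime notBefore = conditions.getNotBefore();
            DateTime notOnOrAfter = conditions.getNotOnOrAfter();

            if (notBefore != null && notBefore.isAfter(now)) {
                // IdP clock ahead of ours: fix NTP on one side rather than widen responseSkew
                long aheadMillis = new Duration(now, notBefore).getMillis();
                log.warn("Assertion NotBefore is {} ms ahead of the SP clock (responseSkew {} ms)",
                         aheadMillis, skewMillis);
            }
            if (notOnOrAfter != null && !notOnOrAfter.isAfter(now)) {
                // Window already closed on our clock: either real expiry or our clock runs ahead
                long pastMillis = new Duration(notOnOrAfter, now).getMillis();
                log.warn("Assertion NotOnOrAfter passed {} ms ago (responseSkew {} ms)",
                         pastMillis, skewMillis);
            }
            if (notBefore != null && notOnOrAfter != null) {
                // How long the IdP meant this assertion to live (1 minute in the question)
                log.debug("Assertion validity window is {} ms",
                          new Duration(notBefore, notOnOrAfter).getMillis());
            }
        }
        // The accept/reject decision stays in the framework; this only makes it explainable.
        super.verifyAssertionConditions(conditions, context, audienceRequired);
    }
}
```

If the warnings show a constant offset of a few seconds to minutes, the clocks are the problem and NTP on the ADFS host and the SP host is the fix; raising responseSkew only hides it and lengthens the replay window. If the SP should also end the user's session early, that has to be done on the session side (servlet session timeout, or your own filter comparing the stored SAMLCredential's assertion conditions against the current time), because the consumer runs only at login.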