
Spring security Saml - Time difference between SP and IDP

I am looking for a way to increase the expiration time of my SAML messages. I use Spring Security SAML 1.0.0-RC2.

At this moment, if the servers'** times differ too much, e.g. by 5 minutes, I get the following error:

HTTP Status 401 - Authentication Failed:Error validating SAML message: SAML response is not valid; nested exception is org.opensaml.common.SAMLException: SAML response is not valid

I want to set the expiration time to 10 minutes to prevent those errors. I have been looking at the documentation, but I don't understand how to change the expiration time. If I look at the "Configuration authentication object" section, it seems one should be able to change the expiration time, but I fail to grasp the idea.

Could somebody help me out?

** My server (SP) and server of the customer (IDP, most likely a server with ADFS installed).

After Stefan's answer, I knew where to look! Actually the docs did describe this; I just didn't pick it up: 10.3 Validity intervals. Cheers to Stefan for pointing out the responseSkew property!

Just add the property responseSkew to the WebSSOProfileConsumerImpl and SingleLogoutProfileImpl beans:

<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
    <property name="responseSkew" value="600"/> <!-- 10 minutes -->
</bean>

<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl">
    <property name="responseSkew" value="600"/> <!-- 10 minutes -->
</bean>

Looks like the allowed time difference is hard coded.

See this source file and look at the constant responseSkew. The default is 60 sec.

I think your best option here is to try to set the same time on the servers.

I know the answer has been chosen, but I am sharing the resolution I found for anyone working with Grails 3, Spring Security Core, and SAML 2.0.

I had to set maxAssertionTime value along with responseSkew for WebSSOProfileConsumerImpl to be able to get the response back from the IDP.
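The following is an added example, not code from the question or from any of the answers above and not Spring Security SAML's own code. It models the time-window checks that WebSSOProfileConsumerImpl applies to a Response (IssueInstant of the Response and Assertion, Conditions NotBefore/NotOnOrAfter), so you can see why a 5-minute clock difference fails with the default responseSkew of 60 and passes with 600, and where maxAssertionTime from the Grails answer comes in. The exact window arithmetic is my reading of the library and is an assumption; the Response contents and the SP clock value are constructed.

```python
# Added example: a model of Spring Security SAML's clock-skew checks.
# The window rules below are an assumption about how the library behaves,
# not a copy of its code; all timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass
class SamlResponse:
    issue_instant: datetime              # Response/@IssueInstant
    assertion_issue_instant: datetime    # Assertion/@IssueInstant
    not_before: Optional[datetime]       # Conditions/@NotBefore
    not_on_or_after: Optional[datetime]  # Conditions/@NotOnOrAfter


def in_skew_window(now: datetime, instant: datetime, skew_s: int, forward_s: int = 0) -> bool:
    """True if `instant` lies within [now - skew - forward, now + skew]."""
    lower = now - timedelta(seconds=skew_s + forward_s)
    upper = now + timedelta(seconds=skew_s)
    return lower <= instant <= upper


def validate(resp: SamlResponse, now: datetime,
             response_skew: int = 60, max_assertion_time: int = 3000) -> List[str]:
    """Return the list of failed checks (an empty list means the Response is accepted).

    Defaults mirror the library's documented defaults: responseSkew=60 s,
    maxAssertionTime=3000 s (assumption: both taken from the Spring SAML docs).
    """
    failures = []
    # Response IssueInstant may only deviate from the SP clock by responseSkew.
    if not in_skew_window(now, resp.issue_instant, response_skew):
        failures.append("response IssueInstant outside responseSkew")
    # Assertion IssueInstant may additionally be up to maxAssertionTime old.
    if not in_skew_window(now, resp.assertion_issue_instant, response_skew, max_assertion_time):
        failures.append("assertion IssueInstant outside responseSkew/maxAssertionTime window")
    skew = timedelta(seconds=response_skew)
    if resp.not_before is not None and resp.not_before - skew > now:
        failures.append("Conditions NotBefore in the future")
    if resp.not_on_or_after is not None and resp.not_on_or_after + skew <= now:
        failures.append("Conditions NotOnOrAfter already passed")
    return failures


def response_from_idp(sp_now: datetime, idp_offset_s: int, assertion_lifetime_s: int = 300) -> SamlResponse:
    """Constructed Response as an IdP whose clock is idp_offset_s ahead of the SP would emit it."""
    idp_now = sp_now + timedelta(seconds=idp_offset_s)
    return SamlResponse(
        issue_instant=idp_now,
        assertion_issue_instant=idp_now,
        not_before=idp_now,
        not_on_or_after=idp_now + timedelta(seconds=assertion_lifetime_s),
    )


SP_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=UTC)  # constructed SP clock


def scenario(idp_offset_s: int, response_skew: int = 60, max_assertion_time: int = 3000) -> List[str]:
    """Validate a fresh Response from an IdP whose clock is off by idp_offset_s seconds."""
    return validate(response_from_idp(SP_NOW, idp_offset_s), SP_NOW, response_skew, max_assertion_time)


if __name__ == "__main__":
    for offset in (0, 300, -300):
        for skew in (60, 600):
            print(f"IdP clock {offset:+d}s vs SP, responseSkew={skew}: {scenario(offset, skew) or 'valid'}")
    # The cost of a wider skew: the same Response presented 9 minutes later is still inside the window.
    late = SP_NOW + timedelta(seconds=540)
    print("replayed after 9 min, responseSkew=600:", validate(response_from_idp(SP_NOW, 0), late, 600) or "valid")
```

Running it shows the three failures behind the "SAML response is not valid" error when the IdP clock is 5 minutes ahead at skew 60 (Response IssueInstant, Assertion IssueInstant and NotBefore are all in the SP's future), and the single IssueInstant failure when it is 5 minutes behind; both pass at skew 600. The last line is the caveat a practitioner should weigh: responseSkew widens every time window, including NotOnOrAfter, so an assertion stays acceptable for that much longer. Syncing both hosts to NTP, as Stefan suggests, keeps the window small; raise the skew only as far as the measured clock drift requires.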
