FusionAuth / fusionauth-samlv2

SAML v2.0 bindings in Java using JAXB
Apache License 2.0

Subject Confirmation in AuthN response should not have NotBefore #4

Closed robotdan closed 3 years ago

robotdan commented 3 years ago

See https://github.com/FusionAuth/fusionauth-issues/issues/1215

See lines 633 and 644 https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf

However, other SAML responses I've seen include NotBefore, so I don't know if this is a hard rule? Re: FusionAuth Issue 1215, it seems to be breaking an Azure SAML v2 SP.

Example response which includes NotBefore : https://www.samltool.com/generic_sso_res.php

Currently in DefaultSAMLv2Service.buildAuthnResponse line 212 we are setting NotBefore. https://github.com/FusionAuth/fusionauth-samlv2/blob/cabe5ba2b79576177f028c4738145658e2bd2d01/src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java#L212
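The rule the issue points at is in the SAML 2.0 Profiles specification, section 4.1.4.2 (Web Browser SSO, Response usage): the bearer SubjectConfirmationData in an assertion returned to an AuthnRequest MUST contain Recipient and NotOnOrAfter (and InResponseTo when answering a request) and MUST NOT contain NotBefore. NotBefore remains perfectly legal on the assertion's Conditions element, which is why a strict SP can reject the response while a casual reading of the XML looks fine. The following Python is an added example, not code from fusionauth-samlv2 or from any SP; the function names, the unsigned sample response, and the endpoint URLs are all constructed for illustration. It performs the SP-side check a strict relying party would apply, and shows the IdP-side correction of simply not emitting the attribute on SubjectConfirmationData while leaving Conditions untouched.

```python
"""Check bearer SubjectConfirmationData against the SAML 2.0 Web Browser SSO
profile rules (Profiles spec section 4.1.4.2) and show the IdP-side fix."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Keep the samlp/saml prefixes when re-serialising (ElementTree would otherwise emit ns0/ns1).
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed, unsigned sample (not captured from any real IdP). The NotBefore on
# SubjectConfirmationData is the attribute this issue is about; the NotBefore on
# <Conditions> is legitimate and must survive any fix.
RESPONSE_WITH_NOTBEFORE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    InResponseTo="_req1" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotBefore="2021-01-01T00:00:00Z"
            NotOnOrAfter="2021-01-01T00:05:00Z"
            Recipient="https://sp.example.com/acs" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-01-01T00:00:00Z" NotOnOrAfter="2021-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_bearer_confirmations(response_xml: str) -> List[str]:
    """SP-side check. Returns the profile violations found in bearer
    SubjectConfirmationData elements; an empty list means the response conforms."""
    root = ET.fromstring(response_xml)
    problems: List[str] = []
    solicited = root.get("InResponseTo") is not None
    confirmations = root.findall(".//saml:Assertion/saml:Subject/saml:SubjectConfirmation", NS)
    bearer = [c for c in confirmations if c.get("Method") == BEARER]
    if not bearer:
        problems.append("no bearer SubjectConfirmation present")
    for sc in bearer:
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation lacks SubjectConfirmationData")
            continue
        # Profiles 4.1.4.2: NotBefore is forbidden here (it belongs on <Conditions>).
        if "NotBefore" in data.attrib:
            problems.append("SubjectConfirmationData MUST NOT contain NotBefore")
        required = ["NotOnOrAfter", "Recipient"] + (["InResponseTo"] if solicited else [])
        for name in required:
            if name not in data.attrib:
                problems.append(f"SubjectConfirmationData lacks required {name}")
    return problems


def strip_subject_confirmation_not_before(response_xml: str) -> str:
    """IdP-side correction: drop NotBefore from every SubjectConfirmationData only.
    This has to happen before the assertion is signed; editing a signed assertion
    invalidates its signature. It stands in for not setting the attribute at all."""
    root = ET.fromstring(response_xml)
    for data in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        data.attrib.pop("NotBefore", None)
    return ET.tostring(root, encoding="unicode")


def attrs_of(response_xml: str, local_name: str) -> Dict[str, str]:
    """Attributes of the first saml:<local_name> element, for inspection in tests."""
    root = ET.fromstring(response_xml)
    elem = root.find(f".//saml:{local_name}", NS)
    return dict(elem.attrib) if elem is not None else {}


if __name__ == "__main__":
    print("before:", check_bearer_confirmations(RESPONSE_WITH_NOTBEFORE))
    fixed = strip_subject_confirmation_not_before(RESPONSE_WITH_NOTBEFORE)
    print("after: ", check_bearer_confirmations(fixed))
```

The check deliberately reports every violation instead of stopping at the first, which is what you want when diagnosing an interop failure against an SP that only tells you "invalid assertion". The strip function is the behavioural equivalent of the fix: once the attribute is no longer emitted on SubjectConfirmationData, the Conditions NotBefore still carries the validity window and nothing else about the assertion changes.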

robotdan commented 3 years ago

@voidmain any opinion here? Seems like we are breaking spec, but it seems to me an SP should just ignore this assertion if they don't like it.

voidmain commented 3 years ago

I'd say we stick to the spec unless there are IdPs that require this to be set. I couldn't imagine that would be the case though.

robotdan commented 3 years ago

Fixed in 0.5.7