Closed. robotdan closed this issue 3 years ago.
@voidmain any opinion here? Seems like we are breaking spec, but it seems to me an SP should just ignore this assertion if they don't like it.
I'd say we stick to the spec unless there are IdPs that require this to be set. I couldn't imagine that would be the case though.
Fixed in 0.5.7
See https://github.com/FusionAuth/fusionauth-issues/issues/1215
See lines 633 and 644 of https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf
However, other SAML responses I've seen include `NotBefore`, so I don't know if this is a hard rule? Re: FusionAuth Issue 1215, it seems to be breaking an Azure SAML v2 SP.

Example response which includes `NotBefore`: https://www.samltool.com/generic_sso_res.php

Currently in `DefaultSAMLv2Service.buildAuthnResponse` line 212 we are setting `NotBefore`. https://github.com/FusionAuth/fusionauth-samlv2/blob/cabe5ba2b79576177f028c4738145658e2bd2d01/src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java#L212