OpenConext / Stepup-Project

Managing issues for Stepup-* projects

Limit SubjectConfirmationData validity to Assertion validity #222

Closed phavekes closed 2 hours ago

phavekes commented 2 hours ago

This issue is imported from pivotal - Originally created at May 25, 2018 by Pieter van der Meulen

In the SAML Assertions that are generated by the Stepup-Gateway, the time in the NotOnOrAfter attribute of the saml:SubjectConfirmationData element exceeds what is specified in the NotOnOrAfter attribute of the Conditions element. This causes a "Response contains no valid assertions" error in NetIQ Access Manager.

See the SAML 2.0 core specification, section 2.4.1.2, line 756, which says:

Note that the time period specified by the optional NotBefore and NotOnOrAfter attributes, if present, SHOULD fall within the overall assertion validity period as specified by the element's NotBefore and NotOnOrAfter attributes. If both attributes are present, the value for NotBefore MUST be less than (earlier than) the value for NotOnOrAfter.

Excerpt of an Assertion from the Stepup-Gateway:

        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:institution-a.nl:pieter-a1</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2018-05-25T22:24:13Z"
                    Recipient="https://sa.test2.surfconext.nl/authentication/consume-assertion"
                    InResponseTo="_91fa0e322d7962354bce7e93f16cf538a60d6047e708b26e55f93d2807fd"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2018-05-25T14:24:13Z" NotOnOrAfter="2018-05-25T14:29:13Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://sa.test2.surfconext.nl/authentication/metadata</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>

Note that the NotOnOrAfter time of the SubjectConfirmationData is 8 hours after the NotBefore time of the Conditions element, whereas the Conditions has a NotOnOrAfter of 5 minutes after the NotBefore time.

To improve compatibility with other implementations, I want the NotOnOrAfter attribute of the SubjectConfirmation element to be set equal to the NotOnOrAfter attribute of the Conditions element. I.e.:

                <saml:SubjectConfirmationData NotOnOrAfter="2018-05-25T14:29:13Z"
                    Recipient="https://sa.test2.surfconext.nl/authentication/consume-assertion"
                    InResponseTo="_91fa0e322d7962354bce7e93f16cf538a60d6047e708b26e55f93d2807fd"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2018-05-25T14:24:13Z" NotOnOrAfter="2018-05-25T14:29:13Z">

This behaviour is the same as OpenConext engine.
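The check described in this issue (SubjectConfirmationData validity falling inside the Conditions validity window, SAML core 2.4.1.2), as an added example that is not part of the issue or of the Stepup-Gateway code. The sample assertion is constructed from the excerpt above, wrapped in a minimal saml:Assertion with an assumed Issuer so it parses stand-alone; check_confirmation_window reports the violation an SP such as NetIQ Access Manager would trip over, and align_confirmation_window applies the change the issue asks for (SubjectConfirmationData NotOnOrAfter set equal to Conditions NotOnOrAfter). Both function names are mine. The alignment only makes sense at generation time, before the assertion is signed: rewriting attributes of a signed assertion invalidates the signature.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)
SCD_PATH = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"

# Constructed sample: the Subject and Conditions from the issue, inside a
# minimal Assertion wrapper (ID and Issuer are assumed placeholder values).
ISSUE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id" Version="2.0"
    IssueInstant="2018-05-25T14:24:13Z">
  <saml:Issuer>https://gateway.example.invalid/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:institution-a.nl:pieter-a1</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2018-05-25T22:24:13Z"
          Recipient="https://sa.test2.surfconext.nl/authentication/consume-assertion"
          InResponseTo="_91fa0e322d7962354bce7e93f16cf538a60d6047e708b26e55f93d2807fd"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-05-25T14:24:13Z" NotOnOrAfter="2018-05-25T14:29:13Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sa.test2.surfconext.nl/authentication/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value):
    """Parse an xs:dateTime in the UTC 'Z' form SAML requires, with or without fraction."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def check_confirmation_window(assertion_xml):
    """Return a list of findings; an empty list means the windows are consistent.

    Rules checked (SAML core 2.4.1.2): SubjectConfirmationData NotBefore/NotOnOrAfter
    SHOULD fall within Conditions NotBefore/NotOnOrAfter, and wherever both bounds
    are present NotBefore MUST be earlier than NotOnOrAfter.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"]
    problems = []
    cond_nb = parse_saml_time(cond.get("NotBefore")) if cond.get("NotBefore") else None
    cond_noa = parse_saml_time(cond.get("NotOnOrAfter")) if cond.get("NotOnOrAfter") else None
    if cond_nb and cond_noa and not cond_nb < cond_noa:
        problems.append("Conditions NotBefore is not earlier than Conditions NotOnOrAfter")
    for scd in root.findall(SCD_PATH, NS):
        scd_nb = parse_saml_time(scd.get("NotBefore")) if scd.get("NotBefore") else None
        scd_noa = parse_saml_time(scd.get("NotOnOrAfter")) if scd.get("NotOnOrAfter") else None
        if scd_nb and cond_nb and scd_nb < cond_nb:
            problems.append("SubjectConfirmationData NotBefore %s is before Conditions NotBefore %s"
                            % (scd.get("NotBefore"), cond.get("NotBefore")))
        # Equal end times are fine; only a later end time leaves the Conditions window.
        if scd_noa and cond_noa and scd_noa > cond_noa:
            problems.append("SubjectConfirmationData NotOnOrAfter %s is after Conditions NotOnOrAfter %s"
                            % (scd.get("NotOnOrAfter"), cond.get("NotOnOrAfter")))
        if scd_nb and scd_noa and not scd_nb < scd_noa:
            problems.append("SubjectConfirmationData NotBefore is not earlier than its NotOnOrAfter")
    return problems


def align_confirmation_window(assertion_xml):
    """Set every SubjectConfirmationData NotOnOrAfter equal to Conditions NotOnOrAfter.

    This is the issuer-side change the issue requests; apply it before signing.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no Conditions NotOnOrAfter to align to")
    for scd in root.findall(SCD_PATH, NS):
        scd.set("NotOnOrAfter", cond.get("NotOnOrAfter"))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_confirmation_window(ISSUE_ASSERTION):
        print("before:", finding)
    print("after:", check_confirmation_window(align_confirmation_window(ISSUE_ASSERTION)) or "ok")
```

Run as a script it prints the one finding for the issue's assertion (the 22:24:13Z end time lies outside the 14:24:13Z to 14:29:13Z Conditions window) and "ok" for the aligned version. An SP-side validator would additionally compare both windows against the current time with an allowed clock skew; that part is deliberately left out here because the issue is about the relationship between the two windows, not about their position relative to "now".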

phavekes commented 2 hours ago

PR: https://github.com/OpenConext/Stepup-Gateway/pull/161

Note: SubjectConfirmation has no NotBefore, but Conditions does have a NotBefore. The PR only does what's asked: SubjectConfirmation NotOnOrAfter equals the NotOnOrAfter of the assertion (Conditions), which is 5 minutes in the future. (Joris Steyn - May 30, 2018)

phavekes commented 2 hours ago

@jorissteyn Yes, this is what I intended. Only change the NotOnOrAfter of the SubjectConfirmation and do not add a NotBefore. My reasoning is that this is exactly what OpenConext-engine does, and engine has had a much wider exposure to the many SP implementations out there than the Stepup gateway. So it is all about compatibility. (Pieter van der Meulen - May 30, 2018)