SAML-Toolkits / python3-saml

MIT License

Azure B2C IdP Assertion failure due to timestamp parsing #275

Closed sujeshmenon closed 3 years ago

sujeshmenon commented 3 years ago

Hi,

We are running into an assertion response issue from Azure B2C IdP in the ACS process_response. We get an ['invalid_response'] exception with the following error: time data '2021-07-22T16:52:26.7628553Z' does not match format '%Y-%m-%dT%H:%M:%S.%fZ'.

Looking at the python3-saml assertion validation, the error is from parsing of the SAML2 timestamp of the SubjectConfirmationData in the response as seen here.

<saml:SubjectConfirmationData NotOnOrAfter="2021-07-22T16:39:53.0743956Z" ...>

This is because the time format as specified in the validation only accepts 6 digits for the microseconds using the %f specifier.

Can the timestamp parsing be fixed as it prevents our move to using Azure B2C as an IdP?!

Thanks in advance!

pitbulk commented 3 years ago

The datetime 2021-07-22T16:39:53.0743956Z will be parsed by the regex

try:
    data = datetime.strptime(timestr, OneLogin_Saml2_Utils.TIME_FORMAT)
except ValueError:
    try:
        data = datetime.strptime(timestr, OneLogin_Saml2_Utils.TIME_FORMAT_2)
    except ValueError:
        elem = OneLogin_Saml2_Utils.TIME_FORMAT_WITH_FRAGMENT.match(timestr)
        if not elem:
            raise Exception("time data %s does not match format %s" % (timestr, r'yyyy-mm-ddThh:mm:ss(\.s+)?Z'))
        data = datetime.strptime(elem.groups()[0] + "Z", OneLogin_Saml2_Utils.TIME_FORMAT)

As you see the TIME_FORMAT_WITH_FRAGMENT = re.compile(r'^(\d{4,4}-\d{2,2}-\d{2,2}T\d{2,2}:\d{2,2}:\d{2,2})(.\d*)?Z?$') matches the datetime, so it should be parsed properly.


sujeshmenon commented 3 years ago

Thanks @pitbulk. We were using python3-saml version earlier than v1.9.0. Upgraded to v1.9.0 and it works fine.

Closing this issue. Thanks!
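The failure reported in the issue and the regex fallback from pitbulk's reply can be reproduced stand-alone. The following is an added example, not python3-saml's own code: the names `parse_saml_instant`, `is_expired`, `strptime_rejects` and the constants are assumptions made for illustration, and the fallback drops the fractional seconds before comparing against `NotOnOrAfter`.

```python
import calendar
import re
from datetime import datetime

# Constant names are this example's own (assumed); the second format string is
# the one quoted in the error message in the thread.
FMT_SECONDS = "%Y-%m-%dT%H:%M:%SZ"
FMT_FRACTION = "%Y-%m-%dT%H:%M:%S.%fZ"  # %f accepts 1 to 6 digits only
WITH_FRAGMENT = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d*)?Z?$")


def parse_saml_instant(timestr):
    """Return UTC epoch seconds for a SAML timestamp in Zulu form."""
    for fmt in (FMT_SECONDS, FMT_FRACTION):
        try:
            return calendar.timegm(datetime.strptime(timestr, fmt).utctimetuple())
        except ValueError:
            pass
    # Fallback for fractions longer than 6 digits (the Azure B2C case):
    # keep the whole-second part and discard the fraction.
    match = WITH_FRAGMENT.match(timestr)
    if not match:
        # Fail closed: an unparseable validity window rejects the assertion.
        raise ValueError("time data %r is not a SAML UTC timestamp" % timestr)
    whole = datetime.strptime(match.group(1) + "Z", FMT_SECONDS)
    return calendar.timegm(whole.utctimetuple())


def is_expired(not_on_or_after, now_epoch, allowed_skew=0):
    """True when now is at or past NotOnOrAfter plus the allowed clock skew."""
    return now_epoch >= parse_saml_instant(not_on_or_after) + allowed_skew


def strptime_rejects(timestr):
    """Reproduce the failure mode from the issue: plain strptime with %f."""
    try:
        datetime.strptime(timestr, FMT_FRACTION)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sample = "2021-07-22T16:39:53.0743956Z"  # NotOnOrAfter value quoted in the issue
    print(strptime_rejects(sample), parse_saml_instant(sample))
```
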