Closed enricovianello closed 3 weeks ago
60 seconds is already a lot. I would rather post a message to the user saying to contact their IdP and ask to fix it.
Sure, in fact we did this. But it's just to allow administrators to bypass this problem until it's fixed. In case that is the only endpoint, it means no authenticated users until it's fixed.
Well, there is a reason why the time is checked. I suggest looking at existing best practices and just adopting the approach recommended there (which may well be to make it configurable :-))
Our security team suggests 5 minutes. Also Kerberos on the INFN side is using 5 minutes of response skew. To avoid similar issues in the future we can increase from 60 to 300 seconds (without making it configurable :-))
skew increased to 300 seconds by #780
We're experiencing problems like:
That's because the response skew is hardcoded to 60s and the remote provider is more than 60 seconds late:
We could add a configurable parameter and set it by adding something like:
at https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/SamlConfig.java#L454
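To make the skew discussed in this issue concrete, here is an added, hypothetical validator (not indigo-iam's or Spring Security SAML's code) that applies a configurable tolerance to the IssueInstant and Conditions timestamps of a SAML response. The sample response is constructed so that the IdP's clock is 90 seconds behind ours, which is rejected at the hard-coded 60 seconds and accepted at the 300 seconds adopted in #780; a genuinely expired assertion is still rejected at either value.

```python
from datetime import datetime, timedelta, timezone

# Added illustration of a SAML response-skew check; hypothetical, not the
# indigo-iam or Spring Security SAML implementation.

HARDCODED_SKEW = 60   # seconds, the value the issue reports as too small
ADOPTED_SKEW = 300    # seconds, the value adopted via #780


def parse_instant(value):
    """Parse an xsd:dateTime such as '2021-03-01T11:58:30Z' into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    instant = datetime.fromisoformat(value)
    if instant.tzinfo is None:
        raise ValueError("SAML instant without timezone: %r" % value)
    return instant.astimezone(timezone.utc)


def validate_times(issue_instant, not_before, not_on_or_after, now, skew_seconds):
    """Return the timing violations found; an empty list means the response is acceptable.

    Each comparison tolerates skew_seconds of clock difference between the IdP and us.
    """
    skew = timedelta(seconds=skew_seconds)
    problems = []
    issued = parse_instant(issue_instant)
    if issued < now - skew:
        problems.append("IssueInstant older than now minus skew (late or slow IdP clock)")
    if issued > now + skew:
        problems.append("IssueInstant ahead of now plus skew (fast IdP clock)")
    if not_before is not None and parse_instant(not_before) > now + skew:
        problems.append("Conditions/NotBefore not yet reached")
    if not_on_or_after is not None and parse_instant(not_on_or_after) <= now - skew:
        problems.append("Conditions/NotOnOrAfter already passed")
    return problems


# Constructed sample: our clock reads 12:00:00Z while the IdP's clock is 90 seconds
# behind, so every timestamp it issues looks 90 seconds late to us.
NOW = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
LATE_IDP = {"issue_instant": "2021-03-01T11:58:30Z",
            "not_before": "2021-03-01T11:58:30Z",
            "not_on_or_after": "2021-03-01T12:03:30Z"}


def outcome(skew_seconds, response=LATE_IDP):
    """Run the sample response through validate_times at the given skew."""
    return validate_times(response["issue_instant"], response["not_before"],
                          response["not_on_or_after"], NOW, skew_seconds)
```

Calling `outcome(HARDCODED_SKEW)` returns the IssueInstant violation, while `outcome(ADOPTED_SKEW)` returns an empty list.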