indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Make SAML response skew configurable #773

Closed enricovianello closed 3 weeks ago

enricovianello commented 1 month ago

We're experiencing problems like:

External authentication failure: Response issue time is either too old or with date in the future.

That's because the response skew is hardcoded to 60s and the remote provider is more than 60 seconds late:

Local time from log: 2024-05-28 08:53:51.303 => IssueInstant="2024-05-28T06:52:51Z"

We could add a configurable parameter and set it by adding something like:

impl.setResponseSkew(saml.properties.getResponseSkew());

at https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/config/saml/SamlConfig.java#L454
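As an added illustration of the check that fails here (not code from the IAM project), the following Python reproduces the IssueInstant validation with a configurable skew, using the two timestamps quoted above. The local timezone is an assumption (UTC+2, i.e. CEST on 2024-05-28), since the log line carries no offset:

```python
from datetime import datetime, timedelta, timezone

# Constructed from the values quoted in the issue: the local log time and the
# IssueInstant attribute of the SAML response. UTC+2 for the local clock is an
# assumption, not something the log line states.
LOCAL_TZ = timezone(timedelta(hours=2))
LOCAL_LOG_TIME = "2024-05-28 08:53:51.303"
ISSUE_INSTANT_ATTR = 'IssueInstant="2024-05-28T06:52:51Z"'

DEFAULT_RESPONSE_SKEW_SECONDS = 60  # the hardcoded value the issue complains about


def parse_issue_instant(attr: str) -> datetime:
    """Extract the xsd:dateTime from an IssueInstant="..." attribute as an aware UTC datetime."""
    value = attr.split("=", 1)[1].strip('"')
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_local_log_time(text: str, tz: timezone = LOCAL_TZ) -> datetime:
    """Parse a naive log timestamp and attach the assumed local timezone."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=tz)


def issue_time_offset_seconds(issue_instant: datetime, now: datetime) -> float:
    """Positive when the response is older than the local clock, negative when it is dated in the future."""
    return (now - issue_instant).total_seconds()


def issue_time_within_skew(issue_instant: datetime, now: datetime,
                           response_skew_seconds: int = DEFAULT_RESPONSE_SKEW_SECONDS) -> bool:
    """Symmetric check: reject responses that are too old or in the future by more than the skew."""
    return abs(issue_time_offset_seconds(issue_instant, now)) <= response_skew_seconds


def check_response(attr: str, log_time: str, response_skew_seconds: int) -> str:
    """Return the outcome a verifier would log for the given skew setting."""
    issued = parse_issue_instant(attr)
    now = parse_local_log_time(log_time)
    offset = issue_time_offset_seconds(issued, now)
    if issue_time_within_skew(issued, now, response_skew_seconds):
        return f"accepted: offset {offset:.3f}s within skew {response_skew_seconds}s"
    return (f"rejected: offset {offset:.3f}s exceeds skew {response_skew_seconds}s "
            "(Response issue time is either too old or with date in the future)")


if __name__ == "__main__":
    for skew in (60, 300):
        print(check_response(ISSUE_INSTANT_ATTR, LOCAL_LOG_TIME, skew))
```

With the assumed timezone the response is 60.303 seconds old, so a 60-second skew rejects it while a 300-second skew accepts it; the same code also rejects a response dated more than the skew into the future, which is why the error message mentions both cases.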

giacomini commented 1 month ago

60 seconds is already a lot. I would rather post a message to the user saying to contact their IdP and ask to fix it.

enricovianello commented 1 month ago

Sure, in fact we did this. But it's just to allow administrators to bypass this problem until it's fixed. In case that is the unique endpoint it means no authenticated users until it's fixed.

giacomini commented 1 month ago

Well, there is a reason why the time is checked. I suggest looking at existing best practices and just adopting the approach recommended there (which may well be to make it configurable :-))

enricovianello commented 4 weeks ago

Our security team suggests 5 minutes. Also, Kerberos at INFN is using 5 minutes of response skew. To avoid similar issues in the future we can increase from 60 to 300 seconds (without making it configurable :-))

enricovianello commented 3 weeks ago

Skew increased to 300 seconds by #780