spring-attic / spring-security-saml

SAML extension for the Spring Security project

SES-134: SubjectConfirmationData may be omitted from SubjectConfirmation if NotOnOrAfter attribute is present in Conditions #119

Closed spring-projects-issues closed 10 years ago

spring-projects-issues commented 10 years ago

Martin Riedel (Migrated from SES-134) said:

This case is not handled correctly in the current spring-saml implementation. Attached Assertion results in a 401 - "Error validating SAML message"

See: http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-09

"[...] The element MUST contain a element, unless the Assertion has a suitable NotOnOrAfter attribute on the element, in which case the element MAY be omitted. [...]"

Current problem is in org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifySubject(Subject, AuthnRequest, SAMLMessageContext):

```java
// Bearer must have confirmation saml-profiles-2.0-os 554
if (data == null) {
    log.debug("Bearer SubjectConfirmation invalidated by missing confirmation data");
    continue;
}
```

Cheers
spring-projects-issues commented 10 years ago

Vladimir Schäfer said:

The standard you refer to describes usage of SAML tokens presented to OAuth 2.0 Authorization Servers. This software implements the SAML 2.0 Web SSO Service Provider profile, which is a different thing. Both of these standards employ SAML tokens, but the requirements on their content differ. Please refer to http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf for details.
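The two comments above hinge on one rule: under the Web SSO profile a bearer SubjectConfirmation must carry its own SubjectConfirmationData (with Recipient and NotOnOrAfter), and a NotOnOrAfter on Conditions does not stand in for it, so the attached assertion is rejected. The following added example, which is not code from spring-security-saml, is a small standalone check that applies that rule to constructed assertions: the reporter's case (bearer confirmation with no data), the shape the Web SSO profile expects, and an expired one. The element and attribute names are the real SAML 2.0 ones; the sample assertions, the clock value and the SP URL are constructed.

```python
# Added example (not code from spring-security-saml): a minimal validator for the
# bearer SubjectConfirmation of a SAML 2.0 assertion, applying the Web SSO profile
# rule discussed in the issue. Sample assertions, NOW and SP_ACS_URL are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed "current time" for the demonstration
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)
# Constructed AssertionConsumerService URL of a hypothetical SP
SP_ACS_URL = "https://sp.example.org/saml/SSO"


def parse_saml_instant(value):
    """Parse an xs:dateTime such as 2014-06-01T12:05:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_bearer_confirmation(assertion_xml, expected_recipient, now=NOW):
    """Return (accepted, reason).

    Web SSO profile (saml-profiles-2.0-os, section 4.1.4.3): at least one bearer
    SubjectConfirmation must carry SubjectConfirmationData with a Recipient equal
    to our ACS URL and a NotOnOrAfter that has not passed. A NotOnOrAfter on
    Conditions is a separate check and does not substitute for it; that
    relaxation belongs to the OAuth SAML bearer draft, not to Web SSO.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", SAML_NS)
    if subject is None:
        return False, "assertion has no Subject"
    for conf in subject.findall("saml:SubjectConfirmation", SAML_NS):
        if conf.get("Method") != BEARER:
            continue
        data = conf.find("saml:SubjectConfirmationData", SAML_NS)
        if data is None:
            # Same branch the issue quotes from WebSSOProfileConsumerImpl.verifySubject:
            # a bearer confirmation without data is skipped, never trusted
            continue
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None or now >= parse_saml_instant(not_on_or_after):
            continue
        if data.get("Recipient") != expected_recipient:
            continue
        return True, "bearer SubjectConfirmation accepted"
    return False, "no acceptable bearer SubjectConfirmation"


def _assertion(subject_confirmation_xml):
    # Constructed minimal assertion; Conditions carries NotOnOrAfter as in the issue
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2014-06-01T11:59:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    {subject_confirmation_xml}
  </saml:Subject>
  <saml:Conditions NotBefore="2014-06-01T11:59:00Z" NotOnOrAfter="2014-06-01T12:05:00Z"/>
</saml:Assertion>"""


# The case reported in the issue: bearer confirmation with no SubjectConfirmationData
ASSERTION_NO_DATA = _assertion(
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>')

# What the Web SSO profile requires instead
ASSERTION_WITH_DATA = _assertion(
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="https://sp.example.org/saml/SSO" '
    'NotOnOrAfter="2014-06-01T12:05:00Z"/></saml:SubjectConfirmation>')

# Data present but already expired relative to NOW
ASSERTION_EXPIRED = _assertion(
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="https://sp.example.org/saml/SSO" '
    'NotOnOrAfter="2014-06-01T11:00:00Z"/></saml:SubjectConfirmation>')

if __name__ == "__main__":
    for name, xml in [("no data", ASSERTION_NO_DATA),
                      ("with data", ASSERTION_WITH_DATA),
                      ("expired", ASSERTION_EXPIRED)]:
        print(name, check_bearer_confirmation(xml, SP_ACS_URL))
```

Run it directly to see the three outcomes; only the assertion whose bearer confirmation carries unexpired SubjectConfirmationData addressed to the SP is accepted, which is the behaviour the maintainer describes for the Web SSO profile. A real SP additionally checks the signature, Issuer, Audience and the Conditions window before any of this matters.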