time sync issue
acoliver Dec 16, 2010 4:26 PM

At the top of a SAML request you have
<samlp:Response ID="_f92000e0-5d5b-4211-b071-9647a4f60495" Version="2.0" IssueInstant="2010-12-15T17:05:10.422Z"
(not from the same request/response as the log message below)
in the saml body you have
<Conditions NotBefore="2010-12-15T17:05:10.419Z" NotOnOrAfter="2010-12-15T18:05:10.419Z">
If the SP has a time that is slightly off from the IDP:
2010-12-16 14:36:29,113 TRACE [org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil] (http-appserver%2F10.2.184.209-8443-1) Now=2010-12-16T14:36:29.113-06:00 ::notBefore=2010-12-16T20:36:30.147Z::notOnOrAfter=2010-12-16T21:36:30.147Z
then you get this:
2010-12-16 14:36:29,113 TRACE [org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator] (http-webeval08.dev-we.dev-dirsrv.com%2F10.2.184.209-8443-1) Server Exception:
org.picketlink.identity.federation.core.exceptions.ProcessingException: Assertion has expired
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:364)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:308)
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:114)
    at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:74)
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:164)
    at org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator.authenticate(SPPostFormAuthenticator.java:198)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
    at org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:151)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
    at java.lang.Thread.run(Thread.java:619)
Caused by: org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:363)
    ... 20 more
which comes down to:
($ vi ../1.0.4.final/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/XMLTimeUtil.java)
"
import javax.xml.datatype.DatatypeConstants;
import javax.xml.datatype.XMLGregorianCalendar;

public static boolean isValid(XMLGregorianCalendar now,
        XMLGregorianCalendar notbefore, XMLGregorianCalendar notOnOrAfter)
{
    if(notbefore == null)
        throw new IllegalArgumentException("notbefore argument is null");
    if(notOnOrAfter == null)
        throw new IllegalArgumentException("notOnOrAfter argument is null");
    // reject when notbefore is after now, or the two cannot be compared
    // (e.g. one of them carries no time zone)
    int val = notbefore.compare(now);
    if(val == DatatypeConstants.INDETERMINATE || val == DatatypeConstants.GREATER)
        return false;
    // reject unless notOnOrAfter is strictly after now; there is no
    // tolerance for clock skew in either direction
    val = notOnOrAfter.compare(now);
    if(val != DatatypeConstants.GREATER)
        return false;
    return true;
}
"
It seems reasonable to me to configure a clock skew based on the IssueInstant and change the comparison by the difference between NOW and IssueInstant. If IssueInstant is 2s > NOW, then NotBefore should be adjusted by 2 seconds.
Discussion:
http://shibboleth.1660669.n2.nabble.com/SAML-Assertion-Condition-NotBefore-problem-td5581560.html
http://issues.connectopensource.org/browse/GATEWAY-306
I'll file a JIRA... what do you think about this clock skew fun?
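An added example, not code from the original post or from PicketLink: a skew-tolerant counterpart to isValid on the same javax.xml.datatype API, where the tolerance is a bounded configured value (the 120-second limit is assumed) rather than an open-ended adjustment derived from IssueInstant, plus a helper that reports the observed offset so a real clock problem still shows up in the logs; the sample timestamps are constructed from the ones in the post.

```java
import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeConstants;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;

public final class SkewTolerantTimeCheck {
    // Largest clock difference the SP tolerates (assumed value; a real
    // deployment would read this from configuration rather than a constant).
    public static final long MAX_SKEW_MILLIS = 120_000L;

    // Same contract as XMLTimeUtil.isValid, but the validity window is widened
    // by the given skew: NotBefore moves back, NotOnOrAfter moves forward.
    public static boolean isValidWithSkew(XMLGregorianCalendar now,
            XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter,
            long skewMillis) throws DatatypeConfigurationException {
        if (notBefore == null || notOnOrAfter == null)
            throw new IllegalArgumentException("NotBefore and NotOnOrAfter are required");
        Duration skew = DatatypeFactory.newInstance().newDuration(skewMillis);
        XMLGregorianCalendar earliest = (XMLGregorianCalendar) notBefore.clone();
        earliest.add(skew.negate());
        XMLGregorianCalendar latest = (XMLGregorianCalendar) notOnOrAfter.clone();
        latest.add(skew);
        int v = earliest.compare(now);
        if (v == DatatypeConstants.INDETERMINATE || v == DatatypeConstants.GREATER)
            return false; // now is still before (NotBefore - skew), or not comparable
        return latest.compare(now) == DatatypeConstants.GREATER; // now < NotOnOrAfter + skew
    }

    // Offset between the IdP's IssueInstant and local time, positive when the
    // IdP is ahead. Log it on every rejection: a value beyond MAX_SKEW_MILLIS
    // means the clocks need fixing, not that the tolerance should be raised.
    public static long observedSkewMillis(XMLGregorianCalendar now,
            XMLGregorianCalendar issueInstant) {
        return issueInstant.toGregorianCalendar().getTimeInMillis()
                - now.toGregorianCalendar().getTimeInMillis();
    }
    public static void main(String[] args) throws DatatypeConfigurationException {
        DatatypeFactory f = DatatypeFactory.newInstance();
        // Constructed sample built from the timestamps in the post: the SP
        // clock reads about one second earlier than the assertion's NotBefore.
        XMLGregorianCalendar now = f.newXMLGregorianCalendar("2010-12-16T14:36:29.113-06:00");
        XMLGregorianCalendar nb = f.newXMLGregorianCalendar("2010-12-16T20:36:30.147Z");
        XMLGregorianCalendar noa = f.newXMLGregorianCalendar("2010-12-16T21:36:30.147Z");
        System.out.println("strict check: " + isValidWithSkew(now, nb, noa, 0));
        System.out.println("with skew:    " + isValidWithSkew(now, nb, noa, MAX_SKEW_MILLIS));
        // NotBefore stands in for IssueInstant here; in the post they differ by 3 ms.
        System.out.println("observed offset (ms): " + observedSkewMillis(now, nb));
    }
}
```

On the sample, the strict check rejects the assertion exactly as the log above does, while the skew-tolerant check accepts it; the reported offset stays far below the limit, which is the case a configured skew is meant to cover.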