3 Replies Latest reply on Aug 10, 2011 10:49 AM by anil.saldhana

    Added a 'skew' to handle difference in time between IDP and SP

    pipo1000

      Sometimes we suddenly got time assertion errors. This was because the IDP was running fast relative to the SP. This way the IDP generates a response with a notOnOrAfter which seems to be in the future according to the SP. I solved this by building a 'skew' so the SP accepts the response when it is off a little bit; I changed the AssertionUtil:

      package org.picketlink.identity.federation.core.saml.v2.util;

      import javax.xml.datatype.DatatypeConfigurationException;
      import javax.xml.datatype.DatatypeFactory;
      import javax.xml.datatype.Duration;
      import javax.xml.datatype.XMLGregorianCalendar;

      import org.jboss.logging.Logger;
      import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
      import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
      import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;

      public class AssertionUtil {
          private static Logger log = Logger.getLogger(AssertionUtil.class);
          private static boolean trace = log.isTraceEnabled();

          // 0 to 59 minutes skew, should be configurable!
          private static final int SKEW_IN_MINUTES = 5;

          public static boolean hasExpired(AssertionType assertion) throws ConfigurationException {
              // Check for validity of assertion
              ConditionsType conditionsType = assertion.getConditions();
              if (conditionsType != null)
              {
                  XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
                  // Work on copies: XMLGregorianCalendar.add() mutates in place, and shifting the
                  // assertion's own Conditions would widen the window again on every call.
                  // NotBefore and NotOnOrAfter are both optional in SAML, so either may be null.
                  XMLGregorianCalendar notBefore = copyOf(conditionsType.getNotBefore());
                  XMLGregorianCalendar notOnOrAfter = copyOf(conditionsType.getNotOnOrAfter());

                  if (trace) log.trace("InClaim Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore + "::notOnOrAfter=" + notOnOrAfter);

                  try
                  {
                      DatatypeFactory df = DatatypeFactory.newInstance();

                      // move notBefore to the 'left' and notOnOrAfter to the 'right'
                      if (notBefore != null)
                      {
                          Duration skew1 = df.newDuration(false, 0, 0, 0, 0, SKEW_IN_MINUTES, 0);
                          notBefore.add(skew1);
                      }
                      if (notOnOrAfter != null)
                      {
                          Duration skew2 = df.newDuration(true, 0, 0, 0, 0, SKEW_IN_MINUTES, 0);
                          notOnOrAfter.add(skew2);
                      }
                  } catch (DatatypeConfigurationException e)
                  {
                      // should not happen (JAXP ships with the JRE); if it does, the check simply runs without skew
                      log.warn("Could not create DatatypeFactory, validating assertion without clock skew", e);
                  }

                  if (trace) log.trace("AfterSkew Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore + "::notOnOrAfter=" + notOnOrAfter);

                  return !XMLTimeUtil.isValid(now, notBefore, notOnOrAfter);
              }
              // TODO: if conditions do not exist, assume the assertion to be
              // everlasting?
              return false;
          }

          private static XMLGregorianCalendar copyOf(XMLGregorianCalendar cal) {
              return cal == null ? null : (XMLGregorianCalendar) cal.clone();
          }
      }
      

      I hope you can add this change to the trunk?


      Kind regards,


      Edwin
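The clock-skew window described in the post, as a stand-alone added example that is not part of the post or of PicketLink: it uses only the JDK's javax.xml.datatype API, treats a missing NotBefore or NotOnOrAfter as an open bound, never mutates the caller's calendars, and bounds the skew to the 0..59 minutes the post mentions. The class name, the helper names and the timestamps are constructed for the demonstration.

```java
import java.util.GregorianCalendar;
import java.util.TimeZone;
import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeConstants;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;

public class SkewDemo {                     // hypothetical class, not PicketLink code
    static final DatatypeFactory DF;
    static { try { DF = DatatypeFactory.newInstance(); }
             catch (DatatypeConfigurationException e) { throw new IllegalStateException(e); } }

    /** SAML rule notBefore <= now < notOnOrAfter, with each bound widened by skewMinutes; null bound = open. */
    static boolean withinConditions(XMLGregorianCalendar now, XMLGregorianCalendar notBefore,
                                    XMLGregorianCalendar notOnOrAfter, int skewMinutes) {
        if (skewMinutes < 0 || skewMinutes > 59) throw new IllegalArgumentException("skew must be 0..59 minutes");
        Duration earlier = DF.newDuration(false, 0, 0, 0, 0, skewMinutes, 0); // negative duration
        Duration later = DF.newDuration(true, 0, 0, 0, 0, skewMinutes, 0);    // positive duration
        if (notBefore != null) {
            XMLGregorianCalendar nb = (XMLGregorianCalendar) notBefore.clone(); // copy: add() mutates in place
            nb.add(earlier);
            if (now.compare(nb) == DatatypeConstants.LESSER) return false;     // not yet valid, even with skew
        }
        if (notOnOrAfter != null) {
            XMLGregorianCalendar noa = (XMLGregorianCalendar) notOnOrAfter.clone();
            noa.add(later);
            if (now.compare(noa) != DatatypeConstants.LESSER) return false;    // expired (or incomparable) rejects
        }
        return true;
    }

    static XMLGregorianCalendar at(long epochMillis) {
        GregorianCalendar gc = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
        gc.setTimeInMillis(epochMillis);
        return DF.newXMLGregorianCalendar(gc);
    }

    public static void main(String[] args) {
        long spNow = 1312973340000L;               // constructed: the SP's clock
        long idpNow = spNow + 2 * 60_000L;         // constructed: the IdP's clock runs 2 minutes fast
        XMLGregorianCalendar notBefore = at(idpNow);                  // IdP stamps NotBefore with its own "now"
        XMLGregorianCalendar notOnOrAfter = at(idpNow + 5 * 60_000L); // 5-minute assertion lifetime
        System.out.println("no skew, fast IdP: " + withinConditions(at(spNow), notBefore, notOnOrAfter, 0));
        System.out.println("5m skew, fast IdP: " + withinConditions(at(spNow), notBefore, notOnOrAfter, 5));
        // a genuinely stale assertion (10 minutes past NotOnOrAfter) must still be rejected with skew applied
        System.out.println("5m skew, stale:    " + withinConditions(at(idpNow + 15 * 60_000L), notBefore, notOnOrAfter, 5));
        // a missing NotBefore is an open lower bound rather than a NullPointerException
        System.out.println("no NotBefore:      " + withinConditions(at(spNow), null, notOnOrAfter, 5));
    }
}
```

The first call reproduces the failure from the post (the SP's clock has not yet reached the IdP-stamped NotBefore); the second shows the 5-minute window absorbing the 2-minute offset; the third shows that the wider window does not turn a replayed, long-expired assertion into a valid one.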