Added a 'skew' to handle difference in time between IDP and SP
pipo1000 Aug 3, 2011 7:16 AM

Sometimes we suddenly got time assertion errors. This was because the IDP was running fast compared to the SP. This way the IDP generates a response with a notOnOrAfter which seems to be in the future according to the SP. I solved this by building a 'skew' so the SP accepts the response when it is off a little bit; I changed the AssertionUtil:
```java
package org.picketlink.identity.federation.core.saml.v2.util;

import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;

import org.apache.log4j.Logger;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;

public class AssertionUtil {
    // Logger fields as declared in the surrounding class (log4j assumed for this PicketLink version)
    private static Logger log = Logger.getLogger(AssertionUtil.class);
    private static boolean trace = log.isTraceEnabled();

    public static boolean hasExpired(AssertionType assertion) throws ConfigurationException {
        // Check for validity of assertion
        ConditionsType conditionsType = assertion.getConditions();
        if (conditionsType != null) {
            XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
            // Work on copies so the skew does not mutate the parsed assertion's Conditions
            XMLGregorianCalendar notBefore = (XMLGregorianCalendar) conditionsType.getNotBefore().clone();
            XMLGregorianCalendar notOnOrAfter = (XMLGregorianCalendar) conditionsType.getNotOnOrAfter().clone();
            if (trace)
                log.trace("InClaim Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore.toXMLFormat()
                        + "::notOnOrAfter=" + notOnOrAfter.toXMLFormat());
            try {
                DatatypeFactory df = DatatypeFactory.newInstance();
                // 0 to 59 minutes skew, should be configurable!
                int skewInMinutes = 5;
                // move notBefore to the 'left' (earlier) and notOnOrAfter to the 'right' (later)
                Duration skew1 = df.newDuration(false, 0, 0, 0, 0, skewInMinutes, 0);
                notBefore.add(skew1);
                Duration skew2 = df.newDuration(true, 0, 0, 0, 0, skewInMinutes, 0);
                notOnOrAfter.add(skew2);
            } catch (DatatypeConfigurationException e) {
                // should not happen
            }
            if (trace)
                log.trace("AfterSkew Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore.toXMLFormat()
                        + "::notOnOrAfter=" + notOnOrAfter.toXMLFormat());
            return !XMLTimeUtil.isValid(now, notBefore, notOnOrAfter);
        }
        // TODO: if conditions do not exist, assume the assertion to be everlasting?
        return false;
    }
}
```
I hope you can add this change to the trunk?
Kind regards,
Edwin
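The skew-tolerant window check described in the post, as an added stand-alone example (not PicketLink code and not the poster's patch): it parses the NotBefore/NotOnOrAfter attributes of a constructed SAML Conditions element, widens the window by a configurable skew on both ends, and keeps the SAML semantics that NotBefore is inclusive and NotOnOrAfter is exclusive. The sample assertion, its timestamps and the function names are constructed for this example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a 5-minute validity window as an IdP would issue it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2011-08-03T07:16:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions NotBefore="2011-08-03T07:16:00Z" NotOnOrAfter="2011-08-03T07:21:00Z"/>
</saml:Assertion>"""


def parse_xsd_datetime(value):
    """Parse the xsd:dateTime form SAML uses ('Z' or explicit offset) into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # a bare timestamp is taken as UTC, never as local time
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def conditions_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from <saml:Conditions>; a bound is None when absent."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return None, None
    nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    return (parse_xsd_datetime(nb) if nb else None,
            parse_xsd_datetime(noa) if noa else None)


def has_expired(assertion_xml, now, skew_minutes=5):
    """Skew-tolerant check: NotBefore is moved earlier and NotOnOrAfter later by skew_minutes.

    `now` is the SP's clock, as an aware datetime or an xsd:dateTime string.
    NotBefore is inclusive, NotOnOrAfter exclusive; a missing bound is not enforced.
    """
    if isinstance(now, str):
        now = parse_xsd_datetime(now)
    skew = timedelta(minutes=skew_minutes)
    not_before, not_on_or_after = conditions_window(assertion_xml)
    if not_before is not None and now < not_before - skew:
        return True   # SP clock lags the IdP by more than the tolerated skew
    if not_on_or_after is not None and now >= not_on_or_after + skew:
        return True   # assertion is genuinely stale, skew or not
    return False
```

Keep the skew small: every minute of tolerance is a minute longer that a replayed assertion stays acceptable, so fixing clock synchronisation (NTP) on both sides is the primary control and the skew only absorbs residual drift.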