4 Replies   Latest reply: Dec 16, 2010 10:05 PM by Andrew Oliver

time sync issue

Andrew Oliver (Master)

At the top of a SAML response you have

<samlp:Response ID="_f92000e0-5d5b-4211-b071-9647a4f60495" Version="2.0" IssueInstant="2010-12-15T17:05:10.422Z"

(not from the same request/response as the log message below)

In the SAML body you have

<Conditions NotBefore="2010-12-15T17:05:10.419Z" NotOnOrAfter="2010-12-15T18:05:10.419Z">

If the SP has a time that is slightly off from the IdP:

2010-12-16 14:36:29,113 TRACE [org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil] (http-appserver%2F10.2.184.209-8443-1) Now=2010-12-16T14:36:29.113-06:00 ::notBefore=2010-12-16T20:36:30.147Z::notOnOrAfter=2010-12-16T21:36:30.147Z

then you get this:

2010-12-16 14:36:29,113 TRACE [org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator] (http-webeval08.dev-we.dev-dirsrv.com%2F10.2.184.209-8443-1) Server Exception:
org.picketlink.identity.federation.core.exceptions.ProcessingException: Assertion has expired
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:364)
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:308)
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:114)
        at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:74)
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:164)
        at org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator.authenticate(SPPostFormAuthenticator.java:198)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
        at org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:151)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
        at java.lang.Thread.run(Thread.java:619)
Caused by: org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:363)
        ... 20 more

which comes down to:

($ vi ../1.0.4.final/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/XMLTimeUtil.java)
"
   public static boolean isValid(XMLGregorianCalendar now,
         XMLGregorianCalendar notbefore, XMLGregorianCalendar notOnOrAfter)
   {
      if(notbefore == null)
         throw new IllegalArgumentException("notbefore argument is null");
      if(notOnOrAfter == null)
         throw new IllegalArgumentException("notOnOrAfter argument is null");

      int val = notbefore.compare(now);

      if(val == DatatypeConstants.INDETERMINATE || val == DatatypeConstants.GREATER)
        return false;

      val = notOnOrAfter.compare(now);
      if(val != DatatypeConstants.GREATER)
         return false;
      return true;
   }
"

It seems reasonable to me to configure a clock skew based on the IssueInstant and change the comparison by the difference between NOW and IssueInstant. If IssueInstant is 2s > NOW then NotBefore should be adjusted 2 seconds.

      Discussion:

      http://shibboleth.1660669.n2.nabble.com/SAML-Assertion-Condition-NotBefore-problem-td5581560.html

      http://issues.connectopensource.org/browse/GATEWAY-306


I'll file a JIRA... what do you think about this clock skew fun?
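As an added illustration (not code from the post or from PicketLink), the check below applies the same NotBefore/NotOnOrAfter rule as the quoted isValid, widened by a fixed clock-skew tolerance, and keeps "not yet valid" and "expired" apart, since the trace above reports both as "Assertion has expired". It is fed the timestamps from the TRACE line in the post; the bounded tolerance (instead of the IssueInstant-derived adjustment the post proposes) and the helper names are assumptions.

```python
from datetime import datetime, timedelta, timezone


def parse_xsd_datetime(text):
    """Parse a SAML xsd:dateTime ('...Z' or '...-06:00') into an aware UTC datetime."""
    if text.endswith("Z"):  # fromisoformat() before Python 3.11 rejects a bare 'Z'
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamp without a zone offset: %r" % text)
    return dt.astimezone(timezone.utc)


def check_conditions(now, not_before, not_on_or_after, skew_seconds=0):
    """Same rule as XMLTimeUtil.isValid (NotBefore inclusive, NotOnOrAfter exclusive),
    with the window widened by a fixed, bounded tolerance on each side.
    Returns 'valid', 'not-yet-valid' or 'expired' so the two rejections stay distinguishable."""
    t = parse_xsd_datetime(now)
    skew = timedelta(seconds=skew_seconds)
    if t < parse_xsd_datetime(not_before) - skew:
        return "not-yet-valid"
    if t >= parse_xsd_datetime(not_on_or_after) + skew:
        return "expired"
    return "valid"


def observed_offset_seconds(issue_instant, now):
    """IssueInstant minus local now, in seconds (positive when the IdP clock is ahead).
    A useful monitoring signal for how far the two clocks have drifted."""
    return (parse_xsd_datetime(issue_instant) - parse_xsd_datetime(now)).total_seconds()


# Values from the TRACE line in the post: SP local time (-06:00) is 1.034 s before NotBefore (UTC).
NOW = "2010-12-16T14:36:29.113-06:00"
NOT_BEFORE = "2010-12-16T20:36:30.147Z"
NOT_ON_OR_AFTER = "2010-12-16T21:36:30.147Z"

if __name__ == "__main__":
    print(check_conditions(NOW, NOT_BEFORE, NOT_ON_OR_AFTER))                  # not-yet-valid
    print(check_conditions(NOW, NOT_BEFORE, NOT_ON_OR_AFTER, skew_seconds=2))  # valid
    # The tolerance is bounded: an assertion an hour past NotOnOrAfter is still rejected.
    print(check_conditions("2010-12-16T22:36:30.147Z", NOT_BEFORE, NOT_ON_OR_AFTER, 2))  # expired
```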