Fix Conditions time validity to be session duration

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1395 44740490-163a-0410-bde0-09ae8108e29a

lib/SimpleSAML/XML/SAML20/AuthnResponse.php

@@ -645,7 +645,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 	 *
 	 *  @return AuthenticationResponse as string
 	 */
-	public function generate($idpentityid, $spentityid, $inresponseto, $nameid, $attributes, $status = 'Success') {
+	public function generate($idpentityid, $spentityid, $inresponseto, $nameid, $attributes, $status = 'Success', $sessionDuration = 3600) {
 		
 		/**
 		 * Retrieving metadata for the two specific entity IDs.
@@ -663,8 +663,15 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		 */
 		$id = SimpleSAML_Utilities::generateID();
 		$issueInstant = SimpleSAML_Utilities::generateTimestamp();
-		$assertionExpire = SimpleSAML_Utilities::generateTimestamp(time() + 60 * 5);# 5 minutes
+		
+		// 30 seconds timeskew back in time to allow differing clocks.
 		$notBefore = SimpleSAML_Utilities::generateTimestamp(time() - 30);
+		// How long is the timeframe which which the consumer may consume the assertion
+		$assertionExpire = SimpleSAML_Utilities::generateTimestamp(time() + 60 * 5);# 5 minutes
+		// What is the max time frame which the consumer is allowed to hold a securtity context valid.
+		$sessionExpire = SimpleSAML_Utilities::generateTimestamp(time() + $sessionDuration);
+
+
 
 		$assertionid = SimpleSAML_Utilities::generateID();
 
@@ -734,7 +741,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 					Recipient="' . htmlspecialchars($destination) . '"/>
 			</saml:SubjectConfirmation>
 		</saml:Subject>
-		<saml:Conditions NotBefore="' . $notBefore. '" NotOnOrAfter="' . $assertionExpire. '">
+		<saml:Conditions NotBefore="' . $notBefore. '" NotOnOrAfter="' . $sessionExpire. '">
             <saml:AudienceRestriction>
                 <saml:Audience>' . htmlspecialchars($spentityid) . '</saml:Audience>
             </saml:AudienceRestriction>

www/saml2/idp/SSOService.php

@@ -250,7 +250,7 @@ if($needAuth && !$isPassive) {
 		 * With statusCode: urn:oasis:names:tc:SAML:2.0:status:NoPassive
 		 */
 		$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
-		$authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive');
+		$authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive', $config->getValue('session.duration', 3600) );
 
 		/* Sending the AuthNResponse using HTTP-Post SAML 2.0 binding. */
 		$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
@@ -315,7 +315,7 @@ if($needAuth && !$isPassive) {
 					 * With statusCode: urn:oasis:names:tc:SAML:2.0:status:NoPassive
 					 */
 					$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
-					$authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive');
+					$authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive', $config->getValue('session.duration', 3600));
 
 					/* Sending the AuthNResponse using HTTP-Post SAML 2.0 binding. */
 					$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
@@ -342,7 +342,7 @@ if($needAuth && !$isPassive) {
 		
 		// Generate an SAML 2.0 AuthNResponse message
 		$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
-		$authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestID, null, $attributes);
+		$authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestID, NULL, $attributes, 'Success', $config->getValue('session.duration', 3600));
 	
 		// Sending the AuthNResponse using HTTP-Post SAML 2.0 binding
 		$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);