diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index a9245352b11f2b57229524b4997d71b964e2d6cc..5c8f59bbc529eaa9cb6599c961703c545630c2e4 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -645,7 +645,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
*
* @return AuthenticationResponse as string
*/
- public function generate($idpentityid, $spentityid, $inresponseto, $nameid, $attributes, $status = 'Success') {
+ public function generate($idpentityid, $spentityid, $inresponseto, $nameid, $attributes, $status = 'Success', $sessionDuration = 3600) {
/**
* Retrieving metadata for the two specific entity IDs.
@@ -663,8 +663,15 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
*/
$id = SimpleSAML_Utilities::generateID();
$issueInstant = SimpleSAML_Utilities::generateTimestamp();
- $assertionExpire = SimpleSAML_Utilities::generateTimestamp(time() + 60 * 5);# 5 minutes
+
+ // 30 seconds timeskew back in time to allow differing clocks.
$notBefore = SimpleSAML_Utilities::generateTimestamp(time() - 30);
+ // How long is the timeframe which which the consumer may consume the assertion
+ $assertionExpire = SimpleSAML_Utilities::generateTimestamp(time() + 60 * 5);# 5 minutes
+ // What is the max time frame which the consumer is allowed to hold a securtity context valid.
+ $sessionExpire = SimpleSAML_Utilities::generateTimestamp(time() + $sessionDuration);
+
+
$assertionid = SimpleSAML_Utilities::generateID();
@@ -734,7 +741,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
Recipient="' . htmlspecialchars($destination) . '"/>
</saml:SubjectConfirmation>
</saml:Subject>
- <saml:Conditions NotBefore="' . $notBefore. '" NotOnOrAfter="' . $assertionExpire. '">
+ <saml:Conditions NotBefore="' . $notBefore. '" NotOnOrAfter="' . $sessionExpire. '">
<saml:AudienceRestriction>
<saml:Audience>' . htmlspecialchars($spentityid) . '</saml:Audience>
</saml:AudienceRestriction>
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index dccc5168538e067a59efeb90907472d835d4fe78..f2f4c091106e977fd1904e734853ff9ef7fa4263 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -250,7 +250,7 @@ if($needAuth && !$isPassive) {
* With statusCode: urn:oasis:names:tc:SAML:2.0:status:NoPassive
*/
$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
- $authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive');
+ $authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive', $config->getValue('session.duration', 3600) );
/* Sending the AuthNResponse using HTTP-Post SAML 2.0 binding. */
$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
@@ -315,7 +315,7 @@ if($needAuth && !$isPassive) {
* With statusCode: urn:oasis:names:tc:SAML:2.0:status:NoPassive
*/
$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
- $authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive');
+ $authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], $requestcache['RequestID'], NULL, NULL, 'NoPassive', $config->getValue('session.duration', 3600));
/* Sending the AuthNResponse using HTTP-Post SAML 2.0 binding. */
$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
@@ -342,7 +342,7 @@ if($needAuth && !$isPassive) {
// Generate an SAML 2.0 AuthNResponse message
$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
- $authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestID, null, $attributes);
+ $authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestID, NULL, $attributes, 'Success', $config->getValue('session.duration', 3600));
// Sending the AuthNResponse using HTTP-Post SAML 2.0 binding
$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);