Merge pull request #979 from Wittev1/feature/allowed-assertion-offset

Create a setting for the allowed assertion offset

Merge pull request #979 from Wittev1/feature/allowed-assertion-offset
Create a setting for the allowed assertion offset
9a2786d8 · Jaime Pérez Crespo · GitHub · 0e0f34f0 · f2c960fd · 9a2786d8
Unverified Commit 9a2786d8 authored 6 years ago by Jaime Pérez Crespo Committed by GitHub 6 years ago
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -176,6 +176,16 @@ $config = [
     */
    'enable.http_post' => false,

+    /*
+     * Set the allowed clock skew between encrypting/decrypting assertions
+     *
+     * If you have an server that is constantly out of sync, this option
+     * allows you to adjust the allowed clock-skew.
+     *
+     * Allowed range: 180 - 300
+     * Defaults to 180.
+     */
+    'assertion.allowed_clock_skew' => 180,


    /************************

--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -646,20 +646,30 @@ class Message
        $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();

        // check various properties of the assertion
+        $config = \SimpleSAML\Configuration::getInstance();
+        $allowed_clock_skew = $config->getInteger('assertion.allowed_clock_skew', 180);
+        $options = [
+            'options' => [
+                'default' => 180,
+                'min_range' => 180,
+                'max_range' => 300,
+            ],
+        ];
+        $allowed_clock_skew = filter_var($allowed_clock_skew, FILTER_VALIDATE_INT, $options);
        $notBefore = $assertion->getNotBefore();
-        if ($notBefore !== null && $notBefore > time() + 60) {
+        if ($notBefore !== null && $notBefore > time() + $allowed_clock_skew) {
            throw new \SimpleSAML\Error\Exception(
                'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.'
            );
        }
        $notOnOrAfter = $assertion->getNotOnOrAfter();
-        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - 60) {
+        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - $allowed_clock_skew) {
            throw new \SimpleSAML\Error\Exception(
                'Received an assertion that has expired. Check clock synchronization on IdP and SP.'
            );
        }
        $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
-        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - 60) {
+        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - $allowed_clock_skew) {
            throw new \SimpleSAML\Error\Exception(
                'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.'
            );