From efca75e324170e5dda4eb47b87c844dc705653bd Mon Sep 17 00:00:00 2001
From: Jelle Witteveen <jelle@wittev1.com>
Date: Wed, 7 Nov 2018 14:42:16 +0100
Subject: [PATCH] Create a setting for the allowed assertion offset

---
 config-templates/config.php  | 9 +++++++++
 modules/saml/lib/Message.php | 8 +++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/config-templates/config.php b/config-templates/config.php
index ac9b800f2..d06fc81b2 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -176,6 +176,15 @@ $config = [
      */
     'enable.http_post' => false,
 
+    /*
+     * Set the allowed time difference between encrypting/decrypting assertions
+     *
+     * If you have an server that is constantly out of sync, this option
+     * allows you to adjust the allowed time-frame.
+     *
+     * Defaults to 60.
+     */
+    'assertion.allowed_offset' => 60,
 
 
     /************************
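Review bot: The new option's comment describes the setting as "the allowed time difference between encrypting/decrypting assertions", but the Message.php hunk in this patch applies it only to the NotBefore, NotOnOrAfter and SessionNotOnOrAfter validity checks, and the comment never states the unit. I would replace the first sentence with `* Clock-skew tolerance, in seconds, applied when checking an assertion's NotBefore,` / `* NotOnOrAfter and SessionNotOnOrAfter conditions.` and add a sentence noting that raising this value lengthens the period during which an already-expired assertion is still accepted, so it should stay as small as the deployment's clock drift allows. The typo `an server` on the next line should also become `a server`.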
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 1af7164e8..cda90f176 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -656,20 +656,22 @@ class Message
         $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
 
         // check various properties of the assertion
+        $config = \SimpleSAML\Configuration::getInstance();
+        $allowed_assertion_offset = $config->getInteger('assertion.allowed_offset', 60);
         $notBefore = $assertion->getNotBefore();
-        if ($notBefore !== null && $notBefore > time() + 60) {
+        if ($notBefore !== null && $notBefore > time() + $allowed_assertion_offset) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.'
             );
         }
         $notOnOrAfter = $assertion->getNotOnOrAfter();
-        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - 60) {
+        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - $allowed_assertion_offset) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion that has expired. Check clock synchronization on IdP and SP.'
             );
         }
         $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
-        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - 60) {
+        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - $allowed_assertion_offset) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.'
             );
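Review bot: The value read on the `getInteger('assertion.allowed_offset', 60)` line is used unbounded: a negative value makes every assertion fail the NotBefore check and rejects valid ones, while a very large value widens the window in which an expired or replayed assertion is still accepted, so this is a security-relevant parameter and deserves a range check rather than a bare integer read. If the Configuration class in this tree offers `getIntegerRange`, `$allowed_assertion_offset = $config->getIntegerRange('assertion.allowed_offset', 0, 3600, 60);` (upper bound chosen here as a constructed example) would reject nonsensical values at startup; otherwise a `<= 0` guard that throws a configuration error would do. Also consider naming the local `$allowedAssertionOffset`, since the surrounding code (`$notBefore`, `$currentURL`) is camelCase, and reading `time()` once into a local so the three comparisons use the same instant. The enclosing method starts and ends outside this hunk.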
-- 
GitLab