From f2c960fd459c87f2d1b4726a19dd740a9740477d Mon Sep 17 00:00:00 2001
From: Jelle Witteveen <jelle@wittev1.com>
Date: Mon, 12 Nov 2018 14:23:11 +0100
Subject: [PATCH] Renamed variable and changed range to be SAML2INT compliant

---
 config-templates/config.php  |  9 +++++----
 modules/saml/lib/Message.php | 15 +++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/config-templates/config.php b/config-templates/config.php
index d06fc81b2..7e5471b8e 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -177,14 +177,15 @@ $config = [
     'enable.http_post' => false,
 
     /*
-     * Set the allowed time difference between encrypting/decrypting assertions
+     * Set the allowed clock skew between encrypting/decrypting assertions
      *
      * If you have an server that is constantly out of sync, this option
-     * allows you to adjust the allowed time-frame.
+     * allows you to adjust the allowed clock-skew.
      *
-     * Defaults to 60.
+     * Allowed range: 180 - 300
+     * Defaults to 180.
      */
-    'assertion.allowed_offset' => 60,
+    'assertion.allowed_clock_skew' => 180,
 
 
     /************************
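Review bot: The rewritten comment still calls this the allowed skew "between encrypting/decrypting assertions", but the only consumer in this patch (modules/saml/lib/Message.php) uses the value to pad the NotBefore, NotOnOrAfter and SessionNotOnOrAfter checks on received assertions, so the description should name what it actually governs: `* Allowed clock skew, in seconds, when validating the NotBefore / NotOnOrAfter / SessionNotOnOrAfter conditions of received assertions.`. The comment should also state the failure mode the reader cannot see from here: the reading code silently replaces any value below 180 or above 300 with 180, and the former key is no longer read at all, so a deployment that kept `assertion.allowed_offset` or a tighter value now gets a 180-second window with no notice. Suggest adding `* Values outside this range are ignored and 180 is used. Replaces the former 'assertion.allowed_offset' option.` so operators know the old name is dead and that out-of-range values are not errors.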
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 3d79a417a..a947cee03 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -657,30 +657,29 @@ class Message
 
         // check various properties of the assertion
         $config = \SimpleSAML\Configuration::getInstance();
-        $allowed_assertion_offset = $config->getInteger('assertion.allowed_offset', 60);
+        $allowed_clock_skew = $config->getInteger('assertion.allowed_clock_skew', 180);
         $options = [
             'options' => [
-                'default' => 60, // value to return if the filter fails
-                // other options here
-                'min_range' => 0,
+                'default' => 180,
+                'min_range' => 180,
                 'max_range' => 300,
             ],
         ];
-        $allowed_assertion_offset = filter_var($allowed_assertion_offset, FILTER_VALIDATE_INT, $options);
+        $allowed_clock_skew = filter_var($allowed_clock_skew, FILTER_VALIDATE_INT, $options);
         $notBefore = $assertion->getNotBefore();
-        if ($notBefore !== null && $notBefore > time() + $allowed_assertion_offset) {
+        if ($notBefore !== null && $notBefore > time() + $allowed_clock_skew) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.'
             );
         }
         $notOnOrAfter = $assertion->getNotOnOrAfter();
-        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - $allowed_assertion_offset) {
+        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - $allowed_clock_skew) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion that has expired. Check clock synchronization on IdP and SP.'
             );
         }
         $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
-        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - $allowed_assertion_offset) {
+        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - $allowed_clock_skew) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.'
             );
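Review bot: The `filter_var` call on `$allowed_clock_skew` silently rewrites any configured value outside 180–300 to 180, and because the option was renamed at the same time, every deployment still setting `assertion.allowed_offset` (or setting the new key to the old default of 60) now gets a wider acceptance window than it asked for, with nothing logged. Widening the window is the direction an operator needs to hear about, so keep the raw value and warn when it is overridden: `$configured = $config->getInteger('assertion.allowed_clock_skew', 180);`, `$allowed_clock_skew = filter_var($configured, FILTER_VALIDATE_INT, $options);`, `if ($allowed_clock_skew !== $configured) { /* log a warning: configured skew outside 180-300, using 180 */ }`. It is also worth considering a deprecation fallback that reads the old `assertion.allowed_offset` key when the new one is absent, so the rename is not a silent behaviour change; whether the project has a convention for that is not visible from this hunk. The enclosing method begins before and ends after this hunk.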
-- 
GitLab