Commit f2c960fd authored by Jelle Witteveen's avatar Jelle Witteveen

Renamed variable and changed range to be SAML2INT compliant

parent 77308f6a
...@@ -177,14 +177,15 @@ $config = [ ...@@ -177,14 +177,15 @@ $config = [
'enable.http_post' => false, 'enable.http_post' => false,
/* /*
* Set the allowed time difference between encrypting/decrypting assertions * Set the allowed clock skew between encrypting/decrypting assertions
* *
* If you have an server that is constantly out of sync, this option * If you have an server that is constantly out of sync, this option
* allows you to adjust the allowed time-frame. * allows you to adjust the allowed clock-skew.
* *
* Defaults to 60. * Allowed range: 180 - 300
* Defaults to 180.
*/ */
'assertion.allowed_offset' => 60, 'assertion.allowed_clock_skew' => 180,
/************************ /************************
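Review bot: The new comment gives the range `180 - 300` but not what happens when an operator sets a value outside it; the validation in Message.php replaces such values with the default without any error, which is the kind of silent behaviour an operator reading this file needs to know about. Add after the range line: `* Values outside this range are silently replaced by the default.`. Since the key is renamed and, as far as this commit shows, the old name is no longer read, also add `* Replaces the former 'assertion.allowed_offset' option, which is ignored.`. The pre-existing typo `an server` on the new side could be fixed to `a server` in the same pass.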
...@@ -657,30 +657,29 @@ class Message ...@@ -657,30 +657,29 @@ class Message
// check various properties of the assertion // check various properties of the assertion
$config = \SimpleSAML\Configuration::getInstance(); $config = \SimpleSAML\Configuration::getInstance();
$allowed_assertion_offset = $config->getInteger('assertion.allowed_offset', 60); $allowed_clock_skew = $config->getInteger('assertion.allowed_clock_skew', 180);
$options = [ $options = [
'options' => [ 'options' => [
'default' => 60, // value to return if the filter fails 'default' => 180,
// other options here 'min_range' => 180,
'min_range' => 0,
'max_range' => 300, 'max_range' => 300,
], ],
]; ];
$allowed_assertion_offset = filter_var($allowed_assertion_offset, FILTER_VALIDATE_INT, $options); $allowed_clock_skew = filter_var($allowed_clock_skew, FILTER_VALIDATE_INT, $options);
$notBefore = $assertion->getNotBefore(); $notBefore = $assertion->getNotBefore();
if ($notBefore !== null && $notBefore > time() + $allowed_assertion_offset) { if ($notBefore !== null && $notBefore > time() + $allowed_clock_skew) {
throw new \SimpleSAML\Error\Exception( throw new \SimpleSAML\Error\Exception(
'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.' 'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.'
); );
} }
$notOnOrAfter = $assertion->getNotOnOrAfter(); $notOnOrAfter = $assertion->getNotOnOrAfter();
if ($notOnOrAfter !== null && $notOnOrAfter <= time() - $allowed_assertion_offset) { if ($notOnOrAfter !== null && $notOnOrAfter <= time() - $allowed_clock_skew) {
throw new \SimpleSAML\Error\Exception( throw new \SimpleSAML\Error\Exception(
'Received an assertion that has expired. Check clock synchronization on IdP and SP.' 'Received an assertion that has expired. Check clock synchronization on IdP and SP.'
); );
} }
$sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter(); $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - $allowed_assertion_offset) { if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - $allowed_clock_skew) {
throw new \SimpleSAML\Error\Exception( throw new \SimpleSAML\Error\Exception(
'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.' 'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.'
); );
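Review bot: A misconfigured `assertion.allowed_clock_skew` is silently replaced by 180, because `'default' => 180` makes filter_var return the default for any value outside `min_range`/`max_range`; an operator who sets 60 (the old default) or 600 gets no signal that their value was ignored, and the old key `assertion.allowed_offset` is no longer read either, so existing configurations fall back to 180 without notice unless handled elsewhere in the commit. Consider logging the discrepancy after the filter_var call: `if ($allowed_clock_skew !== $config->getInteger('assertion.allowed_clock_skew', 180)) {` / `    \SimpleSAML\Logger::warning('assertion.allowed_clock_skew outside the allowed range 180-300, using 180');` / `}`. The default inside the filter options and the default passed to getInteger are now the same literal twice; a single named constant would keep them from drifting. The enclosing method of class Message starts before and continues after this hunk.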