  • Using different version of SAML 1.0.0.RC2 than source code makes me believe

    I tried this both using maven and adding the jar file to the class path manually.

    The problem occurs when trying to use SSO with a local SP that is not synchronised, but only a few seconds behind in time. Normally this shouldn't be a problem, as by default the WebSSOProfileConsumerImpl bean allows for a time difference of 60 seconds. However, this seems not to be the case, and I get an error message.

    org.opensaml.common.SAMLException: SAML response is not valid
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:344)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:220)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:167)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:97)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    ...

    and the following is logged

    "DEBUG ork.security.saml.websso.WebSSOProfileConsumerImpl - Assertion is not yet valid, invalidated by condition notBefore
    DEBUG framework.security.saml.SAMLAuthenticationProvider - Error validating message"


    If I synchronise the SP I do not get this exception, but I do need SSO to work on a slightly unsynchronised SP.

    The weird thing is that when debugging I noticed that it does not follow the source code. The method verifyAssertionConditions seems not to take into account the responseSkew property, unlike what's shown in the source code. Also, shouldn't the logged "Assertion is not yet valid, invalidated by condition notBefore" message be followed by a time?

    I have the feeling that the library I am using right now is not what it should be.
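
Added example, not part of the original post and not Spring Security SAML's own code: a stand-alone check of an assertion's NotBefore/NotOnOrAfter window with a configurable skew, showing why an SP clock a few seconds behind the IdP is rejected with no tolerance and accepted with 60 seconds. The class and method names and all timestamps are constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Illustrative only: names are hypothetical, not Spring Security SAML classes.
public class AssertionWindowCheck {

    enum Result { VALID, NOT_YET_VALID, EXPIRED }

    // Valid when notBefore <= now < notOnOrAfter, with each bound relaxed by `skew`.
    // The skew applies to both bounds, so a larger value also lengthens the time
    // an expired assertion is still accepted; keep it close to the real clock drift.
    static Result check(Instant notBefore, Instant notOnOrAfter, Instant now, Duration skew) {
        if (skew.isNegative()) {
            throw new IllegalArgumentException("skew must not be negative");
        }
        if (notBefore != null && now.plus(skew).isBefore(notBefore)) {
            return Result.NOT_YET_VALID;
        }
        if (notOnOrAfter != null && !now.minus(skew).isBefore(notOnOrAfter)) {
            return Result.EXPIRED;
        }
        return Result.VALID;
    }

    public static void main(String[] args) {
        // Constructed sample values: the IdP issues an assertion valid for 5 minutes.
        Instant idpNow = Instant.parse("2012-01-01T12:00:00Z");
        Instant notBefore = idpNow;
        Instant notOnOrAfter = idpNow.plusSeconds(300);
        Duration tolerance = Duration.ofSeconds(60);

        // SP clock a few seconds behind the IdP, as the post describes (5 s chosen here).
        Instant spNow = idpNow.minusSeconds(5);
        System.out.println("no skew:   " + check(notBefore, notOnOrAfter, spNow, Duration.ZERO));
        System.out.println("60 s skew: " + check(notBefore, notOnOrAfter, spNow, tolerance));

        // Same assertion presented 6 minutes later: the tolerance no longer covers it.
        Instant later = idpNow.plusSeconds(360);
        System.out.println("replayed:  " + check(notBefore, notOnOrAfter, later, tolerance));
    }
}
```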