Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 7.0.1
    • Fix Version/s: 9.0.0
    • Component/s: None
    • Labels:
      None

      Description

      In order to do a better SAML replay we need to add options to SAML clients to override the default realm expiration times.

      Currently there are three elements that contain time constraints:

      1. The SubjectConfirmationData inside the subject:

      <saml:SubjectConfirmationData InResponseTo="XXXX" NotOnOrAfter="2019-11-11T11:45:18.752Z" Recipient="YYY"/>

      This is obtained from the realm access token lifespan.

      2. The constraints inside the conditions:

      <saml:Conditions NotBefore="2019-11-11T11:35:18.752Z" NotOnOrAfter="2019-11-11T11:45:18.752Z">
        <saml:AudienceRestriction>
          <saml:Audience>https://...</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>

      This lifespan is taken from the realm Access Code Lifespan.

      3. The session lifespan:

      <saml:AuthnStatement AuthnInstant="2019-11-11T11:35:20.764Z" SessionIndex="XXX" SessionNotOnOrAfter="2019-11-11T21:35:20.764Z">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>

      This value is taken from the realm SSO Session Max Lifespan.

      Everything is set in SamlProtocol.java. I think that at least the first two should be added to the client to override the default values.
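      The three time windows described above are what a relying party has to enforce to reject a replayed or stale assertion. The following Python script is an added example (not code from this issue or from Keycloak) that parses a constructed assertion carrying the same timestamps shown above, reports which of the three constraints are violated at a given instant (with a small clock-skew allowance), and recovers the effective lifespans the issue says are derived from the realm settings. Python is used here rather than Java only so the check runs as a stand-alone script; the audience URL, the skew value and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: same three timed elements (and timestamps) as in the issue,
# with a placeholder audience. Not a real Keycloak response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="XXXX" NotOnOrAfter="2019-11-11T11:45:18.752Z" Recipient="YYY"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-11-11T11:35:18.752Z" NotOnOrAfter="2019-11-11T11:45:18.752Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2019-11-11T11:35:20.764Z" SessionIndex="XXX" SessionNotOnOrAfter="2019-11-11T21:35:20.764Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xsd:dateTime such as 2019-11-11T11:45:18.752Z into an aware datetime."""
    if value.endswith("Z"):  # fromisoformat on older Pythons does not accept a trailing Z
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_time_constraints(assertion_xml, now, skew=timedelta(seconds=30)):
    """Return the list of violated time constraints; an empty list means all windows hold.

    NotOnOrAfter is exclusive (valid strictly before it), NotBefore is inclusive.
    `skew` is the tolerance for clock drift between IdP and SP (assumed value).
    """
    root = ET.fromstring(assertion_xml)
    problems = []

    # 1. SubjectConfirmationData/@NotOnOrAfter (realm access token lifespan)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is not None and "NotOnOrAfter" in scd.attrib:
        if now >= parse_saml_instant(scd.attrib["NotOnOrAfter"]) + skew:
            problems.append("SubjectConfirmationData expired")

    # 2. Conditions/@NotBefore and @NotOnOrAfter (realm access code lifespan)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before = cond.attrib.get("NotBefore")
        if not_before and now < parse_saml_instant(not_before) - skew:
            problems.append("Conditions not yet valid")
        not_on_or_after = cond.attrib.get("NotOnOrAfter")
        if not_on_or_after and now >= parse_saml_instant(not_on_or_after) + skew:
            problems.append("Conditions expired")

    # 3. AuthnStatement/@SessionNotOnOrAfter (realm SSO session max lifespan)
    for stmt in root.findall("saml:AuthnStatement", NS):
        session_end = stmt.attrib.get("SessionNotOnOrAfter")
        if session_end and now >= parse_saml_instant(session_end) + skew:
            problems.append("Session expired")

    return problems


def effective_lifespans(assertion_xml):
    """Recover the lifespans the IdP applied, as seconds, from the assertion's own timestamps."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    stmt = root.find("saml:AuthnStatement", NS)
    conditions_span = parse_saml_instant(cond.attrib["NotOnOrAfter"]) - parse_saml_instant(cond.attrib["NotBefore"])
    session_span = parse_saml_instant(stmt.attrib["SessionNotOnOrAfter"]) - parse_saml_instant(stmt.attrib["AuthnInstant"])
    return {"conditions": int(conditions_span.total_seconds()), "session": int(session_span.total_seconds())}


if __name__ == "__main__":
    for when in ("2019-11-11T11:40:00Z", "2019-11-11T11:46:00Z", "2019-11-11T22:00:00Z"):
        print(when, check_time_constraints(SAMPLE_ASSERTION, parse_saml_instant(when)))
    print(effective_lifespans(SAMPLE_ASSERTION))
```

      With the sample timestamps the assertion is accepted at 11:40, rejected on the first two constraints a minute after 11:45 (the session window is still open), and rejected on all three after 21:35. The recovered spans (600 s for the conditions window, 36000 s for the session) show why a per-client override matters: both are otherwise fixed by realm-wide settings, so a short replay window for one client currently forces a short window for every client in the realm.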

      People

              • Assignee:
                rhn-support-rmartinc Ricardo Martin Camarero
                Reporter:
                rhn-support-rmartinc Ricardo Martin Camarero
              • Votes: 1
                Watchers: 2