Is there an API in OpenSAML library to check expiration of SAML2 token?

Question

I am working with OpenSAML library to generate SAML2 tokens. I was under the impression that validation signature of the token will also check for its expiration which apparently is not the case. Is there an API provided by the library that I can use to check for the expiration? Like checkIfExpired() in the following code snippet:

public static boolean validateSignature(String token, Credential credential)
    {
       try {

        InputStream in = new ByteArrayInputStream(token.getBytes());
        Document inCommonMDDoc = ppMgr.parse(in);
        AssertionUnmarshaller unmarshaller = new AssertionUnmarshaller();
        Assertion assertion = (Assertion) unmarshaller
                .unmarshall(inCommonMDDoc.getDocumentElement());
        SignatureValidator validator = new SignatureValidator(credential);
        try {
            validator.validate(assertion.getSignature());

             return checkIfExpired(assertion) ; // -- Checks if assertion has expired and return true/false

        } catch (ValidationException e) {
            log.error("Invalid Signature", e);
            return false;
        }
    } catch (Exception e) {
        log.error("Unable to perform Signature Validation", e);

    }
}

NOTE: I want to avoid doing it manually if OpenSAML already has an API for it.

Stefan Rasmusson · Accepted Answer · 2013-05-24T09:12:32.803

4

The way to check if the assertion is expired is to check the conditions in the assertion. Something like this.

if (assertion.getConditions().getNotBefore() != null && assertion.getConditions().getNotBefore().isAfterNow()) {
    throw new ValidationException("Condition states that assertion is not yet valid (is the server time correct?)");
}

if (assertion.getConditions().getNotOnOrAfter() != null
                && (assertion.getConditions().getNotOnOrAfter().isBeforeNow() || assertion.getConditions().getNotOnOrAfter().isEqualNow())) {
    throw new ValidationException("Condition states that assertion is no longer valid (is the server time correct?)");
}

As far as I now there is no simpler method for doing this. The right way is probably to write a validator, maybe extend the ConditionsSpecValidator. This Validator does not bye itself validate all conditions

edited May 24 '13 at 09:12

answered May 24 '13 at 07:29

Stefan Rasmusson

5,445
3
21
48

Thanks Stefan.This is useful. Since it is a common enough use case I wish they incorporated it in their standard API. – nadirsaghar May 24 '13 at 16:20
Yes, as I said they have a ConditionsSpecValidator but it seem incomplete. I will send them a mail on their mailing list and see what they say. It seems strange to release a validator that lacks something so vital. – Stefan Rasmusson May 24 '13 at 20:26
1

I have been in contact with the dev team and it seams they have removed the validators alltogether in later releases. here is the mail thread http://marc.info/?t=137354098500007&r=1&w=2 – Stefan Rasmusson Jul 16 '13 at 14:14

Is there an API in OpenSAML library to check expiration of SAML2 token?

1 Answers1