
How and when is the Service Provider (Spring Security SAML) validating whether the assertion is out of date? I have a Service Provider created and configured in a web application. My Identity Provider is ADFS 2.0, which authenticates and returns a SAML response with an assertion. This assertion has a "Conditions" element with the attributes "NotBefore" and "NotOnOrAfter". As of now my assertion is valid for 1 min.

When I am authenticated, my client session is valid for 10 min. This means that my assertion will expire while the client session is still valid. Should the Service Provider detect that my assertion has expired and therefore ask the IdP to re-authenticate? What am I missing?

Robert

1 Answer


I faced the same problem and am still investigating it. It seems to be a time difference between the SP and the IdP. You can test it by extending WebSSOProfileConsumerImpl and implementing the verifyAssertion method. Here is the code, commented:

import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.validation.ValidationException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

// Class name is ours; wire it in place of the default WebSSOProfileConsumerImpl bean.
public class DebugWebSSOProfileConsumer extends WebSSOProfileConsumerImpl {

    @Override
    protected void verifyAssertion(Assertion assertion, AuthnRequest request, SAMLMessageContext context)
            throws AuthenticationException, SAMLException, org.opensaml.xml.security.SecurityException,
                   ValidationException, DecryptionException {

        /* Disabled for the test: IssueInstant age check (responseSkew plus maxAssertionTime).
        if (!isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant())) {
            throw new SAMLException("Assertion is too old to be used, value can be customized by setting maxAssertionTime value " + assertion.getIssueInstant());
        }
        */

        // Verify validity of storage
        // Advice is ignored, core 574
        verifyIssuer(assertion.getIssuer(), context);
        verifyAssertionSignature(assertion.getSignature(), context);

        // Check subject
        if (assertion.getSubject() != null) {
            verifySubject(assertion.getSubject(), request, context);
        } else {
            throw new SAMLException("Assertion does not contain subject and is discarded");
        }

        // Assertion with authentication statement must contain audience restriction
        if (assertion.getAuthnStatements().size() > 0) {
            // Disabled for the test: NotBefore/NotOnOrAfter and AudienceRestriction check.
            // Leaving this commented out removes the assertion's validity window, so re-enable it after testing.
            //verifyAssertionConditions(assertion.getConditions(), context, true);
            for (AuthnStatement statement : assertion.getAuthnStatements()) {
                if (request != null) {
                    verifyAuthenticationStatement(statement, request.getRequestedAuthnContext(), context);
                } else {
                    verifyAuthenticationStatement(statement, null, context);
                }
            }
        } else {
            verifyAssertionConditions(assertion.getConditions(), context, false);
        }
    }
}
Antonio
  • Hmm, I still don't understand. If I authenticate and wait for about 5 minutes, my assertion will be invalid but my client session is valid. If I refresh the web page in the browser, shouldn't the method verifyAssertion be triggered then? – Robert Oct 26 '15 at 13:25
  • I guess, but I am not sure, that you need to log in again if the server expires your auth. Maybe 1 minute is the time the server retains your authentication. You can see your session validity on the index page of Spring SAML right after you log in. – Antonio Oct 26 '15 at 14:20
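The timing checks discussed in the answer, as an added example that is not the project's own code: it reproduces the NotBefore/NotOnOrAfter window check (with the responseSkew tolerance) and the IssueInstant age check from the commented-out block in plain java.time, then runs the question's scenario of a 1-minute assertion. The class and method names are ours; the 60 s skew and 3000 s maxAssertionTime are Spring Security SAML's defaults. These checks run once, when the SP consumes the SAML Response; later requests are authorized by the HTTP session, which is why the 10-minute session outlives the 1-minute assertion.

```java
import java.time.Duration;
import java.time.Instant;

public final class AssertionWindowCheck {

    public static final class Result {
        public final boolean valid;
        public final String reason;
        Result(boolean valid, String reason) { this.valid = valid; this.reason = reason; }
    }

    // Conditions check: 'now' must fall inside [NotBefore - skew, NotOnOrAfter + skew).
    public static Result checkConditions(Instant notBefore, Instant notOnOrAfter,
                                         Duration responseSkew, Instant now) {
        if (notBefore != null && now.isBefore(notBefore.minus(responseSkew))) {
            return new Result(false, "NotBefore still in the future: IdP clock ahead of SP by more than responseSkew");
        }
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter.plus(responseSkew))) {
            return new Result(false, "NotOnOrAfter passed: assertion expired");
        }
        return new Result(true, "inside validity window");
    }

    // IssueInstant age check: the assertion may be at most maxAssertionTime (+ skew) old.
    public static Result checkIssueInstant(Instant issueInstant, Duration responseSkew,
                                           Duration maxAssertionTime, Instant now) {
        if (issueInstant.isAfter(now.plus(responseSkew))) {
            return new Result(false, "IssueInstant in the future beyond responseSkew");
        }
        if (now.isAfter(issueInstant.plus(maxAssertionTime).plus(responseSkew))) {
            return new Result(false, "assertion older than maxAssertionTime");
        }
        return new Result(true, "IssueInstant acceptable");
    }

    public static void main(String[] args) {
        // Constructed sample: ADFS issues a 1-minute assertion at 13:00:00 UTC.
        Instant issued = Instant.parse("2015-10-26T13:00:00Z");
        Instant notBefore = issued;
        Instant notOnOrAfter = issued.plus(Duration.ofMinutes(1));
        Duration skew = Duration.ofSeconds(60);
        Duration maxAge = Duration.ofSeconds(3000);

        // 1) Response consumed 5 s after issuance: valid.
        System.out.println(checkConditions(notBefore, notOnOrAfter, skew, issued.plusSeconds(5)).reason);
        // 2) SP clock 30 s behind the IdP: NotBefore lies ahead but within skew, so still valid.
        System.out.println(checkConditions(notBefore, notOnOrAfter, skew, issued.minusSeconds(30)).reason);
        // 3) Page refresh 5 min later: the window has passed, but the SP never re-runs this check.
        System.out.println(checkConditions(notBefore, notOnOrAfter, skew, issued.plus(Duration.ofMinutes(5))).reason);
        System.out.println(checkIssueInstant(issued, skew, maxAge, issued.plus(Duration.ofMinutes(5))).reason);
    }
}
```

If case 1 fails in your deployment with the NotBefore reason, the SP clock is behind the IdP by more than the skew; fix the clocks (NTP) rather than widening the window.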