4 Replies Latest reply: Dec 16, 2010 10:05 PM by Andrew Oliver

time sync issue

Andrew Oliver

At the top of a SAML request you have

 

<samlp:Response ID="_f92000e0-5d5b-4211-b071-9647a4f60495" Version="2.0" IssueInstant="2010-12-15T17:05:10.422Z"

(not from the same request/response as the log message below)

 

In the SAML body you have

 

<Conditions NotBefore="2010-12-15T17:05:10.419Z" NotOnOrAfter="2010-12-15T18:05:10.419Z">

 

If the SP has a time that is slightly off from the IDP:

 

2010-12-16 14:36:29,113 TRACE [org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil] (http08.dev-we.dev-dirsrv.com%2F10.2.184.209-8443-1) Now=2010-12-16T14:36:29.113-06:00 ::notBefore=2010-12-160.147Z::notOnOrAfter=2010-12-16T21:36:30.147Z
2010-12-16 14:36:29,113 TRACE [org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil] (http-appserver%2F10.2.184.209-8443-1) Now=2010-12-16T14:36:29.113-06:00 ::notBefore=2010-12-16T20:36:30.147Z::notOnOrAfter=2010-12-16T21:36:30.147Z

 

Then you get this:

 

2010-12-16 14:36:29,113 TRACE [org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator] (http-webeval08.dev-we.dev-dirsrv.com%2F10.2.184.209-8443-1) Server Exception:
org.picketlink.identity.federation.core.exceptions.ProcessingException: Assertion has expired
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:364)
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:308)
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:114)
        at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:74)
        at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:164)
        at org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator.authenticate(SPPostFormAuthenticator.java:198)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
        at org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:151)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
        at java.lang.Thread.run(Thread.java:619)
Caused by: org.picketlink.identity.federation.core.saml.v2.exceptions.AssertionExpiredException
        at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:363)
        ... 20 more

 

Which comes down to:

 

($ vi ../1.0.4.final/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/saml/v2/util/XMLTimeUtil.java)

"
   public static boolean isValid(XMLGregorianCalendar now,
         XMLGregorianCalendar notbefore, XMLGregorianCalendar notOnOrAfter)
   {
      if(notbefore == null)
         throw new IllegalArgumentException("notbefore argument is null");
      if(notOnOrAfter == null)
         throw new IllegalArgumentException("notOnOrAfter argument is null");

      // NotBefore later than now (or not comparable, e.g. a missing time zone): reject.
      // There is no tolerance here, so a clock one second behind the IDP fails.
      int val = notbefore.compare(now);

      if(val == DatatypeConstants.INDETERMINATE || val == DatatypeConstants.GREATER)
        return false;

      // NotOnOrAfter must be strictly later than now.
      val = notOnOrAfter.compare(now);
      if(val != DatatypeConstants.GREATER)
         return false;
      return true;
   }
"

 

It seems reasonable to me to configure a clock skew based on the IssueInstant and change the comparison by the difference between NOW and IssueInstant. If IssueInstant is 2s > NOW then NotBefore should be adjusted 2 seconds.

 

Discussion:

http://shibboleth.1660669.n2.nabble.com/SAML-Assertion-Condition-NotBefore-problem-td5581560.html

http://issues.connectopensource.org/browse/GATEWAY-306

 

I'll file a JIRA... what do you think about this clock-skew fun?
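The NotBefore/NotOnOrAfter rule from XMLTimeUtil.isValid and the IssueInstant-based skew adjustment proposed in the post, re-expressed in Python as an added example (not PicketLink's code). The timestamps are the ones from the TRACE line above; the IssueInstant value and the 2-second tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta


def parse_xsd_datetime(text: str) -> datetime:
    """Parse an xsd:dateTime as used in SAML; a trailing 'Z' is normalised to +00:00."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        # Counterpart of DatatypeConstants.INDETERMINATE: an offset-less time is not comparable.
        raise ValueError("SAML timestamp without time zone: " + text)
    return value


def is_valid(now: datetime, not_before: datetime, not_on_or_after: datetime) -> bool:
    """Same rule as XMLTimeUtil.isValid: NotBefore <= now < NotOnOrAfter, with no tolerance."""
    return not_before <= now < not_on_or_after


def observed_skew(now: datetime, issue_instant: datetime) -> timedelta:
    """How far ahead (positive) or behind (negative) the IDP clock appears relative to the SP."""
    return issue_instant - now


def is_valid_with_skew(now: datetime, not_before: datetime, not_on_or_after: datetime,
                       issue_instant: datetime, max_skew: timedelta) -> bool:
    """The post's proposal: shift the SP's 'now' by the IssueInstant difference.
    The shift is only applied within a configured bound, so an IssueInstant that is
    far off cannot be used to stretch the validity window arbitrarily."""
    skew = observed_skew(now, issue_instant)
    if abs(skew) > max_skew:
        return False
    return is_valid(now + skew, not_before, not_on_or_after)


# Values from the TRACE line in the post (SP local time is -06:00, i.e. 20:36:29.113Z).
SP_NOW = parse_xsd_datetime("2010-12-16T14:36:29.113-06:00")
NOT_BEFORE = parse_xsd_datetime("2010-12-16T20:36:30.147Z")
NOT_ON_OR_AFTER = parse_xsd_datetime("2010-12-16T21:36:30.147Z")
# Constructed: assume the IDP stamped IssueInstant at the same instant as NotBefore.
ISSUE_INSTANT = parse_xsd_datetime("2010-12-16T20:36:30.147Z")
MAX_SKEW = timedelta(seconds=2)  # constructed tolerance

if __name__ == "__main__":
    print("strict  :", is_valid(SP_NOW, NOT_BEFORE, NOT_ON_OR_AFTER))  # False: NotBefore is 1.034s ahead
    print("skew    :", observed_skew(SP_NOW, ISSUE_INSTANT))  # 0:00:01.034000
    print("adjusted:", is_valid_with_skew(SP_NOW, NOT_BEFORE, NOT_ON_OR_AFTER, ISSUE_INSTANT, MAX_SKEW))  # True
```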