Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-10191

Add Skew to NotOnOrAfter and NotBefore Assertion Conditions

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.4, 13.5.1, 14.0.0
    • Fix Version/s: 6.0.0, 14.1.2, 5.5.2
    • Component/s: None
    • Labels:
    • Sprint:
      AM Sustaining Sprint 47
    • Story Points:
      4
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      With the implementation of OPENAM-5640, Hosted SPs now validate NotOnOrAfter and NotBefore assertion conditions, but time skew is not applied.

      Skew can be applied on the IDP for the NotBefore, but if the end user does not have access to the IDP and the IDP and SP system clocks are not in sync, assertion validation will fail if the IDP issues an assertion NotBefore condition with a system time that is advance from actual current time.

      Hosted SPs have "Assertion Time Skew" but this only applies to Assertion SubjectConfirmation, but not Assertion Conditions.

      Option 1: Have the SubjectConfirmation Time Skew apply to the NotOnOrAfter and NotBefore Assertion Conditions.

      Option 2: Create a second Time Skew value for Assertion Conditions.

      Either way, we should change the console dialog from "Is in seconds. This is the skew time for NotBefore attributes in assertion" to note that it does or does not apply to Assertion Conditions along with SubjectConfirmation.

      This is related to OPENAM-5639

        Attachments

          Activity

            People

            • Assignee:
              sfraser Sam Fraser
              Reporter:
              sfraser Sam Fraser
            • Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: