OpenAM / OPENAM-10191

Add Skew to NotOnOrAfter and NotBefore Assertion Conditions


    Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 12.0.4, 13.5.1, 14.0.0
    • 6.0.0, 14.1.2, 5.5.2
    • None
    • AM Sustaining Sprint 47

      Description

      With the implementation of OPENAM-5640, Hosted SPs now validate NotOnOrAfter and NotBefore assertion conditions, but time skew is not applied.

      Skew can be applied on the IDP for the NotBefore, but if the end user does not have access to the IDP and the IDP and SP system clocks are not in sync, assertion validation will fail if the IDP issues an assertion NotBefore condition with a system time that is in advance of the actual current time.

      Hosted SPs have "Assertion Time Skew", but this applies only to the Assertion SubjectConfirmation, not to Assertion Conditions.

      Option 1: Have the SubjectConfirmation Time Skew apply to the NotOnOrAfter and NotBefore Assertion Conditions.

      Option 2: Create a second Time Skew value for Assertion Conditions.

      Either way, we should change the console dialog from "Is in seconds. This is the skew time for NotBefore attributes in assertion" to note that it does or does not apply to Assertion Conditions along with SubjectConfirmation.

      This is related to OPENAM-5639
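
The Conditions check this issue asks for, as an added example (not OpenAM code and not part of the original report): the NotBefore / NotOnOrAfter window is widened by a configurable skew on both ends. The names `check_conditions` and `skew_seconds` and the sample assertion are assumptions made for illustration; signature and audience validation are out of scope here.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an IdP whose clock runs 90 s fast issues this
# assertion when the true time is 2024-01-01T12:00:00Z.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:01:30Z">'
    '<saml:Conditions NotBefore="2024-01-01T12:01:30Z" '
    'NotOnOrAfter="2024-01-01T12:11:30Z"/>'
    '</saml:Assertion>'
)

def parse_instant(value):
    """Parse a SAML xs:dateTime; SAML requires UTC, so insist on the 'Z' suffix."""
    if not value.endswith("Z"):
        raise ValueError("SAML instants must be expressed in UTC")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, now, skew_seconds=0):
    """Return (ok, reason) for the Conditions time window of one assertion.

    skew_seconds is the clock drift the SP tolerates; keep it small, because
    it also lengthens the period in which a captured assertion is accepted.
    """
    if skew_seconds < 0:
        raise ValueError("skew must not be negative")
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return True, "no Conditions element"
    skew = timedelta(seconds=skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # NotBefore is inclusive: valid once (now + skew) reaches it.
    if not_before and now + skew < parse_instant(not_before):
        return False, "NotBefore is in the future"
    # NotOnOrAfter is exclusive: invalid once (now - skew) reaches it.
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "NotOnOrAfter has passed"
    return True, "within validity window"
```

With the sample, a skew of 0 rejects the assertion at 12:00:00Z, which is the failure described above, while a skew of 120 seconds accepts it.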

            People

            sfraser Sam Fraser