Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-12161

Expires attribute in WS-Fed Active Requestor Profile is expected but is optional


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1
    • Fix Version/s: 13.5.3, 6.0.0, 5.5.2
    • Component/s: WS Federation
    • Labels:
    • Environment:
      Skype for Business for Android authenticating to OpenAM via the WS-Fed active profile
    • Sprint:
      AM Sustaining Sprint 45
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description


      Bug description

      Skype for Business for Android is unable to authenticate to OpenAM via the WS-Fed active profile as it is missing the Expires attribute in the request.

      Reported Error

      An error occurred while processing the Active Request org.forgerock.openam.wsfederation.common.ActiveRequestorException: Unable to find Expires element with http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd namespace

      Reproduction Steps

      1. Set up Office 365 with Modern Authentication disabled and OpenAM as the Federated authentication IDP using WS-Fed
      2. Download Skype for Business for Android client
      3. Attempt to authenticate with a valid Skype account

      Work around



      Expires is optional as-per the XSD http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

      <xsd:element ref="wsu:Expires" minOccurs="0"/>

      and as discussed in https://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717127


      This element represents the expiration of the security semantics.  This is optional, but can appear at most once in a <wsu:Timestamp> element.  Upon expiration, the requestor asserts that its security semantics are no longer valid. It is strongly RECOMMENDED that recipients (anyone who processes this message) discard (ignore) any message whose security semantics have passed their expiration. A Fault code (wsu:MessageExpired) is provided if the recipient wants to inform the requestor that its security semantics were expired. A service MAY issue a Fault indicating the security semantics have expired.

      Code analysis

      In com.sun.identity.wsfederation.servlet.ActiveRequest#extractSecurityDetails, don't fail if the Expires attribute is missing.




            • Assignee:
              markdr Mark de Reeper
              markdr Mark de Reeper
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: