I am looking for a way to increase the expiration time of my saml messages. I use Spring Security with SAML 1.0.0-RC2.
At this moment, if the servers** time are too different, e.g. 5 minutes, I got following error:
HTTP Status 401 - Authentication Failed:Error validating SAML message: SAML response is not valid; nested exception is org.opensaml.common.SAMLException: SAML response is not valid
I want to set the expiration time to 10 minutes, to prevent those errors. I have been looking at the documentation, but I don't understand how to change the expiration time. If I look at the Configuration authentication object section, one would be able to change the expiration time but I fail to grasp the idea.
Could somebody help me out?
** My server (SP) and server of the customer (IDP, most likely a server with ADFS installed).
After Stefan's anwser, I knew where to look! Actually the docs did describe this thing, I just didn't pick it up: 10.3 Validity intervals. Cheers to Stefan for pointing out the responseSkew property!
Just add the property responseSkew to the WebSSOProfileConsumerImpl and SingleLogoutProfileImpl beans:
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
<property name="responseSkew" value="600"/> <!-- 10 minutes -->
</bean>
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl">
<property name="responseSkew" value="600"/> <!-- 10 minutes -->
</bean>
Looks like the allowed time differance is hard coded.
See this source file look at the constant responseSkew. The default is 60 sec.
I think your best option here is to try to set the same time on the servers.
I know, the answer has been chosen, but I am sharing resolution which I have found for anyone working with Grails 3, spring security core, SAML 2.0.
I had to setmaxAssertionTime value along with responseSkew for WebSSOProfileConsumerImpl to be able to get the response back from the IDP.
来源:https://stackoverflow.com/questions/25647925/spring-security-saml-time-difference-between-sp-and-idp