[NXP-24766] Introduce clock skew in SAML authenticator - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 10.3
Component/s: SAML

Tags:
Upgrade notes:

Hide

This introduces a new nuxeo.saml2.skewTimeMs configuration property to control the clock skew in milliseconds. Default value is 60 * 1000 (1 minute).

Show
This introduces a new nuxeo.saml2.skewTimeMs configuration property to control the clock skew in milliseconds. Default value is 60 * 1000 (1 minute).
Sprint:
nxNS Sprint 10.3.1
Story Points:
3

Description

Since SAML IdP and SP clocks can sometimes be out of sync time based conditions (ie: NotBefore, NotOnOrAfter) can fail validation.

Official suggestions is "SAML system entities SHOULD allow for reasonable clock skew between systems when interpreting time instants and enforcing security policies based on them. Tolerances of 3-5 minutes are reasonable defaults, but allowing for configurability is a suggested practice in implementations."

This clock skew should be configurable in the Nuxeo. In the meantime most IdP do usually allow configuring this time skew so it is recommended for users to do so.

Attachments

Issue Links

is related to

NXP-25748 Fix random in SAMLAuthenticatorTest.testNotBeforeTimeSkew

Resolved

Activity

People

Assignee:

Nelson Silva

Reporter:

Nelson Silva

Participants:

Jenkins, Nelson Silva, Stephen Bouzan

Votes:

1 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2018-04-04 08:14

Updated:

2019-01-22 13:54

Resolved:

2018-09-06 09:31

Time Tracking

Estimated:

Not Specified

Remaining:

Not Specified

Logged: