  1. Nuxeo Platform
  2. NXP-24766

Introduce clock skew in SAML authenticator

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.3
    • Component/s: SAML
    • Upgrade notes:
      This introduces a new nuxeo.saml2.skewTimeMs configuration property to control the clock skew in milliseconds. Default value is 60 * 1000 (1 minute).
    • Sprint:
      nxNS Sprint 10.3.1
    • Story Points:
      3

      Description

      Since SAML IdP and SP clocks can sometimes be out of sync, time-based conditions (i.e. NotBefore, NotOnOrAfter) can fail validation.

      The official suggestion is "SAML system entities SHOULD allow for reasonable clock skew between systems when interpreting time instants and enforcing security policies based on them. Tolerances of 3-5 minutes are reasonable defaults, but allowing for configurability is a suggested practice in implementations."

      This clock skew should be configurable in Nuxeo. In the meantime, most IdPs usually allow configuring this time skew, so it is recommended that users do so.
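
As an added example (not Nuxeo's code), the check below shows how a skew tolerance widens the NotBefore / NotOnOrAfter window of a constructed Conditions element. The function names, sample XML and timestamps are assumptions for illustration; only the 60 * 1000 ms default comes from the upgrade notes.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_SKEW_MS = 60 * 1000  # default of nuxeo.saml2.skewTimeMs per the upgrade notes

# Constructed sample: a Conditions element as an IdP might issue it.
# A real assertion must have its signature verified before this check runs.
SAMPLE_CONDITIONS = (
    f'<saml:Conditions xmlns:saml="{SAML_NS}" '
    'NotBefore="2018-11-05T10:00:00Z" NotOnOrAfter="2018-11-05T10:05:00Z"/>'
)

def parse_instant(value):
    """Parse a UTC xs:dateTime (trailing 'Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not a UTC xs:dateTime: {value!r}")

def check_conditions(conditions_xml, now, skew_ms=DEFAULT_SKEW_MS):
    """Return (ok, reason) for the time window, widened by skew_ms on both ends."""
    if skew_ms < 0:
        raise ValueError("skew must be non-negative")
    skew = timedelta(milliseconds=skew_ms)
    elem = ET.fromstring(conditions_xml)
    not_before = elem.get("NotBefore")
    not_on_or_after = elem.get("NotOnOrAfter")
    # NotBefore is inclusive: valid once now (plus skew) has reached it.
    if not_before and now + skew < parse_instant(not_before):
        return False, "not yet valid"
    # NotOnOrAfter is exclusive: invalid once now (minus skew) has reached it.
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "expired"
    return True, "ok"

def demo():
    early = parse_instant("2018-11-05T09:59:30Z")  # SP clock 30 s behind the IdP
    return {
        "behind_strict": check_conditions(SAMPLE_CONDITIONS, early, 0),
        "behind_skewed": check_conditions(SAMPLE_CONDITIONS, early),
        # Exactly NotOnOrAfter + skew is already expired (exclusive bound).
        "edge_expired": check_conditions(SAMPLE_CONDITIONS, parse_instant("2018-11-05T10:06:00Z")),
        "just_inside": check_conditions(SAMPLE_CONDITIONS, parse_instant("2018-11-05T10:05:59Z")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The skew also extends how long an assertion past its NotOnOrAfter is still accepted, so keep the value as small as the clock synchronization between IdP and SP allows.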

              People

              • Votes: 1
              • Watchers: 3

                  Time Tracking

                  • Estimated: Not Specified
                  • Remaining: Not Specified
                  • Logged: 2h