Commit 483cdf3

mo <mo@mokhan.ca>
2018-08-11 23:26:32
remove optional SubjectConfirmationData#NotOnOrAfter attribute.
Pingfed is returning the following error:

```text
<![CDATA[org.sourceid.websso.profiles.InvalidSsoResponseException: (reference# HIOEZDSF) Response contains no valid assertions: [ Assertion (_707de540-d06b-41e9-a8b3-75b106b43ed4) Status: INVALID Remarks: (Profiles 4.1.4.2) assertion could not be confirmed - here's why: [#1 subject confirmation is unsatisfactory: [Time condition: for security reasons NotOnOrAfter (2018-08-10T18:37:21Z) cannot be more than 74 minutes ahead of the current time (2018-08-10T15:37:21.386Z)]]]. InMessageContext XML: <Response ID="_006926cd-99bf-4412-ada0-b35f938bc137" Version="2.0" IssueInstant="2018-08-10T15:37:21Z" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="" InResponseTo="" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"></Issuer>
```

Because session_timeout is configurable it's possible to choose a timeout that exceeds this limitation. I have chosen to remove the optional attribute to prevent this error from occurring.
1 parent c169a56
Changed files (3)
lib/saml/kit/builders/assertion.rb
@@ -52,7 +52,6 @@ module Saml
         def subject_confirmation_data_options
           options = {}
           options[:InResponseTo] = request.id if request.present?
-          options[:NotOnOrAfter] = (not_on_or_after - 1.second).iso8601
           options[:Recipient] = destination if destination.present?
           options
         end
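Review bot: dropping `options[:NotOnOrAfter]` from `subject_confirmation_data_options` removes the delivery window from the bearer `SubjectConfirmationData` entirely, which is a weaker fix than the error calls for. The SAML 2.0 Web Browser SSO profile section 4.1.4.2 (the same section PingFederate cites in the commit message) requires the bearer `SubjectConfirmationData` to carry `Recipient` and `NotOnOrAfter`, so a stricter SP may now reject the assertion for the opposite reason, and a relying party that only checks this attribute loses its replay bound. The underlying problem is that the attribute was derived from the configurable `session_timeout` (`not_on_or_after - 1.second`), which is a session lifetime, not a delivery window. Consider keeping the attribute and computing it from a short, fixed delivery window (a few minutes from `IssueInstant`) that is independent of `session_timeout`, so it stays within limits like PingFederate's 74 minutes regardless of configuration.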
lib/saml/kit/version.rb
@@ -2,6 +2,6 @@
 
 module Saml
   module Kit
-    VERSION = '1.0.20'.freeze
+    VERSION = '1.0.21'.freeze
   end
 end
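Review bot: a patch-level bump from `1.0.20` to `1.0.21` understates this change; it alters the emitted assertion by removing an attribute that some service providers validate, so consumers may see a behavioural difference. A CHANGELOG entry describing the removed `SubjectConfirmationData/NotOnOrAfter` attribute and the PingFederate interaction would help downstream users decide whether to pin.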
spec/saml/kit/builders/response_spec.rb
@@ -76,7 +76,7 @@ RSpec.describe Saml::Kit::Builders::Response do
 
       expect(hash['Response']['Assertion']['Subject']['NameID']).to eql(user.name_id)
       expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['Method']).to eql('urn:oasis:names:tc:SAML:2.0:cm:bearer')
-      expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['SubjectConfirmationData']['NotOnOrAfter']).to eql((3.hours.from_now.utc - 1.second).iso8601)
+      expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['SubjectConfirmationData']['NotOnOrAfter']).to be_nil
       expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['SubjectConfirmationData']['Recipient']).to eql(assertion_consumer_service_url)
       expect(hash['Response']['Assertion']['Subject']['SubjectConfirmation']['SubjectConfirmationData']['InResponseTo']).to eql(request.id)
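Review bot: the replaced expectation only checks that `NotOnOrAfter` is nil on `SubjectConfirmationData`; nothing in this spec now asserts that the assertion still carries any time bound. Since the old expectation encoded `3.hours.from_now`, which is exactly the kind of value that tripped the 74 minute limit, consider adding an assertion on the assertion's `Conditions` `NotOnOrAfter` (and `NotBefore`) so the change is visibly a move of the bound rather than its loss, and so a regression that drops the remaining bound would fail this spec.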