Hi all,
As an improvement to the SAML request validations, we have introduced
"IssueInstant" property validation as per the solution for the public issue
[1].
In order to enable this improvement, we have introduced two new properties
in the identity.xml file under the <SSOService> tag:

    <SAML2AuthenticationRequestValidityPeriodEnabled>true</SAML2AuthenticationRequestValidityPeriodEnabled>
    <!-- Request validity period in minutes -->
    <SAML2AuthenticationRequestValidityPeriod>5</SAML2AuthenticationRequestValidityPeriod>
In the public implementation, we thought of keeping
<SAML2AuthenticationRequestValidityPeriodEnabled> as "true", because it is
good to validate the request issue time, although it is not mandatory in the
spec [2].
In our implementation, the default validity period will be 5 minutes, which
is a considerable period for the validation. Hence, all requests received by
WSO2 IS more than 5 minutes after the IssueInstant time will be considered
invalid and will fail the flow. As we use Joda time (Z time), there will be
no time zone issues either. Therefore, we believe that this fix will not break
any existing valid SAML flows of WSO2 Identity Server.
If anyone does not need this validation, they can simply disable it or
increase the validity period.
Please let us know if there are any concerns regarding enabling this request
IssueInstant validation.
[1] https://github.com/wso2/product-is/issues/5891
[2] https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
Thank you!
Dinali
--
*Dinali Rosemin Dabarera*
Senior Software Engineer
IAM Domain
WSO2 Lanka (pvt) Ltd.
Web: http://wso2.com/
Email : [email protected]
LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
Mobile: +94770198933
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
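The IssueInstant check the mail describes, as an added example in Python. This is illustration code written for this page, not WSO2 Identity Server's implementation: the AuthnRequest XML is a constructed sample, the function names and the `enabled` / `validity_minutes` parameters are assumptions that mirror the two identity.xml properties, and the rejection of a future-dated IssueInstant beyond a small clock-skew allowance is an addition here that the mail does not describe. The parser normalises any offset to UTC so the comparison is free of time zone effects, which is the property the mail relies on.

```python
"""Added example: IssueInstant validity window for a SAML 2.0 AuthnRequest.

Illustration only; not WSO2 Identity Server's own code. The sample XML is
constructed and the helper names/parameters are assumptions.
"""
import re
import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from datetime import datetime, timedelta, timezone
from typing import Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest; the ID and URLs are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-request-id" Version="2.0" '
    'IssueInstant="{issue_instant}" '
    'Destination="https://idp.example/samlsso" '
    'AssertionConsumerServiceURL="https://sp.example/acs">'
    "<saml:Issuer>sp.example</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

# xs:dateTime as SAML uses it: date, time, optional fraction, 'Z' or an offset.
_DATETIME_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)


def parse_saml_datetime(value: str) -> datetime:
    """Parse an xs:dateTime into a timezone-aware UTC datetime.

    SAML core 1.3.3 requires UTC ('Z'); an explicit offset is tolerated here
    and converted to UTC so every later comparison is zone-free.
    """
    m = _DATETIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed IssueInstant: {value!r}")
    date_part, time_part, fraction, zone = m.groups()
    dt = datetime.strptime(f"{date_part}T{time_part}", "%Y-%m-%dT%H:%M:%S")
    if fraction:
        # keep at most microsecond precision, right-padded to six digits
        dt = dt.replace(microsecond=int(fraction[1:7].ljust(6, "0")))
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
    return dt.replace(tzinfo=tz).astimezone(timezone.utc)


def validate_issue_instant(issue_instant: datetime, now: datetime,
                           validity_minutes: int = 5, enabled: bool = True,
                           future_skew_seconds: int = 60) -> Tuple[bool, str]:
    """Apply the validity window.

    `enabled` and `validity_minutes` mirror the two identity.xml knobs from
    the mail. The future-skew bound is an assumption added here: a request
    stamped well ahead of the IdP clock is rejected too.
    """
    if not enabled:
        return True, "IssueInstant validation disabled"
    age = now - issue_instant
    if age > timedelta(minutes=validity_minutes):
        return False, f"IssueInstant is {age} old; limit is {validity_minutes} minutes"
    if age < -timedelta(seconds=future_skew_seconds):
        return False, f"IssueInstant is {-age} in the future; exceeds {future_skew_seconds}s skew"
    return True, "IssueInstant within validity period"


def check_authn_request(xml_text: str, now: datetime, **policy) -> Tuple[bool, str]:
    """Extract IssueInstant from a serialised AuthnRequest and validate it.

    A missing or malformed attribute fails closed.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, f"unexpected root element {root.tag}"
    raw = root.get("IssueInstant")
    if raw is None:
        return False, "AuthnRequest has no IssueInstant attribute"
    try:
        issued = parse_saml_datetime(raw)
    except ValueError as exc:
        return False, str(exc)
    return validate_issue_instant(issued, now, **policy)


if __name__ == "__main__":
    # Fixed 'now' so the run is reproducible; a real IdP uses its own clock.
    now = datetime(2020, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    for stamp in ("2020-01-15T11:57:30Z", "2020-01-15T11:50:00Z",
                  "2020-01-15T13:27:30+01:30", "2020-01-15T12:10:00Z", "not-a-date"):
        ok, why = check_authn_request(SAMPLE_AUTHN_REQUEST.format(issue_instant=stamp), now)
        print(f"{stamp:28} -> {'accept' if ok else 'reject'}: {why}")
```

Note that the boundary is inclusive: a request exactly 5 minutes old is still accepted, and raising `validity_minutes` or passing `enabled=False` reproduces the two escape hatches the mail offers. The `+01:30` sample shows the zone normalisation: it is the same instant as `11:57:30Z` and is accepted on that basis.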