Hi Dinali,

On Thu, Jul 18, 2019 at 2:12 PM Dinali Dabarera <[email protected]> wrote:

> Hi all,
>
> As an improvement for the SAML request validations, we have introduced
> "issueInstant" property validation as per the solution for the public issue
> [1]
>
> In order to enable this improvement, we have introduced two new properties
> in the identity.xml file under <SSOService> tag.
>
> <SAML2AuthenticationRequestValidityPeriodEnabled>true</SAML2AuthenticationRequestValidityPeriodEnabled>
> <!-- Request validity period in minutes-->
> <SAML2AuthenticationRequestValidityPeriod>5</SAML2AuthenticationRequestValidityPeriod>
>
> In the public implementation, we thought of keeping the
> <SAML2AuthenticationRequestValidityPeriodEnabled>
> as "true", because it is good to validate the request issue time although
> it is not mandatory in the spec [2].

We have to capture this behavior change in the migration docs. So anyone who migrates is aware of this change and goes for the recommended option, unless specifically needed.

Thanks,

> In our implementation, the default validity period will be 5 minutes and
> it is a considerable valid period to do the validation. Hence, all the
> requests which are received by the WSO2 IS after 5 minutes of IssueInstant time
> will be considered as invalid requests and it will fail the flow. As we
> take the Joda time (Z time) there will be no issue of time zones as well.
> Therefore, we believe that this fix will not break any existing valid SAML
> flows of WSO2 Identity Server.
>
> If nobody needs this validation, they can simply disable this or increase
> the validation time period.
>
> Please let us know if there are any concerns regarding enabling this
> request Issue Instant validation.
>
> [1] https://github.com/wso2/product-is/issues/5891
> [2] https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
>
> Thank you!
> Dinali
>
> --
> *Dinali Rosemin Dabarera*
> Senior Software Engineer
> IAM Domain
> WSO2 Lanka (pvt) Ltd.
> Web: http://wso2.com/
> Email : [email protected]
> LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
> Mobile: +94770198933

--
Regards,

*Darshana Gunawardana*
Technical Lead
WSO2 Inc.; http://wso2.com

*E-mail: [email protected] <[email protected]>*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
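
The IssueInstant check discussed in this thread, as an added Python example (not part of the original e-mails and not WSO2 Identity Server code). The function names, the 30-second allowance for future-dated requests and the sample request are assumptions made for illustration; the `enabled` and `period_minutes` parameters stand in for the two identity.xml properties.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ALLOWED_FUTURE_SKEW = timedelta(seconds=30)  # assumption, not stated in the thread


def parse_issue_instant(value):
    """Parse an xs:dateTime IssueInstant into a timezone-aware UTC datetime."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # fromisoformat() on older Pythons rejects "Z"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        # Without a zone designator the instant cannot be placed on the UTC timeline.
        raise ValueError("IssueInstant has no time zone designator")
    return parsed.astimezone(timezone.utc)


def check_authn_request(xml_text, now, enabled=True, period_minutes=5):
    """Return (accepted, reason); `now` must be a timezone-aware UTC datetime."""
    # Input here is a constructed sample; untrusted XML needs a hardened parser.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, "not an AuthnRequest"
    if not enabled:
        return True, "validation disabled"
    raw = root.get("IssueInstant")
    if raw is None:
        return False, "IssueInstant missing"
    try:
        issued = parse_issue_instant(raw)
    except ValueError as exc:
        return False, f"IssueInstant invalid: {exc}"
    age = now - issued
    if age > timedelta(minutes=period_minutes):
        return False, "expired"
    if age < -ALLOWED_FUTURE_SKEW:
        return False, "issued in the future"
    return True, "ok"


def sample_request(issue_instant):
    """Build a constructed AuthnRequest (hypothetical ID) with the given IssueInstant."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" '
            f'Version="2.0" IssueInstant="{issue_instant}"/>')


if __name__ == "__main__":
    now = datetime(2019, 7, 18, 8, 50, tzinfo=timezone.utc)  # constructed clock
    print(check_authn_request(sample_request("2019-07-18T08:44:59Z"), now))
```

Passing `now` explicitly keeps the check deterministic in tests; a deployment that raises the validity period to absorb clock drift also widens the window in which a captured request is still accepted.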
