SAML Assertion Conditions

My name is Sabina, software developer at GRB. We have been using ComponentSpace SAML for implementing our single sign on. We are using SP initiated Single sign on. Everything is working fine when we don't add "Conditions" in our SAML Assertions. When I added a SAML assertion condition, I am having trouble validating them.

ComponentSpace.SAML2.Assertions.Conditions conditions = new ComponentSpace.SAML2.Assertions.Conditions();

// Validity window starts now (UTC) and ends five minutes later
conditions.NotBefore = DateTime.Now.ToUniversalTime();

conditions.NotOnOrAfter = DateTime.Now.ToUniversalTime().AddMinutes(5);

conditions.ConditionsList.Add(new ComponentSpace.SAML2.Assertions.OneTimeUse());

samlAssertion.Conditions = conditions;

When the SP receives the samlResponse and tries to validate it (ComponentSpace.SAML2.Assertions.Conditions.IsValid(samlResponseXml)), it always results in false.

If I use ComponentSpace.SAML2.Protocols.AuthnRequest.IsValid(authenticationRequestXml) then it always returns true even if NotOnOrAfter is before NotBefore.

I have attached the SamlResponseXml for your reference. Please suggest what I am doing wrong.

We generally recommend not setting the NotBefore value to UTC now as this doesn’t allow for any discrepancies between the server clocks.
Please try the following code.


using ComponentSpace.SAML2.Assertions;

samlAssertion.Conditions = new Conditions(new TimeSpan(0, 5, 0));
samlAssertion.Conditions.ConditionsList.Add(new OneTimeUse());


The NotBefore time is calculated as the current UTC time less the time span. The NotOnOrAfter time is calculated as the current UTC time plus the time span.
Also, please note that Conditions.IsValid and AuthnRequest.IsValid are checking the XML format rather than the conditions.
To check the validity period, you would call Conditions.IsWithinTimePeriod().

Thanks for the response, that seems to work better. But I found that using TimeSpan sets twice the time for NotOnOrAfter.

samlAssertion.Conditions = new Conditions(new TimeSpan(0, 5, 0));
samlAssertion.Conditions.ConditionsList.Add(new OneTimeUse());

The above statements set Saml Condition as follows:
<saml:Conditions NotBefore="2016-06-30T19:06:32.524Z" NotOnOrAfter="2016-06-30T19:16:32.524Z"><saml:OneTimeUse /></saml:Conditions>


Instead of setting NotOnOrAfter 5 min after now, it sets it 10 min after NotBefore.

Thanks,
Sabina

NotBefore = UTC Now - TimeSpan
NotOnOrAfter = UTC Now + TimeSpan

UTC now was 19:11:32.524.
NotBefore = 19:11:32.524 - 00:05:00 = 19:06:32.524
NotOnOrAfter = 19:11:32.524 + 00:05:00 = 19:16:32.524

The result is a 10 minute validity period, i.e. 5 minutes either side of the current time.
In reality, if the clocks are synchronized, the interval is only 5 minutes as the NotBefore to Now period won’t apply.
However, it does allow the clocks to be slightly skewed.
If you’re concerned then you can set the NotBefore and NotOnOrAfter times individually.
However, we don’t recommend setting NotBefore to DateTime.UtcNow as this requires the clocks to be precisely synchronized.
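The window arithmetic in the two replies above, and the relying-party check that the first reply says Conditions.IsWithinTimePeriod() performs, are easy to reason about when written out. The following is an added example in Python; it is not ComponentSpace code and does not use its API. It builds NotBefore/NotOnOrAfter from a current time and a time span exactly as described (now minus the span, now plus the span), parses the saml:Conditions element quoted earlier in the thread (with an xmlns:saml declaration added so it parses stand-alone), and checks it against a supplied clock using the SAML rule NotBefore <= now < NotOnOrAfter. The optional receiver-side skew parameter and the OneTimeUse replay cache are assumptions of this example, not something the thread describes.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the Conditions element quoted in the thread, plus the
# namespace declaration it needs to parse on its own.
SAMPLE_CONDITIONS_XML = (
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2016-06-30T19:06:32.524Z" NotOnOrAfter="2016-06-30T19:16:32.524Z">'
    "<saml:OneTimeUse /></saml:Conditions>"
)


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


def build_conditions(now: datetime, span: timedelta) -> Tuple[datetime, datetime]:
    """Issuer side: NotBefore = now - span, NotOnOrAfter = now + span."""
    now = now.astimezone(timezone.utc)
    return now - span, now + span


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime such as 2016-06-30T19:06:32.524Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # older fromisoformat() does not accept 'Z'
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML instants must carry a timezone")
    return dt.astimezone(timezone.utc)


@dataclass
class ParsedConditions:
    not_before: Optional[datetime]
    not_on_or_after: Optional[datetime]
    one_time_use: bool


def parse_conditions(xml_text: str) -> ParsedConditions:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Conditions":
        raise ValueError(f"expected saml:Conditions, got {root.tag}")
    nb = root.get("NotBefore")
    noa = root.get("NotOnOrAfter")
    return ParsedConditions(
        not_before=parse_saml_instant(nb) if nb else None,
        not_on_or_after=parse_saml_instant(noa) if noa else None,
        one_time_use=root.find(f"{{{SAML_NS}}}OneTimeUse") is not None,
    )


def is_within_time_period(cond: ParsedConditions, now: datetime,
                          skew: timedelta = timedelta(0)) -> bool:
    """Relying-party check: NotBefore <= now < NotOnOrAfter, widened by an optional skew."""
    now = now.astimezone(timezone.utc)
    if cond.not_before is not None and now + skew < cond.not_before:
        return False  # assertion not yet valid
    if cond.not_on_or_after is not None and now - skew >= cond.not_on_or_after:
        return False  # assertion expired (NotOnOrAfter itself is excluded)
    return True


class OneTimeUseCache:
    """Remember assertion IDs until their NotOnOrAfter so a OneTimeUse assertion is accepted once.

    Assumption of this example: a single-process in-memory cache; a real deployment
    would share this state across SP instances.
    """

    def __init__(self) -> None:
        self._seen: Dict[str, datetime] = {}

    def accept(self, assertion_id: str, cond: ParsedConditions, now: datetime) -> bool:
        now = now.astimezone(timezone.utc)
        # Entries past NotOnOrAfter can no longer pass the time check, so drop them.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False  # replay
        # Without NotOnOrAfter, bound the cache with an assumed one-hour retention.
        self._seen[assertion_id] = cond.not_on_or_after or now + timedelta(hours=1)
        return True


if __name__ == "__main__":
    cond = parse_conditions(SAMPLE_CONDITIONS_XML)
    now = parse_saml_instant("2016-06-30T19:11:32.524Z")
    print("issuer window:", build_conditions(now, minutes(5)))
    print("valid at 19:11:32?", is_within_time_period(cond, now))
    print("valid at 19:16:32?", is_within_time_period(cond, parse_saml_instant("2016-06-30T19:16:32.524Z")))
```

Run with a current time of 19:11:32.524 and a five minute span, build_conditions returns the 19:06:32.524 / 19:16:32.524 pair from the thread, and the check passes at any instant from NotBefore up to, but not including, NotOnOrAfter.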