On 31/08/2017 12:29, Colm O hEigeartaigh wrote:
On Thu, Aug 31, 2017 at 11:22 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

About checking the Relay State expiration, the duration is currently set
to 5 seconds but I am afraid it is not currently verified during the
response validation.

5 seconds seems a bit unreasonable, the user may have to type in a username
+ password at the IdP! We could just do something similar to the code in
JWTAuthenticationProvider in terms of verifying the expiry.

Done:

https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=55e09aa
https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=b3db3b1

[1] https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L327-L329
[2] https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L408
[3] https://github.com/apache/syncope/blob/master/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java#L150

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
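
The Relay State expiry check discussed in this thread, sketched as an added example; it is not part of the original messages and is not Syncope's code. The class name, the `nonce.expiry.HMAC` token layout, the demo key and the 5-minute validity are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not Syncope's SAML2SPLogic): a signed RelayState that carries its own expiry.
public class RelayStateExpiryDemo {

    static String sign(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Issued when the AuthnRequest is sent: "<nonce>.<expiry epoch millis>.<HMAC>"
    static String issue(byte[] key, Instant now, Duration validity) throws Exception {
        String body = UUID.randomUUID() + "." + now.plus(validity).toEpochMilli();
        return body + "." + sign(key, body);
    }

    // Called during response validation: reject missing, tampered or expired values.
    static boolean isValid(byte[] key, String relayState, Instant now) throws Exception {
        int sep = relayState == null ? -1 : relayState.lastIndexOf('.');
        if (sep < 0) return false;
        String body = relayState.substring(0, sep);
        byte[] expected = sign(key, body).getBytes(StandardCharsets.UTF_8);
        byte[] actual = relayState.substring(sep + 1).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) return false; // constant-time comparison
        long expiry = Long.parseLong(body.substring(body.indexOf('.') + 1)); // trusted: signature verified
        return now.toEpochMilli() < expiry;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-0123456789ab".getBytes(StandardCharsets.UTF_8); // constructed
        Instant sent = Instant.parse("2017-08-31T10:00:00Z");
        String rs = issue(key, sent, Duration.ofMinutes(5)); // assumed validity, long enough for a login
        String forged = rs.substring(0, rs.indexOf('.')) + ".9999999999999" + rs.substring(rs.lastIndexOf('.'));
        System.out.println("after 90 s at the IdP: " + isValid(key, rs, sent.plusSeconds(90)));
        System.out.println("after 10 minutes:      " + isValid(key, rs, sent.plusSeconds(600)));
        System.out.println("expiry field altered:  " + isValid(key, forged, sent.plusSeconds(90)));
    }
}
```

Because the expiry travels inside the signed value, the check needs no server-side state, but it does not by itself stop the same Relay State being presented twice within its validity window.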
