NotOnOrAfter in SubjectConfirmationData and Conditions and SessionNotOnOrAfter

saml saml-2.0
17,119

Solution 1

I cross-posted this question to the SAML-dev mailing list and got an answer from Scott Cantor, who has been an editor on the specifications.

  • The times in the <SubjectConfirmationData> signals for how long time assertion can be tied to the subject. In Web SSO where the subject confirmation method "bearer" is usually used, it means that within this time we can trust that the assertion applies to the one providing the assertion. The assertion might be valid for a longer time, but we must create a session within this time frame. This is described in the Web SSO Profile section 4.1.4.3. The times in <SubjectConfirmationData> must fall within the interval of those in <Conditions>.

  • The times in <Conditions> is the validity of the entire assertion. It should not be consumed after this time. There is nothing preventing a user session on an SP to extend beyond this point in time though.

  • SessionNotOnOrAfter is something completely different that is not directly related to the lifetime of the assertion or the subject. It is a parameter the idp can use to control how long an SP session may be. Please note that this parameter is defined that it SHOULD be handled by an SP according to the SAML2Core spec, but far from all SP implementations do. An example of an implementation that does is as usual Shibboleth, that always will respect the occurence of this parameter. When using Single Logout, this parameter is more critical, as it synchronizes the timeout of the session on both the SP and the Idp, to ensure that an SP does not issue a logout request for a session no longer known to the Idp.

Solution 2

In my opinion, only the authors of Saml2 specification can clearly answer this question. I also guess they can write a 10000-page book to explain about many "why" questions about the spec that people have asked for years. Anyway, based on my limited knowledge and on the use cases I have experienced with, my interpretation of those properties is:

Let's look at an example:

  1. SSO: An SP receives an assertion from an IdP and log the user on.
  2. Bootstrap token: The SP saves the assertion as a bootstrap token for later use.
  3. The SP uses the bootstrap token to exchange for an ActAs token so that it can be used to access another web service. It will also cache the token for further uses to avoid having to exchange a new token often, as long as that token is still valid.

For (1), an assertion is valid when and only when both SubjectConfirmationData.NotOnOrAfter and Conditions.NotOnOrAfter are valid. Since the assertion is valid, the SP will create a login session for the user. How long the session should be is specified by the SessionNotOnOrAfter value.

How about 3? I would say the token is considered valid when Conditions.NotOnOrAfter is still valid. According to Scott Cantor: "Processing rules are specific to profiles and the context of use." Source: https://lists.internet2.edu/sympa/arc/mace-opensaml-users/2011-05/msg00007.html In that link they also discussed about the lifetimes of Subject and Conditions in which Conditions usually has longer lifetime than that of the Subject.

Share:
17,119

Related videos on Youtube

Anders Abel
Author by

Anders Abel

I'm an independent consultant at in Stockholm, Sweden. My core competence is as a technical specialist within development and system architecture. In my heart I am, and probably will remain, a programmer. I still think programming is tremendously fun, more than 20 years after I first tried it. That's why my blog is named Passion for Coding. As a consultant I am specialised in Identity and Access Management and particularly in SAML2 on ASP.NET. Email: anders [at] abel [dot] nu.

Updated on June 28, 2022

Comments

  • Anders Abel
    Anders Abel about 2 years

    In the SAML2 specification there are several places in an assertion where it is possible to specify a lifetime.

    • The <SubjectConfirmationData> element contains a NotOnOrAfter attribute.
    • The <Conditions> element contains a NotOnOrAfter attribute.
    • The <AuthnStatement> element contains a SessionNotOnOrAfter attribute.

    What is the meaning of each of them? How do they relate to each other?

    Specifically, which of them must be checked when...

    • ... consuming an incoming Saml2Response using Web SSO
    • ... establishing an application session in the SP
    • ... refreshing (extending) an application session in the SP
    • ... forwarding an assertion to a web service, to act on behalf of the subject (as described by @Thuan)
    • ... issuing a single logout request to the idp, to ensure that the idp still knows of the session?

    Each of the NotOnOrAfters are described in the SAML2 core specification. I've included the parts that I can find that describes these attributes here.

    SubjectConfirmationData/@NotOnOrAfter

    A time instant at which the subject can no longer be confirmed. The time value is encoded in UTC, as described in Section 1.3.3.

    Note that the time period specified by the optional NotBefore and NotOnOrAfter attributes, if present, SHOULD fall within the overall assertion validity period as specified by the element's NotBefore and NotOnOrAfter attributes. If both attributes are present, the value for NotBefore MUST be less than (earlier than) the value for NotOnOrAfter.

    Conditions/@NotOnOrAfter

    Specifies the time instant at which the assertion has expired. The time value is encoded in UTC, as described in Section 1.3.3.

    The NotBefore and NotOnOrAfter attributes specify time limits on the validity of the assertion within the context of its profile(s) of use. They do not guarantee that the statements in the assertion will be correct or accurate throughout the validity period. The NotBefore attribute specifies the time instant at which the validity interval begins. The NotOnOrAfter attribute specifies the time instant at which the validity interval has ended. If the value for either NotBefore or NotOnOrAfter is omitted, then it is considered unspecified. If the NotBefore attribute is unspecified (and if all other conditions that are supplied evaluate to Valid), then the assertion is Valid with respect to conditions at any time before the time instant specified by the NotOnOrAfter attribute. If the NotOnOrAfter attribute is unspecified (and if all other conditions that are supplied evaluate to Valid), the assertion is Valid with respect to conditions from the time instant specified by the NotBefore attribute with no expiry. If neither attribute is specified (and if any other conditions that are supplied evaluate to Valid), the assertion is Valid with respect to conditions at any time.

    If both attributes are present, the value for NotBefore MUST be less than (earlier than) the value for NotOnOrAfter.

    AuthnStatement/@SessionNotOnOrAfter

    Indicates an upper bound on sessions with the subject derived from the enclosing assertion. The time value is encoded in UTC, as described in Section 1.3.3. There is no required relationship between this attribute and a NotOnOrAfter condition attribute that may be present in the assertion. It's left to profiles to provide specific processing rules for relying parties based on this attribute.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Keycloak "Unexpected error when handling authentication request to identity provider"
SAML LogOutRequest processing failed on ADFS server
SimpleSamlPhp as SP redirects incorrectly
What is the point of OpenSAML? Any alternative?
What is the correct format for SAML 2.0 Assertions?
InvalidNameIDPolicy working with ADFS
AADSTS700016: Application with identifier 'some_id' was not found in the directory 'some_another_id'
Logging into SAML/Shibboleth authenticated server using python
What to present at SAML EntityID URL?
Working with SAML 2.0 in C# .NET 4.5