
Commit 6646dcb

committed
Compensate clock skew
Allows for a 3-minute clock skew between systems in the notBefore and notAfter attributes. Errata E92, SAML Version 2.0 Errata 05, 01 May 2012, OASIS Approved Errata. http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html
1 parent 4dfa98f commit 6646dcb

1 file changed

+9
-3
lines changed


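--- a/src/OneLogin/Saml/XmlSec.php
+++ b/src/OneLogin/Saml/XmlSec.php
@@ -5,6 +5,12 @@
 */
 class OneLogin_Saml_XmlSec
 {
+/**
+* Acceptable skew between SP and IdP clocks.
+* See SAML Version 2.0 Errata 05, Errata E92
+*/
+const CLOCK_SKEW_SECONDS = 180; // 3 minutes
+
 /**
 * A SamlResponse class provided to the constructor.
 * @var OneLogin_Saml_Settings
@@ -54,10 +60,10 @@ public function validateTimestamps()
 for ($i = 0; $i < $timestampNodes->length; $i++) {
 $nbAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotBefore");
 $naAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotOnOrAfter");
-if ($nbAttribute && strtotime($nbAttribute->textContent) > time()) {
+if ($nbAttribute && strtotime($nbAttribute->textContent) > time() + self::CLOCK_SKEW_SECONDS) {
 return false;
 }
-if ($naAttribute && strtotime($naAttribute->textContent) <= time()) {
+if ($naAttribute && strtotime($naAttribute->textContent) <= time() - self::CLOCK_SKEW_SECONDS) {
 return false;
 }
 }
@@ -106,4 +112,4 @@ public function isValid()
 
 return ($objXMLSecDSig->verify($objKey) === 1);
 }
-}
+}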
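Review bot: A NotBefore value that strtotime() cannot parse is still accepted by the new line 63, because strtotime() returns false on failure and `false > time() + self::CLOCK_SKEW_SECONDS` is a bool comparison that evaluates to false, so the assertion passes the check it should fail; the NotOnOrAfter branch on line 66 only fails closed by the same accident of bool comparison. Both comparisons should capture the parse result and reject on `false` explicitly, and reading time() once keeps the two bounds anchored to the same instant rather than two calls that can straddle a second boundary. The constant itself matches the errata's allowance, though a reader may want a one-line comment on the class constant stating that callers cannot tune it without subclassing, since it is hard-coded rather than taken from OneLogin_Saml_Settings. validateTimestamps() begins and ends outside this hunk, so the surrounding return is not visible here.
```php
for ($i = 0; $i < $timestampNodes->length; $i++) {
    // … unchanged: $nbAttribute / $naAttribute lookups …
    $now = time();
    if ($nbAttribute) {
        $notBefore = strtotime($nbAttribute->textContent);
        // An unparseable NotBefore is a malformed assertion, not an early one: fail closed.
        if ($notBefore === false || $notBefore > $now + self::CLOCK_SKEW_SECONDS) {
            return false;
        }
    }
    if ($naAttribute) {
        $notOnOrAfter = strtotime($naAttribute->textContent);
        if ($notOnOrAfter === false || $notOnOrAfter <= $now - self::CLOCK_SKEW_SECONDS) {
            return false;
        }
    }
}
```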
