Support "notBefore" constraint in issued SAML assertions
Description
Activity
Krzysztof April 29, 2024 at 11:16 AM
QA #2: +1
Roman Krysiński April 28, 2024 at 4:33 PM
RK QA: +1
Roman Krysiński April 21, 2024 at 2:36 PM
@Piotr Piernik I’m not sure if this is connected w/ below, but on our local instance, when you set notBefore it is not possible to log in via SAML. Steps to reproduce:
Start local env w/ clean db so defaults are provisioned
Go to home UI, log in via “Unity SAML HTTPRedirect”, and associate with admin entity “a”
Log in to home UI via Unity SAML HTTPRedirect, note you are successfully logged in
In Console, change the saml-idp configuration and check notBefore as true
Log in to home UI via Unity SAML HTTPRedirect; the user is not logged in, sees an error, and the following exception appears in the log:
2024-04-21T16:32:49,383 [qtp1244536402-44] [Home] [] [] [0:0:0:0:0:0:0:1] INFO unity.server.saml.SAMLResponseVerificator: SAML response verification or processing failed
pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.
at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.validate(SAMLResponseValidatorUtil.java:99) ~[classes/:?]
at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:72) ~[classes/:?]
at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.getRemotelyAuthenticatedInput(SAMLResponseVerificator.java:119) ~[classes/:?]
at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.verifySAMLResponse(SAMLResponseVerificator.java:89) ~[classes/:?]
at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.processResponse(SAMLResponseVerificator.java:76) ~[classes/:?]
at pl.edu.icm.unity.saml.sp.SAMLVerificator.processResponse(SAMLVerificator.java:234) ~[classes/:?]
at pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState.processAnswer(RedirectedAuthnState.java:99) [classes/:?]
at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponseInProductionMode(RemoteAuthnResponseProcessorImpl.java:62) [classes/:?]
at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponse(RemoteAuthnResponseProcessorImpl.java:52) [classes/:?]
at pl.edu.icm.unity.webui.authn.remote.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:78) [classes/:?]
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) [jetty-servlet-10.0.18.jar:10.0.18]
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) [jetty-servlet-10.0.18.jar:10.0.18]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) [jetty-servlet-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) [jetty-servlet-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) [jetty-server-10.0.18.jar:10.0.18]
at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:68) [classes/:?]
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:301) [jetty-rewrite-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.Server.handle(Server.java:563) [jetty-server-10.0.18.jar:10.0.18]
at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:195) [classes/:?]
at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287) [jetty-server-10.0.18.jar:10.0.18]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) [jetty-io-10.0.18.jar:10.0.18]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) [jetty-io-10.0.18.jar:10.0.18]
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558) [jetty-io-10.0.18.jar:10.0.18]
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379) [jetty-io-10.0.18.jar:10.0.18]
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146) [jetty-io-10.0.18.jar:10.0.18]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) [jetty-io-10.0.18.jar:10.0.18]
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) [jetty-io-10.0.18.jar:10.0.18]
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421) [jetty-util-10.0.18.jar:10.0.18]
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390) [jetty-util-10.0.18.jar:10.0.18]
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277) [jetty-util-10.0.18.jar:10.0.18]
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199) [jetty-util-10.0.18.jar:10.0.18]
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411) [jetty-util-10.0.18.jar:10.0.18]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969) [jetty-util-10.0.18.jar:10.0.18]
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194) [jetty-util-10.0.18.jar:10.0.18]
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149) [jetty-util-10.0.18.jar:10.0.18]
at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: eu.unicore.samly2.exceptions.SAMLValidationException: Authentication assertion(s) was found, but it was not correct wrt SSO profile: [assertion SAMLY2lib_assert_68f9ef3fb93b5f215d4f942a449b6d13125da0c07ee0132: Bearer subject confirmation must not have notBefore defined]
at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:126) ~[samly2-2.7.1.jar:?]
at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.validate(SAMLResponseValidatorUtil.java:89) ~[classes/:?]
... 52 more
Roman Krysiński April 20, 2024 at 10:38 AM
RK QA:
When the option is enabled, attribute introspection throws:
2024-04-20T12:34:22,754 [qtp265096845-40] [Attribute Introspection] [] [] [0:0:0:0:0:0:0:1] ERROR unity.server.web.UnityUIBase: UI code got an unchecked and not handled properly exception: java.lang.IllegalStateException: Unknown remote user
java.lang.IllegalStateException: Unknown remote user
at io.imunity.attr.introspection.AttrIntrospectionUI.showResult(AttrIntrospectionUI.java:146) ~[classes/:?]
at io.imunity.attr.introspection.AttrIntrospectionUI.loadInitialState(AttrIntrospectionUI.java:107) ~[classes/:?]
at io.imunity.attr.introspection.AttrIntrospectionUI.appInit(AttrIntrospectionUI.java:97) ~[classes/:?]
at pl.edu.icm.unity.webui.UnityUIBase.init(UnityUIBase.java:80) ~[classes/:?]
at com.vaadin.ui.UI.doInit(UI.java:771) ~[vaadin-server-8.14.3.jar:8.14.3]
at com.vaadin.server.communication.UIInitHandler.getBrowserDetailsUI(UIInitHandler.java:218) [vaadin-server-8.14.3.jar:8.14.3]
at com.vaadin.server.communication.UIInitHandler.synchronizedHandleRequest(UIInitHandler.java:76) [vaadin-server-8.14.3.jar:8.14.3]
at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:40) [vaadin-server-8.14.3.jar:8.14.3]
at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1637) [vaadin-server-8.14.3.jar:8.14.3]
at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:464) [vaadin-server-8.14.3.jar:8.14.3]
Krzysztof April 15, 2024 at 4:03 PM
QA:
As the effect of this work, Assertion → Conditions → NotBefore is set. This is fine. However, please also set the attribute (to the same value) in Assertion → Subject → SubjectConfirmation → SubjectConfirmationData.
As we are already setting NotOnOrAfter in the SubjectConfirmationData, please also set this value in the assertion Conditions (always).
The SAML assertion may contain a “notBefore” constraint.
Add an option to the SAML IdP that enables sending of the notBefore constraint. Caption in Console: “Send notBefore constraint”
This setting should be:
OFF by default on new endpoints
OFF for all migrated old endpoints
When enabled, the value shall be the same timestamp as the one set as the assertion’s issue time.
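The NotBefore rule in the description (Conditions/@NotBefore equal to IssueInstant) and the bearer-confirmation rejection in Roman's samly2 trace, as an added example that is not Unity or samly2 code: an SP-side time-constraint check in Python over a constructed assertion. The issuer URL, subject "a", the 60-second clock skew and the 5-minute validity window are assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
FMT = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in UTC; fractional seconds omitted in the sample

def _ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def check_assertion_times(xml_text, now, skew=timedelta(seconds=60)):
    """Return the list of time-constraint violations (empty means acceptable)."""
    root = ET.fromstring(xml_text)
    problems = []
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            problems.append("Conditions/@NotBefore is in the future")
        if noa and now - skew >= _ts(noa):
            problems.append("Conditions/@NotOnOrAfter has passed")
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # only bearer confirmations are constrained by the SSO profile
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("NotOnOrAfter") is None:
            problems.append("Bearer SubjectConfirmationData must carry NotOnOrAfter")
        elif data.get("NotBefore") is not None:
            # Web SSO profile forbids NotBefore on bearer SubjectConfirmationData (the samly2 rejection)
            problems.append("Bearer subject confirmation must not have NotBefore defined")
        elif now - skew >= _ts(data.get("NotOnOrAfter")):
            problems.append("Bearer SubjectConfirmationData/@NotOnOrAfter has passed")
    return problems

def build_assertion(issue_instant, conditions_not_before=True, scd_not_before=False):
    """Constructed sample assertion (issuer and subject are made-up values)."""
    ii, later = issue_instant.strftime(FMT), (issue_instant + timedelta(minutes=5)).strftime(FMT)
    cond_nb = f' NotBefore="{ii}"' if conditions_not_before else ""  # NotBefore == IssueInstant
    scd_nb = f' NotBefore="{ii}"' if scd_not_before else ""  # the variant the QA comment asked for
    return f'''<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_1" Version="2.0" IssueInstant="{ii}">
  <saml:Issuer>https://idp.example.test/saml-idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>a</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData NotOnOrAfter="{later}"{scd_nb}/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions{cond_nb} NotOnOrAfter="{later}"/>
</saml:Assertion>'''
```

Running the check with `scd_not_before=True` reproduces the "must not have notBefore defined" rejection, while NotBefore on Conditions alone passes.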