
Access Manager SAML Service Provider accepting SAML assertions that have recently expired

This document (7007213) is provided subject to the disclaimer at the end of this document.

Environment

Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server

Situation

Novell Access Manager is set up as a SAML Service Provider (SP) to consume assertions from a
3rd party SAML Identity Provider (IDP) using the SAML1 protocol. After the user authenticates to
the SAML1 IDP, the IDP generates a SAML1 assertion that the user's browser carries to the SAML
SP so that the user is single signed on to the SAML SP. Such a SAML assertion includes a <Conditions>
element defining the time window the assertion is valid for (NotBefore and
NotOnOrAfter), e.g.

<saml:Conditions NotBefore="2010-11-16T15:13:25Z" NotOnOrAfter="2010-11-16T15:23:25Z">

With Access Manager 3.1.2 IR2, when consuming the assertion from the IDP, the SP accepts it even
when the current time is a minute past NotOnOrAfter, i.e. when the assertion is no longer valid. When an expired
SAML message is sent, the SP validation should fail, yet it succeeds as long as the current time is within 5 minutes of
the time defined in the NotOnOrAfter attribute. The risk is that a user can gain access to protected
resources using an expired SAML assertion: the grace period extends the lifetime the IDP chose for the
assertion, and with it the window in which a captured assertion can still be presented to the SP.

Resolution

Apply Access Manager 3.1.2 IR3 or later (build 3.1.2-345). Before this patch, the Access Manager SAML1 and SAML2 Service Provider always allowed a fixed 5 minute grace window after the NotOnOrAfter time, with no way to change it.

3.1.2 IR3 adds a web.xml context parameter (web.xml lives in the /opt/novell/nids/lib/webapp/WEB-INF/ directory) that defines how long the SAML SP keeps accepting an assertion after its NotOnOrAfter timestamp before treating it as invalid. Setting the SAMLAssertionWindow to 0 expires the assertion immediately at the NotOnOrAfter timestamp. If no web.xml entry exists, the default is unchanged: Access Manager still considers the assertion valid for 5 minutes after the NotOnOrAfter time, so installing the patch alone does not close the gap; the parameter has to be added explicitly. With the window set to 0, clock drift between the IDP and the Identity Server will cause otherwise valid assertions to be rejected, so keep both sides synchronised (NTP) rather than widening the window again.

The solution is available for both SAML1 and SAML2 protocols:

a)  For SAML1
<context-param>
<param-name>SAMLAssertionWindow</param-name>
<param-value>0</param-value>
</context-param>

b) For SAML2

<context-param>
<param-name>SAML2AssertionWindow</param-name>
<param-value>0</param-value>
</context-param>
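To make the two behaviours described above concrete, here is an added example (written for this page, not Access Manager code) that performs the <Conditions> time check on the assertion quoted in the Situation section with a configurable post-expiry grace window. The window argument models the SAMLAssertionWindow / SAML2AssertionWindow parameter; that its value is in seconds is an assumption, since the TID does not state the unit. Running it shows an assertion one minute past NotOnOrAfter being accepted with the default 5 minute window and rejected with the window set to 0.

```python
"""Model of the SAML <Conditions> time check with a post-expiry grace window.

Added example, not Access Manager code. assertion_window_seconds models the
SAMLAssertionWindow / SAML2AssertionWindow web.xml parameter; treating the
value as seconds is an assumption (the TID does not state the unit).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion; the Conditions element copies the one quoted in the TID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2010-11-16T15:13:25Z" NotOnOrAfter="2010-11-16T15:23:25Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC (trailing 'Z') into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with trailing 'Z': %r" % value)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def conditions_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from <Conditions>; either may be None if absent."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("{%s}Conditions" % SAML1_NS)
    if cond is None:
        raise ValueError("assertion carries no <Conditions> element")
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    return (parse_saml_time(not_before) if not_before else None,
            parse_saml_time(not_on_or_after) if not_on_or_after else None)


def assertion_in_window(assertion_xml, now, assertion_window_seconds):
    """True if `now` lies inside the Conditions window extended by the grace window.

    NotOnOrAfter is exclusive: an assertion is already invalid at exactly that instant.
    assertion_window_seconds=300 reproduces the default 5 minute grace period;
    0 rejects the assertion at NotOnOrAfter, which is what the TID recommends.
    """
    not_before, not_on_or_after = conditions_window(assertion_xml)
    if not_before is not None and now < not_before:
        return False
    if not_on_or_after is not None:
        grace = timedelta(seconds=assertion_window_seconds)
        if now >= not_on_or_after + grace:
            return False
    return True


def check_at(now_utc, assertion_window_seconds, assertion_xml=SAMPLE_ASSERTION):
    """Evaluate an assertion at a UTC timestamp string such as '2010-11-16T15:24:25Z'."""
    return assertion_in_window(assertion_xml, parse_saml_time(now_utc),
                               assertion_window_seconds)


if __name__ == "__main__":
    # One minute past NotOnOrAfter: accepted with the default window, rejected with 0.
    for window in (300, 0):
        print("window=%3ds  one minute past NotOnOrAfter -> %s"
              % (window, check_at("2010-11-16T15:24:25Z", window)))
```

In a real SP this check runs only after the assertion's XML signature has been verified, and the XML should be parsed with a hardened parser (for example defusedxml in Python) rather than the stock ElementTree used here for brevity.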

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7007213
  • Creation Date:16-NOV-10
  • Modified Date:26-APR-12
    • NetIQAccess Manager (NAM)
