Commit 83dd3da4 authored by Clément OUDOT

Possibility to configure subjectConfirmation notOnOrAfter (#LEMONLDAP-737)

git-svn-id: svn://svn.forge.objectweb.org/svnroot/lemonldap/branches/lemonldap-ng_version_1_4-bugfixes@3506 1dbb9719-a921-0410-b57f-c3a383c2c641
parent b616c73d
......@@ -207,6 +207,13 @@ has 'samlSPMetaDataOptionsNameIDFormat' => (
documentation => 'SAML SP option NameID format',
);
has 'samlSPMetaDataOptionsNotOnOrAfterTimeout' => (
is => 'rw',
isa => 'Int',
default => '72000',
documentation => 'SAML SP option notOnOrAfter timeout',
);
has 'samlSPMetaDataOptionsOneTimeUse' => (
is => 'rw',
isa => 'Bool',
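Review bot: The new attribute does not state its unit or a lower bound: the value is added to a Unix timestamp in buildAssertion (`$time + $notOnOrAfterTimeout`), so it is seconds, and `isa => 'Int'` still accepts zero and negative values although a negative value places the assertion's notOnOrAfter before its issue instant. I would add a comment above the `has` line: `# Seconds added to the assertion's issue time to compute notOnOrAfter; must be a positive integer (a negative value yields an already-expired assertion)`. As a point of style, the default is written as the string `'72000'` for an Int attribute; `default => 72000` states the type directly, although a quoted numeric string passes the Int constraint as well.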
......
......@@ -203,7 +203,7 @@ sub cstruct {
samlSPMetaDataOptionsAuthnResponse => {
_nodes => [
qw(samlSPMetaDataOptionsNameIDFormat samlSPMetaDataOptionsNameIDSessionKey samlSPMetaDataOptionsOneTimeUse samlSPMetaDataOptionsSessionNotOnOrAfterTimeout)
qw(samlSPMetaDataOptionsNameIDFormat samlSPMetaDataOptionsNameIDSessionKey samlSPMetaDataOptionsOneTimeUse samlSPMetaDataOptionsSessionNotOnOrAfterTimeout samlSPMetaDataOptionsNotOnOrAfterTimeout)
],
samlSPMetaDataOptionsNameIDFormat =>
......@@ -215,6 +215,8 @@ sub cstruct {
"bool:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsOneTimeUse",
samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
"int:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",
samlSPMetaDataOptionsNotOnOrAfterTimeout =>
"int:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsNotOnOrAfterTimeout",
},
samlSPMetaDataOptionsSignature => {
......
......@@ -478,13 +478,14 @@ sub en {
samlSPMetaDataOptionsNameIDSessionKey => 'Force NameID session key',
samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
'sessionNotOnOrAfter duration',
samlServiceMetaData => 'SAML 2 Service',
samlEntityID => 'Entity Identifier',
samlOrganization => 'Organization',
samlOrganizationDisplayName => 'Display Name',
samlOrganizationName => 'Name',
samlOrganizationURL => 'URL',
samlSPSSODescriptor => 'Service Provider',
samlSPMetaDataOptionsNotOnOrAfterTimeout => 'notOnOrAfter duration',
samlServiceMetaData => 'SAML 2 Service',
samlEntityID => 'Entity Identifier',
samlOrganization => 'Organization',
samlOrganizationDisplayName => 'Display Name',
samlOrganizationName => 'Name',
samlOrganizationURL => 'URL',
samlSPSSODescriptor => 'Service Provider',
samlSPSSODescriptorAuthnRequestsSigned =>
'Signed Authentication Request',
samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
......@@ -992,13 +993,14 @@ sub fr {
"Forcer la clé de session NameID",
samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
'Durée sessionNotOnOrAfter',
samlServiceMetaData => 'Service SAML 2',
samlEntityID => 'Identifiant d\'entité',
samlOrganization => 'Organisation',
samlOrganizationDisplayName => 'Nom affiché',
samlOrganizationName => 'Nom',
samlOrganizationURL => 'URL',
samlSPSSODescriptor => 'Fournisseur de service',
samlSPMetaDataOptionsNotOnOrAfterTimeout => 'Durée notOnOrAfter',
samlServiceMetaData => 'Service SAML 2',
samlEntityID => 'Identifiant d\'entité',
samlOrganization => 'Organisation',
samlOrganizationDisplayName => 'Nom affiché',
samlOrganizationName => 'Nom',
samlOrganizationURL => 'URL',
samlSPSSODescriptor => 'Fournisseur de service',
samlSPSSODescriptorAuthnRequestsSigned =>
'Requêtes d\'authentification signées',
samlSPSSODescriptorWantAssertionsSigned =>
......
......@@ -1478,8 +1478,18 @@ sub issuerForAuthUser {
$self->lmLog( "Authentication context is $authn_context", 'debug' );
# Get SP options notOnOrAfterTimeout
my $notOnOrAfterTimeout =
$self->{samlSPMetaDataOptions}->{$spConfKey}
->{samlSPMetaDataOptionsNotOnOrAfterTimeout};
# Build Assertion
unless ( $self->buildAssertion( $login, $authn_context ) ) {
unless (
$self->buildAssertion(
$login, $authn_context, $notOnOrAfterTimeout
)
)
{
$self->lmLog( "Unable to build assertion", 'error' );
return PE_SAML_SSO_ERROR;
}
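Review bot: The per-SP value read from `samlSPMetaDataOptions` is forwarded without being logged, so a misconfigured assertion validity window for one SP is hard to diagnose from the portal log; the existing debug line for the authentication context suggests the same treatment here, e.g. `$self->lmLog( "notOnOrAfter timeout for $spConfKey: " . ( defined $notOnOrAfterTimeout ? $notOnOrAfterTimeout : 'default' ), 'debug' );`. A comment on the lookup would also help, since an SP configured before this option existed yields undef here and relies on the `||=` fallback inside buildAssertion: `# undef/0 falls back to the global timeout in buildAssertion`. issuerForAuthUser starts and ends outside the hunk.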
......
......@@ -22,7 +22,7 @@ use URI; # Get metadata URL path
#inherits Lemonldap::NG::Common::Conf::SAML::Metadata protected service_metadata
our @ISA = (qw(Lemonldap::NG::Portal::_Browser));
our $VERSION = '1.4.0';
our $VERSION = '1.4.1';
our $samlCache;
our $initGlibDone;
......@@ -1056,17 +1056,19 @@ sub buildArtifactMsg {
return $self->checkLassoError($@);
}
## @method boolean buildAssertion(Lasso::Login login, string authn_context)
## @method boolean buildAssertion(Lasso::Login login, string authn_context, int notOnOrAfterTimeout)
# Build assertion
# @param login Lasso::Login object
# @param authn_context SAML2 authentication context
# @param notOnOrAfterTimeout Timeout to apply to notOnOrAfter
# @return boolean result
sub buildAssertion {
my ( $self, $login, $authn_context ) = splice @_;
my ( $self, $login, $authn_context, $notOnOrAfterTimeout ) = splice @_;
$notOnOrAfterTimeout ||= $self->{timeout};
# Dates
my $time = $self->{sessionInfo}->{_utime} || time();
my $timeout = $time + $self->{timeout};
my $timeout = $time + $notOnOrAfterTimeout;
my $authenticationInstant = $self->timestamp2samldate($time);
my $reauthenticateOnOrAfter = $self->timestamp2samldate($timeout);
my $notBefore = $authenticationInstant;
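Review bot: The new fallback `$notOnOrAfterTimeout ||= $self->{timeout};` only replaces undef, empty or zero, so a negative per-SP value reaches `$time + $notOnOrAfterTimeout` and yields a notOnOrAfter before the issue instant, and a non-numeric string is treated as 0 under `+`; I would make the guard `$notOnOrAfterTimeout = $self->{timeout} unless defined $notOnOrAfterTimeout and $notOnOrAfterTimeout =~ /^\d+$/ and $notOnOrAfterTimeout > 0;`. The `@param notOnOrAfterTimeout` line should also say that `$timeout` feeds `$reauthenticateOnOrAfter` on the following line, so the per-SP option shifts that date too, not only notOnOrAfter; anything else derived from `$timeout` is outside the hunk. buildAssertion continues past the hunk.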
......