Environment
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Situation
Novell Access Manager setup as a SAML Service Provider (SP) to consume assertions from a
3rd party SAML Identity (IDP) Server using the SAML1 protocol. After the user authenticates to
the SAML1 IDP server, this server generates a SAML1 assertion for the user to send to the SAML
SP so that user single signs on to to the SAML SP. Such a SAML assertion includes a <Conditions>
tag defining a time window the assertion is valid for (NotBefore and
NotOnOrAfter) e.g.
<saml:Conditions NotBefore="2010-11-16T15:13:25Z" NotOnOrAfter="2010-11-16T15:23:25Z">
With Access Manager 3.1.2 IR2, when consuming the assertion from the IDP, the SP accepts it even
though we are a minute outside the scope ie. if it is no longer valid. When sending an expired
SAML message, the SP validation should fail yet it succeeds as long as we are within 5 minutes of
the time defined in the NotOnOrAfter tag. The risk is that user can have access to protected
resources using an expired SAML message.
Resolution
Apply Access Manager 3.1.2 IR3 or greater (3.1.2-345). By default Access Manager SAML1 and SAML2 Service Provider allowed a 5 minute window on the NotOnOrAfter tag.
The 3.1.2 IR3 patch has a web.xml (/opt/novell/nids/lib/webapp/WEB-INF/ directory) parameter that allows you define how long the SAML SP waits after the NotOnOrAfter timestamps expire before deciding whether the assertion is invalid. If we set the SAMLAssertionWindow to be 0, then we expire immediately after the NotOnOrAfter timestamp. If no web.xml entry exists, the default period the assertion is still considered valid by Access Manager will be 5 minutes after the NotOnOrAfter time.
The solution is available for both SAML1 and SAML2 protocols:
a) For SAML1
The 3.1.2 IR3 patch has a web.xml (/opt/novell/nids/lib/webapp/WEB-INF/ directory) parameter that allows you define how long the SAML SP waits after the NotOnOrAfter timestamps expire before deciding whether the assertion is invalid. If we set the SAMLAssertionWindow to be 0, then we expire immediately after the NotOnOrAfter timestamp. If no web.xml entry exists, the default period the assertion is still considered valid by Access Manager will be 5 minutes after the NotOnOrAfter time.
The solution is available for both SAML1 and SAML2 protocols:
a) For SAML1
<context-param>
<param-name>SAMLAssertionWindow</param-name>
<param-value>0</param-value>
</context-param>
b) For SAML2
<context-param>
<param-name>SAML2AssertionWindow</param-name>
<param-value>0</param-value>
</context-param>