Add support to allow for clock skew

Stummi · Stummi · commit 68abf976d24d · 2025-05-16T12:58:16.000+02:00
diff --git a/saml.go b/saml.go
@@ -92,6 +92,8 @@ type SAMLServiceProvider struct {
 
 	signingContextMu sync.RWMutex
 	signingContext   *dsig.SigningContext
+
+	AllowClockSkew time.Duration
 }
 
 // SetSPKeyStore sets the encryption key to be used.
diff --git a/validate.go b/validate.go
@@ -77,7 +77,9 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 		return nil, ErrParsing{Tag: NotBeforeAttr, Value: conditions.NotBefore, Type: "time.RFC3339"}
 	}
 
-	if now.Before(notBefore) {
+	allowedSkew := sp.AllowClockSkew
+
+	if now.Before(notBefore.Add(-allowedSkew)) {
 		warningInfo.InvalidTime = true
 	}
 
@@ -90,7 +92,7 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 		return nil, ErrParsing{Tag: NotOnOrAfterAttr, Value: conditions.NotOnOrAfter, Type: "time.RFC3339"}
 	}
 
-	if now.After(notOnOrAfter) {
+	if now.After(notOnOrAfter.Add(allowedSkew)) {
 		warningInfo.InvalidTime = true
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,8 @@ type SAMLServiceProvider struct {`
`92`	`92`
`93`	`93`	`signingContextMu sync.RWMutex`
`94`	`94`	`signingContext *dsig.SigningContext`
	`95`	`+`
	`96`	`+ AllowClockSkew time.Duration`
`95`	`97`	`}`
`96`	`98`
`97`	`99`	`// SetSPKeyStore sets the encryption key to be used.`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,9 @@ func (sp SAMLServiceProvider) VerifyAssertionConditions(assertion types.Assert`
`77`	`77`	`return nil, ErrParsing{Tag: NotBeforeAttr, Value: conditions.NotBefore, Type: "time.RFC3339"}`
`78`	`78`	`}`
`79`	`79`
`80`		`- if now.Before(notBefore) {`
	`80`	`+ allowedSkew := sp.AllowClockSkew`
	`81`	`+`
	`82`	`+ if now.Before(notBefore.Add(-allowedSkew)) {`
`81`	`83`	`warningInfo.InvalidTime = true`
`82`	`84`	`}`
`83`	`85`
`@@ -90,7 +92,7 @@ func (sp SAMLServiceProvider) VerifyAssertionConditions(assertion types.Assert`
`90`	`92`	`return nil, ErrParsing{Tag: NotOnOrAfterAttr, Value: conditions.NotOnOrAfter, Type: "time.RFC3339"}`
`91`	`93`	`}`
`92`	`94`
`93`		`- if now.After(notOnOrAfter) {`
	`95`	`+ if now.After(notOnOrAfter.Add(allowedSkew)) {`
`94`	`96`	`warningInfo.InvalidTime = true`
`95`	`97`	`}`
`96`	`98`