Allow logout to succeed if NotOnOrAfter expired. #272

Merged: 1 commit, Oct 17, 2015

Conversation

sergedomk (Contributor)

A pull request I previously submitted inadvertently changed the behavior of do_logout() when the user's session_info was past the not_on_or_after timestamp.

The result was that do_logout() would throw a ToOld exception if either the SessionNotOnOrAfter or NotOnOrAfter on the Assertion had passed.

I've done a bit of digging into the SAML 2.0 spec to find the following "fun" reading information:

2.5.1.2 Attributes NotBefore and NotOnOrAfter

The NotBefore and NotOnOrAfter attributes specify time limits on the validity of the assertion within the context of its profile(s) of use. They do not guarantee that the statements in the assertion will be correct or accurate throughout the validity period.

The NotBefore attribute specifies the time instant at which the validity interval begins. The NotOnOrAfter attribute specifies the time instant at which the validity interval has ended.

If the value for either NotBefore or NotOnOrAfter is omitted, then it is considered unspecified. If the NotBefore attribute is unspecified (and if all other conditions that are supplied evaluate to Valid), then the assertion is Valid with respect to conditions at any time before the time instant specified by the NotOnOrAfter attribute. If the NotOnOrAfter attribute is unspecified (and if all other conditions that are supplied evaluate to Valid), the assertion is Valid with respect to conditions from the time instant specified by the NotBefore attribute with no expiry. If neither attribute is specified (and if any other conditions that are supplied evaluate to Valid), the assertion is Valid with respect to conditions at any time.

If both attributes are present, the value for NotBefore MUST be less than (earlier than) the value for NotOnOrAfter.

and...

SessionNotOnOrAfter [Optional]

Specifies a time instant at which the session between the principal identified by the subject and the SAML authority issuing this statement MUST be considered ended. The time value is encoded in UTC, as described in Section 1.3.3. There is no required relationship between this attribute and a NotOnOrAfter condition attribute that may be present in the assertion.

I'm currently dealing with a situation where I'm getting a very short time period on the NotOnOrAfter and no SessionNotOnOrAfter. Looking on the Internet, there appears to be quite a bit of confusion as to exactly how these attributes should be used and/or related. I'm not sure that the use case I'm dealing with is not valid and as such have opted to submit this pull request to "fix" do_logout() by allowing it to behave the way it did previously with regard to expired sessions.
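The validity rules quoted from section 2.5.1.2 and the logout behaviour this pull request argues for, as an added Python example that is not pysaml2's code. The SessionStore class, the T0/MINUTE instants and the name "alice" used in the checks are constructed for the example; the point it shows is that an expired NotOnOrAfter should stop the assertion being used for access, not stop the session from being ended.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed sample instants used by the checks below.
T0 = datetime(2015, 10, 17, 12, 0, tzinfo=timezone.utc)
MINUTE = timedelta(minutes=1)

@dataclass
class Conditions:
    """Assertion <Conditions>; an omitted attribute means 'unspecified'."""
    not_before: Optional[datetime] = None
    not_on_or_after: Optional[datetime] = None

def assertion_valid_at(cond: Conditions, now: datetime) -> bool:
    """Validity per SAML 2.0 core 2.5.1.2: NotBefore is inclusive,
    NotOnOrAfter is exclusive, and a missing bound imposes no limit."""
    if cond.not_before is not None and cond.not_on_or_after is not None:
        if not cond.not_before < cond.not_on_or_after:
            raise ValueError("NotBefore MUST be earlier than NotOnOrAfter")
    if cond.not_before is not None and now < cond.not_before:
        return False
    if cond.not_on_or_after is not None and now >= cond.not_on_or_after:
        return False
    return True

def session_ended_at(session_noa: Optional[datetime], now: datetime) -> bool:
    """SessionNotOnOrAfter has no required relationship to NotOnOrAfter."""
    return session_noa is not None and now >= session_noa

class SessionStore:
    """Hypothetical SP-side session cache (not pysaml2's own code)."""
    def __init__(self) -> None:
        self._sessions = {}  # name_id -> (Conditions, SessionNotOnOrAfter)

    def add(self, name_id: str, cond: Conditions, session_noa=None) -> None:
        self._sessions[name_id] = (cond, session_noa)

    def authorize(self, name_id: str, now: datetime) -> bool:
        """Serving a request requires both the assertion and session to be live."""
        entry = self._sessions.get(name_id)
        if entry is None:
            return False
        cond, session_noa = entry
        return assertion_valid_at(cond, now) and not session_ended_at(session_noa, now)

    def logout(self, name_id: str) -> bool:
        """Logout drops the session whether or not it has expired; only an
        unknown principal fails, so a lapsed NotOnOrAfter is not an error."""
        return self._sessions.pop(name_id, None) is not None
```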

rohe pushed a commit that referenced this pull request Oct 17, 2015
Allow logout to succeed if NotOnOrAfter expired.
@rohe rohe merged commit 95eff38 into IdentityPython:master Oct 17, 2015
2 participants