This issue is intended to expand on what has already been discussed in #234.

I believe the current default behaviour of this package to enforce the IdP signing certificate's validity window is overly strict.

This is based on reading the OASIS SAML V2.0 Metadata Interoperability Profile v1.0. Specifically, this excerpt:

> In the case of an X.509 certificate, there are no requirements as to the content of the certificate apart from the requirement that it contain the appropriate public key. Specifically, the certificate may be expired, not yet valid, carry critical or non-critical extensions or usage flags, and contain any subject or issuer. The use of the certificate structure is merely a matter of notational convenience to communicate a key and has no semantics in this profile apart from that. However, it is RECOMMENDED that certificates be unexpired.

Recently I switched from a different SAML SP package to this package, and after making the switch several consumers encountered failing SAML requests because their certificate was long expired. The previous package I was utilising did not enforce certificate expiry, but this package did. Oops...

If we were writing this package from scratch (or a v2), personally I would consider making signing certificate expiry validation optional and off by default.

However, given backwards compatibility considerations, making this change retrospectively without a v2 version isn't ok.

Currently, it is possible to permit expired IdP signing certificates by defining a custom `SignatureVerifier` that overrides the Clock behaviour. An example can be found here.

However, I find this approach a little bit "hacky". It would be great if there were first-class support for this, such as an `IgnoreCertificateExpiry` flag that could be set on the `ServiceProvider` struct.

What do you think about this change?
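The separation the issue argues for, verifying the signature against the key the certificate carries while treating the validity window as a separate, switchable policy check, as an added Go example that is not part of the issue or of the library. `VerifySignedMessage`, `NewExpiredSigner`, `Sign` and the `ignoreExpiry` parameter are assumed names standing in for the proposed `IgnoreCertificateExpiry` flag, and the expired certificate is constructed in memory rather than parsed from IdP metadata.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"time"
)

var ErrCertExpired = errors.New("signing certificate outside its validity window")

// VerifySignedMessage checks an ECDSA-P256/SHA-256 signature against the key carried in cert,
// then applies the validity window as a separate policy step that ignoreExpiry (a stand-in for
// the proposed IgnoreCertificateExpiry flag) switches off. The signature check is never relaxed.
func VerifySignedMessage(cert *x509.Certificate, msg, sig []byte, ignoreExpiry bool) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported signing key type")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify against certificate key")
	}
	if now := time.Now(); !ignoreExpiry && (now.Before(cert.NotBefore) || now.After(cert.NotAfter)) {
		return ErrCertExpired
	}
	return nil
}

// NewExpiredSigner returns a constructed in-memory certificate whose validity window ended a
// year ago (a long-expired IdP signing certificate) and its key; only the fields the verifier
// reads are populated, where a real SP would parse the DER from IdP metadata.
func NewExpiredSigner() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert := &x509.Certificate{
		PublicKey: &key.PublicKey,
		NotBefore: time.Now().AddDate(-2, 0, 0),
		NotAfter:  time.Now().AddDate(-1, 0, 0),
	}
	return cert, key, nil
}

// Sign produces the signature VerifySignedMessage expects.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
```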