- const vector<AuthenticationStatement*>& statements = const_cast<const saml1::Assertion*>(*a)->getAuthenticationStatements();
- for (vector<AuthenticationStatement*>::const_iterator s = statements.begin(); s!=statements.end(); ++s) {
- if (authnskew.first && authnskew.second &&
- (*s)->getAuthenticationInstant() && (now - (*s)->getAuthenticationInstantEpoch() > authnskew.second))
- contextualError = "The gap between now and the time you logged into your identity provider exceeds the limit.";
+ const vector<AuthenticationStatement*>& statements =
+ const_cast<const saml1::Assertion&>(*a).getAuthenticationStatements();
+ for (indirect_iterator<vector<AuthenticationStatement*>::const_iterator> s = make_indirect_iterator(statements.begin());
+ s != make_indirect_iterator(statements.end()); ++s) {
+ if (s->getAuthenticationInstant() &&
+ s->getAuthenticationInstantEpoch() - XMLToolingConfig::getConfig().clock_skew_secs > now) {
+ contextualError = "The login time at your identity provider was future-dated.";
+ }
+ else if (authnskew.first && authnskew.second && s->getAuthenticationInstant() &&
+ s->getAuthenticationInstantEpoch() <= now && (now - s->getAuthenticationInstantEpoch() > authnskew.second)) {
+ contextualError = "The gap between now and the time you logged into your identity provider exceeds the allowed limit.";
+ }
+ else if (authnskew.first && authnskew.second && s->getAuthenticationInstant() == nullptr) {
+ contextualError = "Your identity provider did not supply a time of login, violating local policy.";
+ }