X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=adfs%2Fadfs.cpp;h=c49ec990bcb22ceaf08d67ee8db3135e1f13938f;hb=ae002d44cc5150b91d16a55761f6c4d505b1cd34;hp=5d89ecb9aef8ddad2eed459b27a556267a5b7884;hpb=96bd105d89afcce497ad751aec0e4e018ccbda59;p=shibboleth%2Fcpp-sp.git
diff --git a/adfs/adfs.cpp b/adfs/adfs.cpp
index 5d89ecb..c49ec99 100644
--- a/adfs/adfs.cpp
+++ b/adfs/adfs.cpp
@@ -658,9 +658,18 @@ void ADFSConsumer::implementProtocol(
 pair authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair(false,0);
 const saml1::AuthenticationStatement* ssoStatement=saml1token->getAuthenticationStatements().front();
- if (authnskew.first && authnskew.second && ssoStatement->getAuthenticationInstant() && (now - ssoStatement->getAuthenticationInstantEpoch() > authnskew.second)) throw FatalProfileException("The gap between now and the time you logged into your identity provider exceeds the limit.");
+ if (ssoStatement->getAuthenticationInstant()) {
+ if (ssoStatement->getAuthenticationInstantEpoch() - XMLToolingConfig::getConfig().clock_skew_secs > now) {
+ throw FatalProfileException("The login time at your identity provider was future-dated.");
+ }
+ else if (authnskew.first && authnskew.second && ssoStatement->getAuthenticationInstantEpoch() <= now && (now - ssoStatement->getAuthenticationInstantEpoch() > authnskew.second)) {
+ throw FatalProfileException("The gap between now and the time you logged into your identity provider exceeds the allowed limit.");
+ }
+ }
+ else if (authnskew.first && authnskew.second) {
+ throw FatalProfileException("Your identity provider did not supply a time of login, violating local policy.");
+ }
 // Address checking.
 saml1::SubjectLocality* locality = ssoStatement->getSubjectLocality();
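Review bot: The future-dated check in the new inner `if` subtracts `clock_skew_secs` from `getAuthenticationInstantEpoch()`, which is a mixed-signedness expression if the epoch is a signed `time_t` and the skew an `unsigned int`; on a platform where `time_t` is 32-bit that promotes the whole left side to unsigned and a small epoch wraps to a huge value that is always `> now`. Hoisting the instant into a local and adding the skew to `now` instead states the intent directly and avoids the subtraction: `const time_t authnInstant = ssoStatement->getAuthenticationInstantEpoch();` then `if (authnInstant > now + static_cast<time_t>(XMLToolingConfig::getConfig().clock_skew_secs)) {` and `else if (authnskew.first && authnskew.second && authnInstant <= now && (now - authnInstant > authnskew.second)) {`. The `<= now` guard in the else-if is not obviously needed after the first branch rejects instants beyond `now + skew`, so it deserves a why-comment such as `// instants in (now, now+skew] are tolerated, not stale; keeps now - instant non-negative before the unsigned compare`. This assumes the epoch accessor returns `time_t`, which should be confirmed against the saml1 header. implementProtocol starts before this hunk and continues after it, and the unguarded `.front()` on the context line above is pre-existing and presumably validated earlier in the function.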