Merge branch '6.3.x'

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java

@@ -861,7 +861,8 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
 					validator) {
 				@Nonnull
 				@Override
-				protected ValidationResult validateBasicData(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException {
+				protected ValidationResult validateBasicData(@Nonnull Assertion assertion,
+						@Nonnull ValidationContext context) throws AssertionValidationException {
 					return ValidationResult.VALID;
 				}
 

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java

@@ -847,6 +847,20 @@ public class OpenSaml4AuthenticationProviderTests {
 		provider.authenticate(token);
 	}
 
+	// gh-15022
+	@Test
+	public void authenticateWhenClockSkewThenVerifiesSignature() {
+		OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
+		provider.setAssertionValidator(OpenSaml4AuthenticationProvider.createDefaultAssertionValidatorWithParameters(
+				(params) -> params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, Duration.ofMinutes(10))));
+		Response response = response();
+		Assertion assertion = assertion();
+		assertion.setIssueInstant(Instant.now().plus(Duration.ofMinutes(9)));
+		response.getAssertions().add(assertion);
+		Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
+		provider.authenticate(token);
+	}
+
 	private <T extends XMLObject> T build(QName qName) {
 		return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
 	}