diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
index f8caeff157..59f2585596 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -861,7 +861,8 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
 validator) {
 @Nonnull
 @Override
- protected ValidationResult validateBasicData(@Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException {
+ protected ValidationResult validateBasicData(@Nonnull Assertion assertion,
+ @Nonnull ValidationContext context) throws AssertionValidationException {
 return ValidationResult.VALID;
 }
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
index 7e69febfc8..abe4a4549a 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
@@ -847,6 +847,20 @@ public class OpenSaml4AuthenticationProviderTests {
 provider.authenticate(token);
 }
+ // gh-15022
+ @Test
+ public void authenticateWhenClockSkewThenVerifiesSignature() {
+ OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
+ provider.setAssertionValidator(OpenSaml4AuthenticationProvider.createDefaultAssertionValidatorWithParameters(
+ (params) -> params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, Duration.ofMinutes(10))));
+ Response response = response();
+ Assertion assertion = assertion();
+ assertion.setIssueInstant(Instant.now().plus(Duration.ofMinutes(9)));
+ response.getAssertions().add(assertion);
+ Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
+ provider.authenticate(token);
+ }
+
 private T build(QName qName) {
 return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
 }
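Review bot: The new test `authenticateWhenClockSkewThenVerifiesSignature` passes simply by not throwing, so it pins only the accept side: a signed response issued 9 minutes ahead under a 10-minute `CLOCK_SKEW`. Neither the signature check named in its title nor the upper bound of the skew is covered. Because the production hunk shows `validateBasicData` returning `ValidationResult.VALID` unconditionally, a companion case with `assertion.setIssueInstant(Instant.now().plus(Duration.ofMinutes(11)));` and an explicitly asserted outcome would show whether an issue instant beyond the configured skew is still rejected elsewhere in the validation chain; that cannot be told from these hunks. A second negative case that runs the same parameterised validator against a response without a valid signature and expects `Saml2AuthenticationException` would back the test name. A short comment beside `// gh-15022` stating what regressed would also make the intent readable without opening the issue.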