[keycloak-user] Configuring keycloak SAML adapter on tomcat with clockSkew

Elias Glareff glareff at gmail.com
Wed Nov 8 09:47:06 EST 2017


Hello,

I am trying to track down the information whether it is possible to set the
clockSkew in the keycloak tomcat adapter.
The problem is that Identity Provider is some time ahead of the Service
Provider, so whenever the SAML response arrives, the NotBefore time is
ahead of the SP clock, so the response is considered expired on arrival.
This is a known problem, described in
https://medium.com/@PrakhashS/saml-assertion-condition-notbefore-notonorafter-problem-due-to-unsynced-clocks-explained-90455bc8822f.


In the keycloak source code in AssertionUtil there is a method hasExpired
to which you can provide a clockSkew variable which would remedy this
problem. The issue is that I see absolutely no place where I could let the
keycloak SAML adapter on the service provider know that I want to use a
clock skew and set its value.

The only configuration from my side I see is the keycloak-saml.xml in the
WEB-INF folder of the application, but in the documentation for this
configuration it does not mention any possibility to set the clock skew.

Kindly share your knowledge on this issue if you can help.

Thanks,
Elias


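To make the clock-skew problem concrete, here is an added Python example (not Keycloak's own code, and not the tomcat adapter's configuration) that reimplements the idea behind a `hasExpired`-style check with a `clockSkew` tolerance: it reads the `NotBefore` / `NotOnOrAfter` attributes from a SAML `<Conditions>` element and accepts the assertion only if the SP's current time falls inside that window once the allowed skew is applied on both edges. The assertion fragment, the issuer URL and the timestamps are constructed for the example, and the function names are hypothetical.

```python
"""Validity-window check for a SAML assertion with clock-skew tolerance.

Added illustration of the concept; it is not Keycloak's AssertionUtil and
makes no claim about the adapter's configuration file.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the IdP issued this at 14:47:30Z. An SP whose clock is
# 90 seconds behind (14:46:00Z) sees NotBefore in the future on arrival.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2017-11-08T14:47:30Z">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <saml:Conditions NotBefore="2017-11-08T14:47:30Z"
                   NotOnOrAfter="2017-11-08T14:52:30Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime as used in SAML ('...Z' or explicit offset) to an aware datetime."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        # SAML timestamps are UTC; treat a missing zone as UTC rather than local time.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def conditions_window(assertion_xml):
    """Return (not_before, not_on_or_after) from <Conditions>; either may be None."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return None, None
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    return (
        parse_saml_instant(not_before) if not_before else None,
        parse_saml_instant(not_on_or_after) if not_on_or_after else None,
    )


def has_expired(assertion_xml, now, clock_skew=timedelta(0)):
    """True if `now` (the SP clock) is outside the assertion's validity window.

    `clock_skew` widens the window on both sides: an assertion whose NotBefore
    is up to `clock_skew` in the future, or whose NotOnOrAfter passed less than
    `clock_skew` ago, is still accepted. With the default of zero, the check is
    strict and an IdP clock ahead of the SP rejects every fresh assertion.
    """
    not_before, not_on_or_after = conditions_window(assertion_xml)
    if not_before is not None and now + clock_skew < not_before:
        return True  # not yet valid from the SP's point of view
    if not_on_or_after is not None and now - clock_skew >= not_on_or_after:
        return True  # validity period is over (NotOnOrAfter is exclusive)
    return False


if __name__ == "__main__":
    sp_now = datetime(2017, 11, 8, 14, 46, 0, tzinfo=timezone.utc)  # 90 s behind the IdP
    print("strict:", has_expired(SAMPLE_ASSERTION, sp_now))
    print("skew 120 s:", has_expired(SAMPLE_ASSERTION, sp_now, timedelta(seconds=120)))
```

The skew value is a trade-off: every second of tolerance also extends how long a replayed assertion stays within its window, so it should be just large enough to cover the observed clock offset, and keeping the IdP and SP synchronised via NTP remains the primary fix.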