[keycloak-user] Configuring keycloak SAML adapter on tomcat with clockSkew

Peter Skopek pskopek at redhat.com
Mon Nov 13 07:33:17 EST 2017


Hi Elias,
looks like the configuration option is missing.
Can you create a JIRA issue [1] for this, please?

Thanks,
Peter
[1] https://issues.jboss.org/projects/KEYCLOAK/summary


On Wed, Nov 8, 2017 at 5:09 PM Elias Glareff <glareff at gmail.com> wrote:

> Hello,
>
> I am trying to track down the information whether it is possible to set the
> clockSkew in the keycloak tomcat adapter.
> The problem is that Identity Provider is some time ahead of the Service
> Provider, so whenever the SAML response arrives, the NotBefore time is
> ahead of the SP clock, so the response is considered expired on arrival.
> This is a known problem, described in
>
> https://medium.com/@PrakhashS/saml-assertion-condition-notbefore-notonorafter-problem-due-to-unsynced-clocks-explained-90455bc8822f
> .
>
>
> In the keycloak source code in AssertionUtil there is a method hasExpired
> to which you can provide a clockSkew variable which would remedy this
> problem. The issue is that I see absolutely no place where I could let the
> keycloak SAML adapter on the service provider know that I want to use a
> clock skew and set its value.
>
> The only configuration from my side I see is the keycloak-saml.xml in the
> WEB-INF folder of the application, but in the documentation for this
> configuration it does not mention any possibility to set the clock skew.
>
> Kindly share your knowledge on this issue if you can help.
>
> Thanks,
> Elias
>
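A worked version of the NotBefore/NotOnOrAfter check Elias describes, with the clock skew tolerance applied the way a hasExpired(clockSkew)-style check would apply it. This is an added example in plain Python, not Keycloak's AssertionUtil or adapter code; the assertion, the 30 second IdP/SP clock offset and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: the IdP's clock runs 30 s ahead of the SP, so it
# stamps NotBefore = 16:09:30 while the SP's own clock still reads 16:09:00.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2017-11-08T16:09:30Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2017-11-08T16:09:30Z"
                   NotOnOrAfter="2017-11-08T16:14:30Z"/>
</saml:Assertion>"""
SP_NOW = datetime(2017, 11, 8, 16, 9, 0, tzinfo=timezone.utc)

def parse_saml_instant(value):
    """SAML instants are xsd:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML instant: {value!r}")

def conditions_valid(assertion_xml, now, clock_skew_seconds=0):
    """True if `now` falls inside [NotBefore, NotOnOrAfter), with the window
    widened by clock_skew_seconds at both ends. Skew 0 is the strict check."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return True  # no <Conditions>: the assertion carries no validity window
    skew = timedelta(seconds=clock_skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_instant(not_before):
        return False  # NotBefore is still in the SP's future: IdP clock is ahead
    if not_on_or_after and now - skew >= parse_saml_instant(not_on_or_after):
        return False  # already at or past NotOnOrAfter, even allowing for skew
    return True

if __name__ == "__main__":
    print(conditions_valid(ASSERTION, SP_NOW))      # False: rejected on arrival
    print(conditions_valid(ASSERTION, SP_NOW, 60))  # True: 60 s tolerance absorbs the 30 s offset
```

The tolerance also stretches the NotOnOrAfter end of the window, so every second of skew you allow is a second longer that a captured assertion stays replayable; keep it to the smallest value that covers the observed drift and fix the clocks with NTP where you can.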
