Configuration of assertion valid to datetime


I'm implementing NemLog-in3 / OIOSAML 3 authentication in my .NET Core web application, with great success so far. I only have this one question about the security token validation, when getting the assertion from the IdP, after authentication.

When I get the assertion from the IdP, it has a SecurityToken in the response, with a validFrom and a validTo DateTime. The difference is +1 hour, but in the OIOSAML3 test documentation, it says to "invalidate" the assertion and that your SP should reject the user from logging in after 5 minutes.

Do you know if it's possible to configure the securityToken valid period (set it to 5 minutes), perhaps when initiating the SAML authentication? I know I could just check the validTo and add 5 minutes to it, but I'd rather have it working dynamically, with the validTo property, if possible.

1


5
Anders Revsgaard (BEST ANSWER)

The Conditions element's NotBefore and NotOnOrAfter are valid for an hour, which is correct. The 5-minute login restriction should have been in the SubjectConfirmation element's NotOnOrAfter. It looks like an error in NemLog-in3?

NemLog-in3 SAML 2.0 authn response:

<Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="https://saml.itfoxtecidentitysaml2-public-dev.sample">
        https://data.gov.dk/model/core/eid/professional/uuid/8e190635-4a9c-4748-91ed-24895f809647
    </NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_29a72131-ab30-4429-b083-b18db2d6160e" NotOnOrAfter="2021-09-08T13:22:32.062Z" Recipient="https://localhost:44310/Auth/AssertionConsumerService"/>
    </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2021-09-08T12:22:31.843Z" NotOnOrAfter="2021-09-08T13:22:31.843Z">
    <AudienceRestriction>
        <Audience>
            https://saml.itfoxtecidentitysaml2-public-dev.sample
        </Audience>
    </AudienceRestriction>
</Conditions>
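As an added illustration of the answer's point (example code written here, not from the question, ITfoxtec or NemLog-in3): a service provider validating a bearer assertion has to check the Conditions window and the SubjectConfirmationData window independently, so the short login window is enforced from SubjectConfirmationData even when Conditions allows a full hour. The sample assertion, request id and ACS URL below are constructed, and the 30-second clock skew is an assumed value.

```python
# Added example: validate the two separate validity windows of a SAML 2.0
# bearer assertion (Conditions and SubjectConfirmationData) plus the
# InResponseTo / Recipient binding. Not code from NemLog-in3 or ITfoxtec.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample with the answer's layout; the SubjectConfirmationData
# window is 5 minutes, the Conditions window one hour.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req-1" NotOnOrAfter="2021-09-08T12:27:32.062Z"
          Recipient="https://sp.example/Auth/AssertionConsumerService"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-09-08T12:22:31.843Z" NotOnOrAfter="2021-09-08T13:22:31.843Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """xsd:dateTime in UTC with a trailing Z, as in the assertion above."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(xml, now, request_id, acs_url, skew=timedelta(seconds=30)):
    """Return the reasons to reject the assertion; an empty list means accept."""
    root = ET.fromstring(xml)
    errors = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["missing Conditions"]
    if now + skew < parse_ts(cond.get("NotBefore")):
        errors.append("Conditions not yet valid")
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        errors.append("Conditions expired")
    scd = root.find("saml:Subject/saml:SubjectConfirmation"
                    "[@Method='urn:oasis:names:tc:SAML:2.0:cm:bearer']"
                    "/saml:SubjectConfirmationData", NS)
    if scd is None:
        return errors + ["no bearer SubjectConfirmationData"]
    # The short login window lives here, not in Conditions: enforce it separately.
    if now - skew >= parse_ts(scd.get("NotOnOrAfter")):
        errors.append("SubjectConfirmationData expired")
    if scd.get("InResponseTo") != request_id:
        errors.append("InResponseTo does not match the request we sent")
    if scd.get("Recipient") != acs_url:
        errors.append("Recipient is not our AssertionConsumerService URL")
    return errors
```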