diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index 9da37d87f..8d2265419 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -60,7 +60,7 @@ sub cstruct {
 . ":samlIDPMetaDataXML:filearea",
 samlIDPMetaDataOptions => {
 _nodes => [
-qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsIsPassive samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP samlIDPMetaDataOptionsAdaptSessionUtime samlIDPMetaDataOptionsSignSSOMessage samlIDPMetaDataOptionsCheckSSOMessageSignature samlIDPMetaDataOptionsSignSLOMessage samlIDPMetaDataOptionsCheckSLOMessageSignature samlIDPMetaDataOptionsRequestedAuthnContext samlIDPMetaDataOptionsForceUTF8 samlIDPMetaDataOptionsEncryptionMode)
+qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsIsPassive samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP samlIDPMetaDataOptionsAdaptSessionUtime samlIDPMetaDataOptionsSignSSOMessage samlIDPMetaDataOptionsCheckSSOMessageSignature samlIDPMetaDataOptionsSignSLOMessage samlIDPMetaDataOptionsCheckSLOMessageSignature samlIDPMetaDataOptionsRequestedAuthnContext samlIDPMetaDataOptionsForceUTF8 samlIDPMetaDataOptionsEncryptionMode samlIDPMetaDataOptionsCheckConditions)
 ],
 samlIDPMetaDataOptionsNameIDFormat =>
 "text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat"
@@ -98,6 +98,8 @@ sub cstruct {
 "bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsForceUTF8",
 samlIDPMetaDataOptionsEncryptionMode =>
 "text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsEncryptionMode:default:encryptionModeParams",
+ samlIDPMetaDataOptionsCheckConditions =>
+"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsCheckConditions",
 },
 }
 }
@@ -1295,6 +1297,7 @@ sub defaultConf {
 samlIDPMetaDataOptionsRequestedAuthnContext => '',
 samlIDPMetaDataOptionsForceUTF8 => '0',
 samlIDPMetaDataOptionsEncryptionMode => 'none',
+ samlIDPMetaDataOptionsCheckConditions => '1',
 samlSPMetaDataOptionsNameIDFormat => '',
 samlSPMetaDataOptionsOneTimeUse => '0',
 samlSPMetaDataOptionsSignSSOMessage => '1',
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
index 770eafb09..11427186b 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@@ -247,6 +247,7 @@ sub en {
 'Requested authentication context',
 samlIDPMetaDataOptionsForceUTF8 => 'Force UTF-8',
 samlIDPMetaDataOptionsEncryptionMode => 'Encryption mode',
+ samlIDPMetaDataOptionsCheckConditions => 'Check conditions',
 samlSPMetaDataNode => 'SAML service providers',
 samlSPMetaDataXML => 'Metadata',
 samlSPMetaDataExportedAttributes => 'Exported attributes',
@@ -515,6 +516,7 @@ sub fr {
 'Contexte d\'authentification demandé',
 samlIDPMetaDataOptionsForceUTF8 => 'Forcer l\'UTF-8',
 samlIDPMetaDataOptionsEncryptionMode => 'Mode de chiffrement',
+ samlIDPMetaDataOptionsCheckConditions => 'Vérifier les conditions',
 samlSPMetaDataNode => 'Fournisseurs de service SAML',
 samlSPMetaDataXML => 'Metadonnées',
 samlSPMetaDataExportedAttributes => 'Attributs exportés',
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
index 9a1b3f308..e903a58bf 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm @@ -180,9 +180,16 @@ sub extractFormInfo { return PE_ERROR; } + # Do we check conditions? + my $checkConditions = + $self->{samlIDPMetaDataOptions}->{$idpConfKey} + ->{samlIDPMetaDataOptionsCheckConditions}; + # Check conditions - time and audience - unless ( - $self->validateConditions( $assertion, $self->{samlEntityID} ) ) + if ( $checkConditions + and + !$self->validateConditions( $assertion, $self->{samlEntityID} ) + ) { $self->lmLog( "Conditions not validated", 'error' ); return PE_ERROR; diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm index 4f1ce6f61..c38b64d84 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm @@ -2106,8 +2106,8 @@ sub timestamp2samldate { sub samldate2timestamp { my ( $self, $samldate ) = splice @_; - my ( $year, $mon, $mday, $hour, $min, $sec, $ztime ) = - ( $samldate =~ /(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(Z)?/ ); + my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) = + ( $samldate =~ /(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z)?/ ); my $timestamp = timegm( $sec, $min, $hour, $mday, $mon - 1, $year - 1900, 0 );
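Review bot: `$checkConditions` is read straight from `$self->{samlIDPMetaDataOptions}->{$idpConfKey}` and an absent key yields undef, so for any IDP entry stored before this option existed the new `if ( $checkConditions and ... )` guard skips validateConditions entirely and the assertion's time window and audience go unchecked. The `'1'` added to defaultConf in _Struct.pm only reaches entries the Manager fills from defaults, not configurations already on disk. Treat undef as enabled, `$checkConditions = 1 unless defined $checkConditions;`, and leave a trace when the check is deliberately off, e.g. `$self->lmLog( "SAML conditions check disabled for $idpConfKey", 'warn' );` (use whatever level lmLog accepts in this file). extractFormInfo continues on both sides of the hunk.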
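Review bot: The widened pattern in samldate2timestamp is still unanchored and discards what it captures in `$msec` and `$ztime`, so a date carrying a numeric offset instead of `Z` is read as UTC, and a value that does not match at all leaves `$year` through `$sec` undef and passes them straight into `timegm`. Because this result feeds the Conditions time check, a non-matching date should fail closed rather than produce whatever timegm makes of undefined arguments: add `return unless defined $year;` after the match (the callers are outside the hunk; confirm they treat an undef return as invalid). If the fractional seconds are never used, `(?:\.\d+)?` avoids the unused capture variable. The rest of samldate2timestamp lies outside the hunk.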