Do not set the NotBefore in the SubjectConfirmation, the spec indicates this element should not contain this attribute.

robotdan · robotdan · commit 7958489320ab · 2021-05-13T09:39:25.000-06:00
#4 (comment) FusionAuth/fusionauth-issues#1215
diff --git a/build.savant b/build.savant
@@ -15,7 +15,7 @@
  */
 savantVersion = "1.0.0"
 
-project(group: "io.fusionauth", name: "fusionauth-samlv2", version: "0.5.6", licenses: ["ApacheV2_0"]) {
+project(group: "io.fusionauth", name: "fusionauth-samlv2", version: "0.5.7", licenses: ["ApacheV2_0"]) {
   workflow {
     standard()
   }
diff --git a/src/main/java/io/fusionauth/samlv2/domain/SubjectConfirmation.java b/src/main/java/io/fusionauth/samlv2/domain/SubjectConfirmation.java
@@ -27,8 +27,6 @@ public class SubjectConfirmation {
 
   public ConfirmationMethod method;
 
-  public ZonedDateTime notBefore;
-
   public ZonedDateTime notOnOrAfter;
 
   public String recipient;
diff --git a/src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java b/src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java
@@ -209,7 +209,8 @@ public String buildAuthnResponse(AuthenticationResponse response, boolean sign,
         if (response.assertion.subject.subjectConfirmation != null) {
           SubjectConfirmationDataType dataType = new SubjectConfirmationDataType();
           dataType.setInResponseTo(response.assertion.subject.subjectConfirmation.inResponseTo);
-          dataType.setNotBefore(toXMLGregorianCalendar(response.assertion.subject.subjectConfirmation.notBefore));
+          // SAML Profiles 4.1.4.2 <Response> Usage
+          // - Subject Confirmation MUST NOT contain NotBefore.
           dataType.setNotOnOrAfter(toXMLGregorianCalendar(response.assertion.subject.subjectConfirmation.notOnOrAfter));
           dataType.setRecipient(response.assertion.subject.subjectConfirmation.recipient);
           SubjectConfirmationType subjectConfirmationType = new SubjectConfirmationType();
@@ -829,7 +830,6 @@ private SubjectConfirmation parseConfirmation(SubjectConfirmationType subjectCon
     if (data != null) {
       subjectConfirmation.address = data.getAddress();
       subjectConfirmation.inResponseTo = data.getInResponseTo();
-      subjectConfirmation.notBefore = toZonedDateTime(data.getNotBefore());
       subjectConfirmation.notOnOrAfter = toZonedDateTime(data.getNotOnOrAfter());
       subjectConfirmation.recipient = data.getRecipient();
     }

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@`
`15`	`15`	`*/`
`16`	`16`	`savantVersion = "1.0.0"`
`17`	`17`
`18`		`-project(group: "io.fusionauth", name: "fusionauth-samlv2", version: "0.5.6", licenses: ["ApacheV2_0"]) {`
	`18`	`+project(group: "io.fusionauth", name: "fusionauth-samlv2", version: "0.5.7", licenses: ["ApacheV2_0"]) {`
`19`	`19`	`workflow {`
`20`	`20`	`standard()`
`21`	`21`	`}`