Possibility to configure sessionNotOnOrAfter (#737)

11 years ago · 757ac6f15d
parent 4d08c6aef4
commit 757ac6f15d
4 changed files with 28 additions and 11 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SubAttributes.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SubAttributes.pm
@ -214,6 +214,13 @@ has 'samlSPMetaDataOptionsOneTimeUse' => (
    documentation => 'SAML SP option one time use',
 );

+has 'samlSPMetaDataOptionsSessionNotOnOrAfterTimeout' => (
+    is            => 'rw',
+    isa           => 'Int',
+    default       => '72000',
+    documentation => 'SAML SP option sessionNotOnOrAfter timeout',
+);
+
 has 'samlSPMetaDataOptionsSignSLOMessage' => (
    is            => 'rw',
    isa           => 'Bool',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@ -11,7 +11,7 @@ use Lemonldap::NG::Common::Conf::Attributes;
 use Lemonldap::NG::Common::Conf::SubAttributes;
 use Lemonldap::NG::Common::Regexp;

-our $VERSION = '1.4.0';
+our $VERSION = '1.4.1';

 ## @method protected hashref cstruct(hashref h,string k)
 # Merge $h with the structure produced with $k and return it.
@ -203,7 +203,7 @@ sub cstruct {

                        samlSPMetaDataOptionsAuthnResponse => {
                            _nodes => [
-                                qw(samlSPMetaDataOptionsNameIDFormat samlSPMetaDataOptionsNameIDSessionKey samlSPMetaDataOptionsOneTimeUse)
+                                qw(samlSPMetaDataOptionsNameIDFormat samlSPMetaDataOptionsNameIDSessionKey samlSPMetaDataOptionsOneTimeUse samlSPMetaDataOptionsSessionNotOnOrAfterTimeout)
                            ],

                            samlSPMetaDataOptionsNameIDFormat =>
@ -213,6 +213,8 @@ sub cstruct {
 "text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsNameIDSessionKey",
                            samlSPMetaDataOptionsOneTimeUse =>
 "bool:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsOneTimeUse",
+                            samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
+"int:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",
                        },

                        samlSPMetaDataOptionsSignature => {
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@ -476,13 +476,15 @@ sub en {
        samlSPMetaDataOptionsEnableIDPInitiatedURL =>
          'Enable use of IDP initiated URL',
        samlSPMetaDataOptionsNameIDSessionKey => 'Force NameID session key',
-        samlServiceMetaData                   => 'SAML 2 Service',
-        samlEntityID                          => 'Entity Identifier',
-        samlOrganization                      => 'Organization',
-        samlOrganizationDisplayName           => 'Display Name',
-        samlOrganizationName                  => 'Name',
-        samlOrganizationURL                   => 'URL',
-        samlSPSSODescriptor                   => 'Service Provider',
+        samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
+          'sessionNotOnOrAfter duration',
+        samlServiceMetaData         => 'SAML 2 Service',
+        samlEntityID                => 'Entity Identifier',
+        samlOrganization            => 'Organization',
+        samlOrganizationDisplayName => 'Display Name',
+        samlOrganizationName        => 'Name',
+        samlOrganizationURL         => 'URL',
+        samlSPSSODescriptor         => 'Service Provider',
        samlSPSSODescriptorAuthnRequestsSigned =>
          'Signed Authentication Request',
        samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
@ -988,6 +990,8 @@ sub fr {
          "Autoriser l'utilisation d'URL SSO initié par l'IDP",
        samlSPMetaDataOptionsNameIDSessionKey =>
          "Forcer la clé de session NameID",
+        samlSPMetaDataOptionsSessionNotOnOrAfterTimeout =>
+          'Durée sessionNotOnOrAfter',
        samlServiceMetaData         => 'Service SAML 2',
        samlEntityID                => 'Identifiant d\'entité',
        samlOrganization            => 'Organisation',
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@ -11,7 +11,7 @@ use Lemonldap::NG::Portal::Simple;
 use Lemonldap::NG::Portal::_SAML;
 our @ISA = qw(Lemonldap::NG::Portal::_SAML);

-our $VERSION = '1.4.0';
+our $VERSION = '1.4.1';

 ## @method void issuerDBInit()
 # Load and check SAML configuration
@ -1708,7 +1708,11 @@ sub issuerForAuthUser {
                'debug' );

            # Set SessionNotOnOrAfter
-            my $timeout             = $time + $self->{timeout};
+            my $sessionNotOnOrAfterTimeout =
+              $self->{samlSPMetaDataOptions}->{$spConfKey}
+              ->{samlSPMetaDataOptionsSessionNotOnOrAfterTimeout};
+            $sessionNotOnOrAfterTimeout ||= $self->{timeout};
+            my $timeout             = $time + $sessionNotOnOrAfterTimeout;
            my $sessionNotOnOrAfter = $self->timestamp2samldate($timeout);
            $authn_statements[0]->SessionNotOnOrAfter($sessionNotOnOrAfter);