Env:
OS: Sles12 SP3
Rails: 5.2.6
ruby-saml-1.12.2
In the logs of our SAML-authenticated app I've seen a burst of occurrences of entries such as:
Current time is earlier than NotBefore condition (2021-06-25 08:56 < 2021-06-25 08:56)
In a log covering almost 3 months, I see ~10 instances, all within the space of an hour.
Unfortunately the resolution of the printed timestamps does not include seconds (or ms), so we cannot see the real diffs.
The behaviour seems to match exactly what is described under the Clock Drift heading for this gem, however looking at the code in ruby-saml-1.12.2/lib/onelogin/ruby-saml/response.rb I see:
now = Time.now.utc
if not_before && (now_with_drift = now + allowed_clock_drift) < not_before
  error_msg = "Current time is earlier than NotBefore condition (#{now_with_drift} < #{not_before})"
  ...
This suggests to me that a negative value of :allowed_clock_drift would need to be set in order to avoid failures incurred by small time diffs.
- Improvement suggestion: can the timestamps in the log messages be printed down to ms accuracy?
- Can you confirm an options setting of :allowed_clock_drift => -1.second would be appropriate here?
Thanks,
Stefan
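
The comparison quoted from response.rb in the post above, run against constructed timestamps and formatted to millisecond resolution, for several drift values. This is an added example, not ruby-saml's own code: the helper `not_before_check`, the `drift_table` wrapper, the strftime format and the sample times (an IdP clock 400 ms ahead of the SP) are assumptions made for illustration.

```ruby
# Hypothetical helper mirroring the quoted check: the drift is ADDED to the
# current time before it is compared with the assertion's NotBefore.
def not_before_check(now, not_before, allowed_clock_drift)
  now_with_drift = now + allowed_clock_drift
  unless not_before && now_with_drift < not_before
    return { ok: true, message: nil }
  end

  fmt = '%Y-%m-%d %H:%M:%S.%L' # %L = milliseconds, so sub-second gaps are visible
  { ok: false,
    message: 'Current time is earlier than NotBefore condition ' \
             "(#{now_with_drift.strftime(fmt)} < #{not_before.strftime(fmt)})" }
end

# Constructed sample values: both fall in the same minute (and second),
# so a minute-resolution log line would show identical timestamps.
NOT_BEFORE = Time.utc(2021, 6, 25, 8, 56, 30, 400_000) # 7th argument is microseconds
NOW        = Time.utc(2021, 6, 25, 8, 56, 30, 0)

# Evaluate the check for a negative, zero, too-small and sufficient drift (seconds).
def drift_table
  [-1, 0, 0.2, 1].map { |drift| [drift, not_before_check(NOW, NOT_BEFORE, drift)] }
end

drift_table.each do |drift, result|
  puts format('drift=%5.1fs ok=%-5s %s', drift, result[:ok], result[:message])
end
```

With these sample values only the 1-second drift passes; the negative drift moves the compared time further before NotBefore.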