SAML Assertion Policy - saml.authnSnooa - unresolved variable


I am using the Generate SAML assertion OOB policy and would like to place a NotOnOrAfter attribute on the Conditions and SubjectConfirmationData nodes and tried to use the saml.authnSnooa (AuthnStatement SessionNotOnOrAfter) attribute as documented at SAML Assertion policy.

I am receiving an error message when using this variable:
"Unresolved variable : saml.authnSnooa"

I suspect this is because we are running under v 4.16.01.02.

What are others using to determine the NotOnOrAfter value? Are you using JavaScript to generate a value in the future, or is there another variable that is not documented that I do not know about? Is there a link to old version documentation?

I know this variable isn't likely the best one to use, but I wanted to use something that I could configure/override if necessary.

ACCEPTED SOLUTION

I think the documentation may be unclear in this case. From my understanding, the saml.authnSnooa variable is SET when using ValidateSAMLAssertion. But from your description you are trying to Generate a SAML Assertion.

So I think the best approach, for you to specify an expiry "in the future" when generating a SAML Assertion, is to do as you suggested: use JavaScript to generate a value in the future.

The value should look like 2017-03-20T20:29:48Z, or 2017-03-20T13:29:48+07:00

And you can include it by using a Template in the GenerateSAMLAssertion policy, surrounding the variable you set with curly-braces, like this in the template:

        <saml:Conditions NotBefore="{mysaml.now}" 
                   NotOnOrAfter="{mysaml.expiry}">

For generating strings of that type, I use moment.js in nodejs, but in a JS callout in Apigee Edge, I might use a smaller dateFormat library. Like this one. And you'd use it like this:

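// Return a new Date that is h hours after d.
function addHours(d,h) {
  var d1 = new Date();
  d1.setTime(d.getTime() + h * 60 * 60 * 1000);
  return d1;
}
var now = new Date();
var later = addHours(now, 12); // expiry 12 hours from now
// dateFormat() comes from the date-format library included with the JS callout;
// the resulting variables are referenced in the policy template as
// {mysaml.now} and {mysaml.expiry}.
context.setVariable('mysaml.now', dateFormat(now,"c"));
context.setVariable('mysaml.expiry', dateFormat(later,"c"));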


@Floyd Jones - you might want to review the doc on SAML policies, in light of this question...
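
An added example, not part of the original posts: a library-free version of the timestamp generation suggested in the accepted answer, producing the 2017-03-20T20:29:48Z form for {mysaml.now} and {mysaml.expiry}, together with the check a relying party applies (NotBefore <= t < NotOnOrAfter). The function names and the 300-second lifetime and 30-second clock-skew values are assumptions chosen for illustration, not Apigee defaults.

```javascript
// Added example: helper names and the lifetime/skew values are hypothetical.
function pad2(n) { return (n < 10 ? '0' : '') + n; }

// Format a Date as a UTC xs:dateTime without milliseconds,
// e.g. 2017-03-20T20:29:48Z (fractional seconds are truncated).
function samlTimestamp(d) {
  return d.getUTCFullYear() + '-' + pad2(d.getUTCMonth() + 1) + '-' +
    pad2(d.getUTCDate()) + 'T' + pad2(d.getUTCHours()) + ':' +
    pad2(d.getUTCMinutes()) + ':' + pad2(d.getUTCSeconds()) + 'Z';
}

// Build the validity window: NotBefore is backdated by skewSeconds to
// tolerate clock drift, NotOnOrAfter is lifetimeSeconds after 'now'.
function samlWindow(now, lifetimeSeconds, skewSeconds) {
  if (!(lifetimeSeconds > 0) || !(skewSeconds >= 0)) {
    throw new Error('lifetime must be > 0 and skew must be >= 0');
  }
  var notBefore = new Date(now.getTime() - skewSeconds * 1000);
  var notOnOrAfter = new Date(now.getTime() + lifetimeSeconds * 1000);
  return { now: samlTimestamp(notBefore), expiry: samlTimestamp(notOnOrAfter) };
}

// Relying-party view of the window: valid when NotBefore <= t < NotOnOrAfter.
// The upper bound is exclusive, which is what "NotOnOrAfter" means.
function isWithinWindow(win, t) {
  var ms = t.getTime();
  return ms >= Date.parse(win.now) && ms < Date.parse(win.expiry);
}

// Inside an Apigee JS callout 'context' exists; elsewhere this is skipped.
if (typeof context !== 'undefined') {
  var win = samlWindow(new Date(), 300, 30); // assumed: 5 min lifetime, 30 s skew
  context.setVariable('mysaml.now', win.now);
  context.setVariable('mysaml.expiry', win.expiry);
}
```

A shorter lifetime narrows the period in which a captured assertion would still be accepted, so the window is best sized to the actual delivery time plus expected clock drift.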