I am using the Generate SAML assertion OOB policy and would like to place a NotOnOrAfter attribute on the Conditions and SubjectConfirmationData nodes. I tried to use the saml.authnSnooa (AuthnStatement SessionNotOnOrAfter) attribute, as documented at SAML Assertion policy.
I am receiving an error message when using this variable:
"Unresolved variable : saml.authnSnooa"
I suspect this is because we are running under v 4.16.01.02.
What are others using to determine the NotOnOrAfter value? Are you using JavaScript to generate a value in the future, or is there another variable that is not documented that I do not know about? Is there a link to old version documentation?
I know this variable isn't likely the best one to use, but I wanted to use something that I could configure/override if necessary.
I think the documentation may be unclear in this case. From my understanding, the saml.authnSnooa variable is SET when using ValidateSAMLAssertion. But from your description you are trying to Generate a SAML Assertion.
So I think the best approach, for you to specify an expiry "in the future" when generating a SAML Assertion, is to do as you suggested: use JavaScript to generate a value in the future.
The value should look like 2017-03-20T20:29:48Z, or 2017-03-20T13:29:48+07:00
And you can include it by using a Template in the GenerateSAMLAssertion policy, surrounding the variable you set with curly-braces, like this in the template:
<saml:Conditions NotBefore="{mysaml.now}" NotOnOrAfter="{mysaml.expiry}">
For generating strings of that type, I use moment.js in Node.js, but in a JS callout in Apigee Edge, I might use a smaller dateFormat library. Like this one. And you'd use it like this:
// Return a new Date that is h hours after d.
function addHours(d, h) {
  var d1 = new Date();
  d1.setTime(d.getTime() + h * 60 * 60 * 1000);
  return d1;
}
var now = new Date();
var later = addHours(now, 12);
// dateFormat() is provided by the dateFormat library included with the callout.
context.setVariable('mysaml.now', dateFormat(now, "c"));
context.setVariable('mysaml.expiry', dateFormat(later, "c"));
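An added example, not part of the original answer: the same NotBefore/NotOnOrAfter values built in a JS callout without an external date library, with the lifetime read from a flow variable so it can be overridden and capped so a misconfigured value cannot produce a long-lived assertion. The variable name mysaml.lifetimeSeconds, the 300-second default and the 12-hour cap are assumptions made for this sketch.

```javascript
// Added example; mysaml.lifetimeSeconds and both limits below are assumptions.
var DEFAULT_LIFETIME_S = 300;          // used when no valid override is set
var MAX_LIFETIME_S = 12 * 60 * 60;     // upper bound: 12 hours, as in the answer

function pad2(n) {
  return (n < 10 ? '0' : '') + n;
}

// Format a Date as an xs:dateTime in UTC, e.g. 2017-03-20T20:29:48Z.
// Built from getUTC* parts so the result has no milliseconds and no
// dependency on the server's local time zone.
function toXsDateTimeUtc(d) {
  return d.getUTCFullYear() + '-' + pad2(d.getUTCMonth() + 1) + '-' +
    pad2(d.getUTCDate()) + 'T' + pad2(d.getUTCHours()) + ':' +
    pad2(d.getUTCMinutes()) + ':' + pad2(d.getUTCSeconds()) + 'Z';
}

// Compute the validity window for the Conditions element.
// lifetimeSeconds may be a number, a numeric string, null or undefined.
function samlWindow(now, lifetimeSeconds) {
  var n = Number(lifetimeSeconds);
  // Reject missing, non-numeric, fractional, zero or negative overrides.
  if (!isFinite(n) || n <= 0 || Math.floor(n) !== n) {
    n = DEFAULT_LIFETIME_S;
  }
  if (n > MAX_LIFETIME_S) {
    n = MAX_LIFETIME_S;
  }
  return {
    notBefore: toXsDateTimeUtc(now),
    notOnOrAfter: toXsDateTimeUtc(new Date(now.getTime() + n * 1000))
  };
}

// Inside an Apigee JS callout the global `context` object exists; outside it
// (for example when unit-testing under Node.js) this branch is skipped.
if (typeof context !== 'undefined') {
  var w = samlWindow(new Date(), context.getVariable('mysaml.lifetimeSeconds'));
  context.setVariable('mysaml.now', w.notBefore);
  context.setVariable('mysaml.expiry', w.notOnOrAfter);
}
```

The template line shown earlier then picks up {mysaml.now} and {mysaml.expiry} unchanged.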
@Floyd Jones - you might want to review the doc on SAML policies, in light of this question...