Add clockSkewTolerance setting

Author: pdavide

advanced_settings_example.php

@@ -81,6 +81,10 @@
         // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
         'wantXMLValidation' => true,
 
+        // The clock skew tolerance (in seconds) for the validation of the
+        // IssueInstant attribute in the received responses.
+        'clockSkewTolerance' => 180,
+
         // If true, SAMLResponses with an empty value at its Destination
         // attribute will not be rejected for this fact.
         'relaxDestinationValidation' => false,

lib/Saml2/Settings.php

@@ -398,6 +398,11 @@ private function _addDefaultValues()
             $this->_security['wantXMLValidation'] = true;
         }
 
+        // Clock skew tolerance
+        if (!isset($this->_security['clockSkewTolerance'])) {
+            $this->_security['clockSkewTolerance'] = 0;
+        }
+
         // SignatureAlgorithm
         if (!isset($this->_security['signatureAlgorithm'])) {
             $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA1;

tests/src/OneLogin/Saml2/SettingsTest.php

@@ -918,6 +918,7 @@ public function testGetSecurityData()
         $this->assertArrayHasKey('wantNameIdEncrypted', $security);
         $this->assertArrayHasKey('requestedAuthnContext', $security);
         $this->assertArrayHasKey('wantXMLValidation', $security);
+        $this->assertArrayHasKey('clockSkewTolerance', $security);
         $this->assertArrayHasKey('wantNameId', $security);
     }