Red Hat Keycloak
cpe:2.3:a:redhat:jboss_keycloak:*:*:*:*:*:*:*
A vulnerability exists in Keycloak's SAML brokering feature. When Keycloak acts as a client in a SAML configuration, it does not properly validate the 'NotOnOrAfter' timestamp in the 'SubjectConfirmationData'. This oversight allows an attacker to prolong the validity of SAML responses, potentially leading to longer-than-expected session times or increased resource usage.
Exploitation of this vulnerability could result in extended session durations or higher resource consumption.
To reproduce this vulnerability, configure Keycloak to act as a SAML client. When a SAML response is received, the 'NotOnOrAfter' timestamp in the 'SubjectConfirmationData' will not be validated. This can be observed by sending a SAML response with a 'NotOnOrAfter' timestamp that is deliberately set to a later time, allowing the response to be considered valid for a longer period than intended.
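The check the advisory describes as missing, written as an added Python example (standard library only) that is not Keycloak's code: it parses a constructed bearer assertion and rejects it when the SubjectConfirmationData carries no NotOnOrAfter or when that instant has already passed, tolerating a small clock skew. The IdP and broker endpoint URLs, the sample NameID and the 60-second skew are assumptions, and signature verification is assumed to happen before this check.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def build_assertion(not_on_or_after):
    """Constructed sample assertion (not from a real IdP); pass None to omit
    NotOnOrAfter. Signature verification is assumed done before this check."""
    attr = f' NotOnOrAfter="{not_on_or_after}"' if not_on_or_after else ""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData{attr}
        Recipient="https://sp.example.test/broker/saml/endpoint"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def parse_saml_instant(value):
    """SAML instants are UTC with a 'Z' suffix, which older fromisoformat rejects."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML instant without timezone: " + value)
    return parsed.astimezone(timezone.utc)

def check_subject_confirmation(assertion_xml, now, clock_skew_seconds=60):
    """Return (accepted, reason); `now` is a datetime or a SAML instant string.
    Bearer confirmations must carry NotOnOrAfter and are dead once now reaches it."""
    if isinstance(now, str):
        now = parse_saml_instant(now)
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(assertion_xml)
    bearer = [c for c in root.findall(".//saml:SubjectConfirmation", SAML_NS)
              if c.get("Method") == BEARER]
    if not bearer:
        return False, "no bearer SubjectConfirmation present"
    for conf in bearer:
        data = conf.find("saml:SubjectConfirmationData", SAML_NS)
        if data is None or data.get("NotOnOrAfter") is None:
            return False, "bearer SubjectConfirmationData lacks NotOnOrAfter"
        limit = parse_saml_instant(data.get("NotOnOrAfter"))
        if now - skew >= limit:
            return False, "expired: NotOnOrAfter=" + data.get("NotOnOrAfter")
    return True, "bearer confirmation is within its validity window"
```

A broker that skips this check, as the advisory describes, would accept the same assertion at 12:10 as it does at 12:00; with the check in place the result flips to rejected the moment the skew window past NotOnOrAfter closes.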