Expected Behavior
This method will create a new ValidationContext with only the CLOCK_SKEW param. But I want a way to override the default validation context and update the clock skew value, because this way I am missing all the other context fields, e.g. saml2.SubjectConfirmation.ValidInResponseTo, which is difficult to generate locally and add to the params.
Current Behavior
    authenticationProvider.setAssertionValidator(OpenSaml4AuthenticationProvider
            .createDefaultAssertionValidator(assertionToken -> {
                Map<String, Object> params = new HashMap<>();
                params.put(CLOCK_SKEW, Duration.ofMinutes(10).toMillis());
                // ... other validation parameters
                return new ValidationContext(params);
            })
    );
With this, you have to create a brand new ValidationContext, and you will need to add all the parameters that were added by Spring yourself.
Context
Basically, I wanted to set the clock skew value but I could not do it, so we created our own validation context. But now, with the Spring upgrade (5.7.3), we need to set the saml2.SubjectConfirmation.ValidInResponseTo param as well, which is not easy to get. So finally we thought to call the private createValidationContext method using reflection and pass the additional params that we need.
Comment From: marcusdacoregio
Hi @babita-verma. Thanks a lot for the report.
This has already been reported in https://github.com/spring-projects/spring-security/issues/11675. I'll close this as a duplicate, but feel free to add your details to the other issue if needed. The other issue's author has volunteered to work on a PR.