The SAMLTokenValidator doesn't verify whether the condition in the SAML token meets the current time.
Yep that sounds good. I would also add a boolean whether to accept client lifetime requests at all (defaults to false).
Agreed. I was first thinking of adding a parameter like "maxLifetime" with a meaningful default (like 1 hour). I thought I didn't want to make too many changes, but it really makes sense.
What do you think?
Looks good apart from the change to DefaultConditionsProvider - the change means that the STS will issue tokens by default with the conditions requested by the client...potentially a security concern. Maybe we could make this behaviour pluggable or something.
Had to add support for the RST lifetime element in DefaultConditionsProvider to create a test case.
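The two behaviours under discussion, as an added example that is not part of this thread and not CXF's own code (CXF is Java; this is a stand-alone Python illustration of the same logic). The validator side rejects an assertion whose `Conditions` window (`NotBefore` / `NotOnOrAfter`) does not contain the current time, with a small clock-skew allowance; the issuer side mirrors the proposed design: a boolean that decides whether client-requested lifetimes are honoured at all (default off) and a `max_lifetime` cap (default 1 hour) so that a client can never obtain a token valid for longer than policy allows. The names `validate_conditions`, `ConditionsProvider`, `compute_validity` and the sample assertion are all constructed for this example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not from any real deployment): a 5-minute validity window.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_example" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml2:Issuer>https://sts.example.test</saml2:Issuer>
  <saml2:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml2:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # treat a naive timestamp as UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def validate_conditions(assertion_xml: str, now: datetime,
                        clock_skew: timedelta = timedelta(seconds=60)):
    """Validator side: check the Conditions time window against `now`.

    Returns (ok, reason). `clock_skew` tolerates small differences between the
    issuer's and the validator's clocks without accepting clearly stale tokens.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML2_NS}}}Conditions")
    if conditions is None:
        # Nothing to enforce here; a stricter policy could reject assertions without Conditions.
        return True, "no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None and now + clock_skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (NotBefore is in the future)"
    if not_on_or_after is not None and now - clock_skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter reached)"
    return True, "conditions satisfied"


class ConditionsProvider:
    """Issuer side: decide the validity window of a token to be issued.

    Mirrors the thread's proposal: client Lifetime requests are ignored unless
    `accept_client_lifetime` is set, and even then are capped at `max_lifetime`.
    """

    def __init__(self, accept_client_lifetime: bool = False,
                 max_lifetime: timedelta = timedelta(hours=1),
                 default_lifetime: timedelta = timedelta(minutes=30)):
        self.accept_client_lifetime = accept_client_lifetime
        self.max_lifetime = max_lifetime
        self.default_lifetime = default_lifetime

    def compute_validity(self, now: datetime, requested_created: datetime = None,
                         requested_expires: datetime = None):
        """Return (not_before, not_on_or_after) for the token being issued."""
        lifetime = self.default_lifetime
        if (self.accept_client_lifetime and requested_created is not None
                and requested_expires is not None):
            requested = requested_expires - requested_created
            if requested > timedelta(0):  # a non-positive request falls back to the default
                lifetime = min(requested, self.max_lifetime)
        # NotBefore is always the issuer's own clock: the client only influences the
        # duration, never the start of the window, so it cannot back-date a token.
        return now, now + lifetime


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T12:10:00Z")
    print(validate_conditions(SAMPLE_ASSERTION, now))          # expired at 12:10
    provider = ConditionsProvider(accept_client_lifetime=True)
    print(provider.compute_validity(now, now, now + timedelta(hours=5)))  # capped to 1 hour
```

The validator check is the one the issue title asks for; the provider shows why the reviewer objected to honouring client conditions by default: without the cap, the requested five-hour window would be issued as-is.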