The SAMLTokenValidator doesn't verify whether the condition in the SAML token meets the current time.
Had to add support for the RST lifetime element in DefaultConditionsProvider to create a test case.
Looks good apart from the change to DefaultConditionsProvider - the change means that the STS will issue tokens by default with the conditions requested by the client...potentially a security concern. Maybe we could make this behaviour pluggable or something.
Agreed. I was first thinking of adding a parameter like "maxLifetime" with a meaningful default like 1 hour. I thought I didn't want to make too many changes, but it really makes sense.
What do you think?
Yep that sounds good. I would also add a boolean whether to accept client lifetime requests at all (defaults to false).
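As an added illustration of the two policies discussed in this thread (it is not CXF code; the class, method and parameter names are assumptions), the validator-side check that a token's Conditions window covers the current time, and the issuer-side rule that only honours a client-requested lifetime when that is enabled and never beyond a configured maximum:

```java
import java.time.Duration;
import java.time.Instant;

// Illustrative only: names below are assumptions, not CXF's API.
public final class SamlLifetimePolicy {

    /** Validator side: does the Conditions window (NotBefore / NotOnOrAfter) cover "now"? */
    public static boolean conditionsValidNow(Instant notBefore, Instant notOnOrAfter,
                                             Instant now, Duration clockSkew) {
        // Not yet valid: even allowing for skew, "now" is still before NotBefore.
        if (notBefore != null && now.plus(clockSkew).isBefore(notBefore)) {
            return false;
        }
        // Expired: NotOnOrAfter is exclusive, so "now" (minus skew) must be strictly before it.
        if (notOnOrAfter != null && !now.minus(clockSkew).isBefore(notOnOrAfter)) {
            return false;
        }
        return true;
    }

    /** Issuer side: lifetime to put in a newly issued token. */
    public static Duration effectiveLifetime(Duration requested, Duration defaultLifetime,
                                             Duration maxLifetime, boolean acceptClientLifetime) {
        // Client lifetime requests are ignored unless explicitly enabled (the safe default).
        if (!acceptClientLifetime || requested == null) {
            return defaultLifetime;
        }
        if (requested.isNegative() || requested.isZero()) {
            throw new IllegalArgumentException("requested lifetime must be positive");
        }
        // Never exceed the configured maximum, whatever the client asked for.
        return requested.compareTo(maxLifetime) > 0 ? maxLifetime : requested;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z");   // constructed sample time
        Duration skew = Duration.ofMinutes(5);
        // Constructed token whose window ended an hour ago: must be rejected.
        System.out.println("expired token accepted? " + conditionsValidNow(
                now.minus(Duration.ofHours(2)), now.minus(Duration.ofHours(1)), now, skew));
        // Client asks for 8 hours with a 1 hour cap, requests enabled: capped at the maximum.
        System.out.println("capped lifetime: " + effectiveLifetime(
                Duration.ofHours(8), Duration.ofMinutes(30), Duration.ofHours(1), true));
        // Same request with client lifetimes disabled: the STS default wins.
        System.out.println("default lifetime: " + effectiveLifetime(
                Duration.ofHours(8), Duration.ofMinutes(30), Duration.ofHours(1), false));
    }
}
```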