keycloak/keycloak

SAML broker: Assertions without a Conditions element are accepted unconditionally

Open

#48,878 opened on May 11, 2026

View on GitHub
 (1 comment) (1 reaction) (1 assignee)Java (8,346 forks)batch import
area/identity-brokeringhelp wantedkind/weaknesspriority/normalstatus/auto-bumpteam/core-iam

Repository metrics

Stars
 (34,398 stars)
PR merge metrics
 (Avg merge 6d 19h) (384 merged PRs in 30d)

Description

Area

SAML

Describe the bug

Admins can not enforce NotBefore and NotOnOrAfter for SAML Identity Providers

Acknowledgement

Thank you to Jason from the TossLab of the University of Toronto who reported this. This was triaged to be a hardening.

Version

26.6.x

Expected behavior

For new providers, the setting should be enabled be default to enforce NotBefore and NotOnOrAfter for assertions.

Actual behavior

Keycloak does not enforce it.

How to Reproduce?

See the code and reproducer provided by Jason


This issue was originally tracked in the private repository. Migrated by @ahus1.

Contributor guide