keycloak/keycloak
View on GitHubSAML broker: Assertions without a Conditions element are accepted unconditionally
Open
#48,878 opened on May 11, 2026
area/identity-brokeringhelp wantedkind/weaknesspriority/normalstatus/auto-bumpteam/core-iam
Repository metrics
- Stars
- (34,398 stars)
- PR merge metrics
- (Avg merge 6d 19h) (384 merged PRs in 30d)
Description
Area
SAML
Describe the bug
Admins can not enforce NotBefore and NotOnOrAfter for SAML Identity Providers
Acknowledgement
Thank you to Jason from the TossLab of the University of Toronto who reported this. This was triaged to be a hardening.
Version
26.6.x
Expected behavior
For new providers, the setting should be enabled be default to enforce NotBefore and NotOnOrAfter for assertions.
Actual behavior
Keycloak does not enforce it.
How to Reproduce?
See the code and reproducer provided by Jason
This issue was originally tracked in the private repository. Migrated by @ahus1.