* The clock drift on the validate_session_expiration test was removing available time instead of padding the test with extra time. Added the padding to SessionNotOnOrAfter instead of Time.now

Author: sthanson

lib/onelogin/ruby-saml/response.rb

@@ -515,7 +515,7 @@ def validate_session_expiration(soft = true)
         return true if session_expires_at.nil?
 
         now = Time.now.utc
-        unless session_expires_at > (now + allowed_clock_drift)
+        unless (session_expires_at + allowed_clock_drift) > now
           error_msg = "The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response"
           return append_error(error_msg)
         end

test/response_test.rb

@@ -630,6 +630,17 @@ class RubySamlTest < Minitest::Test
         assert !response.send(:validate_session_expiration)
         assert_includes response.errors, "The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response"
       end
+      
+      it "returns true when the session has expired, but is still within the allowed_clock_drift" do
+        drift = (Time.now - Time.parse("2010-11-19T21:57:37Z")) * 60 # minutes ago that this assertion expired
+        drift += 10 # add a buffer of 10 minutes to make sure the test passes
+
+        response_with_drift = OneLogin::RubySaml::Response.new(response_document_without_recipient,
+                                                               {allowed_clock_drift: drift})
+        response_with_drift.settings = settings
+        assert response_with_drift.send(:validate_session_expiration)
+        assert_empty response_with_drift.errors
+      end
     end
 
     describe "#validate_signature" do