Hi,
I suggest enabling debug logging on org.keycloak.saml.validators. If it really
turns out to be a clock sync issue, then feel free to add yourself as a
watcher [1] or even submit a PR. It would need to be a similar config option
to the one implemented for the OIDC identity provider in [2].
Thanks,
--Hynek
[1] https://issues.jboss.org/browse/KEYCLOAK-10884
[2] https://github.com/keycloak/keycloak/commit/3bef6d5066ffc8323736a2a49c83d...
On Fri, Aug 16, 2019 at 11:28 AM gambol <gambol99(a)gmail.com> wrote:
Hiya
Was wondering if anyone else has come across this error before. After
upgrading to v4.8.0, users are complaining about intermittent login failures
via the federated IDP:
09:14:46,188 INFO [org.keycloak.saml.validators.ConditionsValidator]
(default task-434) Assertion _cc9a97f8-2a30-49e8-bca5-8eefcd49d592 expired.
09:14:46,188 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
task-434) Assertion expired.
09:14:46,188 WARN [org.keycloak.events] (default task-434)
type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xxxx, clientId=null,
userId=null, ipAddress=xxxxxxxxx, error=invalid_saml_response
The federated IDP is backed by ADFS.
Googling around, the issue seems to suggest a diff on clocks; but the time
on all the worker nodes (running in Kubernetes) is fine, and the
upstream broker (ADFS) said their time is fine.
Anyone seen this before? Even better, anyone know of a solution? :-)
Thanks in advance
Rohith
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user