[keycloak-user] SAML Assertion Expiration v4.8.0
gambol
gambol99 at gmail.com
Fri Aug 16 06:22:57 EDT 2019
Hiya
Was wondering if anyone else has come across this error before. After
upgrading to v4.8.0 users are complaining about intermittent login failures
via the federated IDP
09:14:46,188 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-434) Assertion _cc9a97f8-2a30-49e8-bca5-8eefcd49d592 expired.
09:14:46,188 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-434) Assertion expired.
09:14:46,188 WARN [org.keycloak.events] (default task-434) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xxxx, clientId=null, userId=null, ipAddress=xxxxxxxxx, error=invalid_saml_response
The federated IDP is backed by ADFS
Googling around the issue seems to suggest a diff on clocks; but the time
on all the worker nodes (running in kubernetes) is all fine; and the
upstream broker (ADFS) said their time is fine.
Anyone seen this before? .. even better, anyone know of a solution? :-)
Thanks in advance
Rohith
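One way to test the clock theory raised above against a captured assertion, added here as an example and not part of the original message or of Keycloak's code: it applies the generic SAML Conditions window rule (NotBefore <= now < NotOnOrAfter) with an optional skew allowance. The sample assertion, its timestamps, the receive time and the names check_window, parse_ts and skew_seconds are all constructed for illustration.

```python
# Added diagnostic sketch. SAMPLE is constructed data, not a real ADFS assertion.
# Intended for offline use on an assertion you captured yourself.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-example" Version="2.0" IssueInstant="2019-08-16T09:13:40.000Z">'
    '<saml:Conditions NotBefore="2019-08-16T09:13:40.000Z" '
    'NotOnOrAfter="2019-08-16T09:14:40.000Z"/>'
    '</saml:Assertion>'
)

def parse_ts(value):
    """Parse a UTC xs:dateTime such as 2019-08-16T09:14:40.000Z."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_window(assertion_xml, received_at, skew_seconds=0):
    """Return (status, seconds outside the stated window) for the receive time."""
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", NS)
    if cond is None:
        raise ValueError("no saml:Conditions element found")
    skew = timedelta(seconds=skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # Receiver clock behind the issuer: assertion looks like it is from the future.
    if not_before and received_at + skew < parse_ts(not_before):
        return "not_yet_valid", (parse_ts(not_before) - received_at).total_seconds()
    # Receiver clock ahead, or the assertion arrived after a short lifetime ran out.
    if not_on_or_after and received_at - skew >= parse_ts(not_on_or_after):
        return "expired", (received_at - parse_ts(not_on_or_after)).total_seconds()
    return "valid", 0.0

if __name__ == "__main__":
    # Constructed receive time; take the real one from the broker log, in UTC.
    received = datetime(2019, 8, 16, 9, 14, 46, 188000, tzinfo=timezone.utc)
    for skew in (0, 10):
        print(skew, check_window(SAMPLE, received, skew))
```

A margin of a few seconds past NotOnOrAfter points at a short assertion lifetime or slow delivery rather than a large clock offset; a "not_yet_valid" result points at the receiving clock running behind the issuer.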