[keycloak-user] SAML Assertion Expiration v4.8.0

Hynek Mlnarik hmlnarik at redhat.com
Mon Sep 2 08:53:49 EDT 2019


Hi,

I suggest enabling debug logging on org.keycloak.saml.validators. If it really
turns out to be a clock sync issue, then feel free to add yourself as a
watcher [1] or even submit a PR. It would need to be a similar config option
to the one implemented for the OIDC identity provider in [2].

Thanks,

--Hynek

[1] https://issues.jboss.org/browse/KEYCLOAK-10884
[2] https://github.com/keycloak/keycloak/commit/3bef6d5066ffc8323736a2a49c83d230876d8b6c#diff-49725a583d0a1d2f9750ad3ccdeca7e7

On Fri, Aug 16, 2019 at 11:28 AM gambol <gambol99 at gmail.com> wrote:

> Hiya
>
> Was wondering if anyone else has come across this error before. After
> upgrading to v4.8.0, users are complaining about intermittent login failures
> via the federated IDP:
>
> 09:14:46,188 INFO  [org.keycloak.saml.validators.ConditionsValidator]
> (default task-434) Assertion _cc9a97f8-2a30-49e8-bca5-8eefcd49d592 expired.
> 09:14:46,188 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
> task-434) Assertion expired.
> 09:14:46,188 WARN  [org.keycloak.events] (default task-434)
> type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xxxx, clientId=null,
> userId=null, ipAddress=xxxxxxxxx, error=invalid_saml_response
>
> The federated IDP is backed by ADFS
>
> Googling around, the issue seems to suggest a difference between clocks, but
> the time on all the worker nodes (running in Kubernetes) is fine, and the
> upstream broker (ADFS) said their time is fine.
>
> Anyone seen this before? .. even better, anyone know of a solution? :-)
>
> Thanks in advance
>
> Rohith
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
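The check Hynek's reply is talking about, as an added illustration that is not part of this thread and not Keycloak's own ConditionsValidator: it validates the SAML Conditions NotBefore/NotOnOrAfter window against the broker's clock, shows how a broker clock only a few seconds ahead of or behind the IdP's turns a valid assertion into "expired" or "not yet valid", and adds the kind of configurable skew tolerance the reply suggests for the SAML provider. The assertion, issuer, audience and all timestamps are constructed, and the five-minute validity window is an assumption, not ADFS's real default.

```python
"""Validate SAML <Conditions> timestamps with an allowed clock skew.

Added illustration for the thread above. It is NOT Keycloak's
org.keycloak.saml.validators.ConditionsValidator and does not reproduce its
behaviour; it shows why clock drift between IdP and broker produces
"Assertion expired" and how a skew tolerance absorbs it. All sample data
(assertion, issuer, audience, timestamps) is constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion with an assumed five-minute validity window.
# Per SAML 2.0 Core, NotBefore is inclusive and NotOnOrAfter is exclusive.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_constructed-example-id" IssueInstant="2019-08-16T09:14:45Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2019-08-16T09:14:45Z"
                   NotOnOrAfter="2019-08-16T09:19:45Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://broker.example.test/auth/realms/demo</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime with a trailing 'Z' (UTC) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def conditions_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) as datetimes; either may be None."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return None, None
    nb = cond.get("NotBefore")
    noa = cond.get("NotOnOrAfter")
    return (parse_saml_instant(nb) if nb else None,
            parse_saml_instant(noa) if noa else None)


def check_conditions(assertion_xml, now, allowed_skew_seconds=0):
    """Return (valid, reason) for the broker's current time `now`.

    `allowed_skew_seconds` widens the window on both sides so that a broker
    clock slightly ahead of or behind the IdP's clock does not reject an
    otherwise valid assertion. Zero reproduces a strict check.
    """
    skew = timedelta(seconds=allowed_skew_seconds)
    not_before, not_on_or_after = conditions_window(assertion_xml)
    if not_before is not None and now + skew < not_before:
        return False, "not yet valid"
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        return False, "expired"
    return True, "ok"


def seconds_until_expiry(assertion_xml, now):
    """Seconds between the broker's `now` and NotOnOrAfter (negative once past).

    This is the number a debug log of the validator helps you recover: a
    small negative value points at clock drift, while minutes mean the
    assertion really was presented long after the IdP issued it.
    """
    _, not_on_or_after = conditions_window(assertion_xml)
    return (not_on_or_after - now).total_seconds()


if __name__ == "__main__":
    on_time = parse_saml_instant("2019-08-16T09:14:46Z")
    print(check_conditions(SAMPLE_ASSERTION, on_time))          # (True, 'ok')
    # Broker clock 3 s behind the IdP: rejected strictly, accepted with 30 s skew.
    behind = parse_saml_instant("2019-08-16T09:14:43Z")
    print(check_conditions(SAMPLE_ASSERTION, behind))           # (False, 'not yet valid')
    print(check_conditions(SAMPLE_ASSERTION, behind, 30))       # (True, 'ok')
    # Broker clock at the exact NotOnOrAfter instant: exclusive bound, so expired.
    at_end = parse_saml_instant("2019-08-16T09:19:45Z")
    print(check_conditions(SAMPLE_ASSERTION, at_end))           # (False, 'expired')
    print(check_conditions(SAMPLE_ASSERTION, at_end, 30))       # (True, 'ok')
    print(seconds_until_expiry(SAMPLE_ASSERTION, on_time))      # 299.0
```

The tolerance is deliberately symmetric and small: it should cover NTP-level drift between the ADFS hosts and the Kubernetes workers, not paper over an expired token, which is why a request arriving well past NotOnOrAfter is still rejected even with the skew applied.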
