Late response

Article ID: 208337

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

We're running Federation Services, and it produces SAMLResponses that
are outside the SAML Assertion "NotBefore" and "NotOnOrAfter" values,
which seems to cause an error 500 on the SP side.

How can we fix this?

 

Cause

 

The AuthnInstant is not the time at which the assertion gets generated,
but the time at which the user initiates the Federation journey (the
authentication itself). The NotBefore and NotOnOrAfter values, in turn,
are stamped from the clock of the machine that builds the assertion, so a
wrong clock there produces a validity window the SP cannot accept.

  Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0

    AuthnInstant [Required]

    Specifies the time at which the authentication took place. The
    time value is encoded in UTC, as described in Section 1.3.3.

    NotOnOrAfter [Optional]

    Specifies the time instant at which the assertion has expired. The
    time value is encoded in UTC, as described in Section 1.3.3.

    2.5.1.2 Attributes NotBefore and NotOnOrAfter

    The NotBefore and NotOnOrAfter attributes specify time limits on the
    validity of the assertion within the context of its profile(s) of
    use. They do not guarantee that the statements in the assertion will
    be correct or accurate throughout the validity period.  The
    NotBefore attribute specifies the time instant at which the validity
    interval begins. The NotOnOrAfter attribute specifies the time
    instant at which the validity interval has ended.  If the value for
    either NotBefore or NotOnOrAfter is omitted, then it is considered
    unspecified

  https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

From SAML-traces.txt, we see that the myhost.mydomain-abc.com server
reports a time more than 3 days in the past and then suddenly jumps to
the expected date and time: within the same browser session, the Date
header goes from Wed, 20 Jan 2021 to Sun, 24 Jan 2021. A federation
journey takes seconds, so this is the server clock moving, not the user
waiting.

SAML-traces.txt:

      "method": "GET",
      "url": "https://myhost.mydomain-abc.com:1443/myApps",

      "get": [],
      "responseStatus": 301,
      "responseStatusText": "HTTP/1.1 301 Moved Permanently",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Wed, 20 Jan 2021 23:24:26 GMT"

      [...]

      "method": "GET",
      "url": "https://myhost.mydomain-abc.com:1443/myApps/",
      "responseStatus": 200,
      "responseStatusText": "HTTP/1.1 200 OK",
          "name": "Date",
          "value": "Wed, 20 Jan 2021 23:24:33 GMT"

      [...]

      "method": "GET",
      "url": "https://myhost.mydomain-abc.com:1443/myApps/servlet/myApps",
      "get": [],
      "responseStatus": 302,
          "name": "Date",
          "value": "Sun, 24 Jan 2021 07:13:42 GMT"
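The Date-header discontinuity above is easy to miss in a long trace. The following is an added example, not code from the article or from SiteMinder: it walks HAR-style entries (a constructed sample built from the three responses quoted above), keeps the Date header of each response per host, and flags any two consecutive responses from the same host whose clocks differ by more than a threshold (assumed here to be 10 minutes) in either direction.

```python
"""Spot server clock jumps in a HAR-style browser trace such as SAML-traces.txt.

Added example, not part of the Broadcom article. The entries are a constructed
sample modelled on the excerpt in the Cause section.
"""
import json
from datetime import timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample trace (same host and Date values as the excerpt above).
SAMPLE_TRACE = json.dumps([
    {"method": "GET", "url": "https://myhost.mydomain-abc.com:1443/myApps",
     "responseStatus": 301,
     "responseHeaders": [{"name": "Date", "value": "Wed, 20 Jan 2021 23:24:26 GMT"}]},
    {"method": "GET", "url": "https://myhost.mydomain-abc.com:1443/myApps/",
     "responseStatus": 200,
     "responseHeaders": [{"name": "Date", "value": "Wed, 20 Jan 2021 23:24:33 GMT"}]},
    {"method": "GET", "url": "https://myhost.mydomain-abc.com:1443/myApps/servlet/myApps",
     "responseStatus": 302,
     "responseHeaders": [{"name": "Date", "value": "Sun, 24 Jan 2021 07:13:42 GMT"}]},
])


def server_dates(entries):
    """Yield (host, url, Date header as an aware UTC datetime) for entries that carry one."""
    for entry in entries:
        for header in entry.get("responseHeaders", []):
            if header.get("name", "").lower() == "date":
                host = urlsplit(entry["url"]).hostname
                yield host, entry["url"], parsedate_to_datetime(header["value"])
                break


def find_clock_jumps(trace_json, max_gap=timedelta(minutes=10)):
    """Return [(host, prev_url, next_url, gap)] for consecutive responses from the
    same host whose Date headers differ by more than max_gap, in either direction.

    One federation journey takes seconds, so a gap of hours or days between two
    consecutive responses is the server's clock moving, not the user waiting.
    Tracking per host keeps an IdP and an SP with different clocks from
    masking each other.
    """
    last_seen = {}
    jumps = []
    for host, url, when in server_dates(json.loads(trace_json)):
        if host in last_seen:
            prev_url, prev_when = last_seen[host]
            gap = when - prev_when
            if abs(gap) > max_gap:
                jumps.append((host, prev_url, url, gap))
        last_seen[host] = (url, when)
    return jumps


if __name__ == "__main__":
    for host, prev_url, url, gap in find_clock_jumps(SAMPLE_TRACE):
        print(f"{host}: Date jumped by {gap} between {prev_url} and {url}")
```

On the sample, the only jump is the one between the second and third responses: 3 days, 7 hours, 49 minutes and 9 seconds forward. Run it over the real SAML-traces.txt (the HAR entries array) to find where the clock moved, and on which host.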

 

Environment

 

Policy Server 12.8SP5 on RedHat 8
CA Access Gateway (SPS) 12.8SP5 on RedHat 8

 

Resolution

 

Ensure that all machines keep the same date and time continuously and,
more importantly, that the time service on each machine (chronyd on
Red Hat 8) is healthy. Consult the OS and network teams on this. A drift
of days exceeds any clock-skew tolerance the SP may allow, so the
assertion is rejected as expired or not yet valid.

The date and time are not provided by the software itself but by the
OS.

The following KB article reports the same issue with the same solution:

  SAML Requests Failing on 1 Production Node
  https://knowledge.broadcom.com/external/article?articleId=118539
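To see why a clock that is days off cannot be absorbed by the SP, the following added example (not code from the article or from SiteMinder) evaluates an assertion's Conditions and AuthnInstant the way an SP does, against the SP's own clock and with a small skew allowance. The assertion is a constructed fragment whose timestamps copy the IdP clock seen in the trace (20 Jan 2021 23:24 UTC); the issuer, subject and the 3-minute skew are assumed values.

```python
"""Evaluate a SAML 2.0 assertion's time window the way an SP does.

Added example, not code from the article or from SiteMinder. The assertion is
a constructed fragment; the skew allowance is an assumed SP setting.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: issued by an IdP whose clock reads 20 Jan 2021 23:24:33 UTC,
# with a five-minute validity window and an AuthnInstant a few seconds earlier.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2021-01-20T23:24:33Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-01-20T23:24:33Z" NotOnOrAfter="2021-01-20T23:29:33Z"/>
  <saml:AuthnStatement AuthnInstant="2021-01-20T23:24:26Z"/>
</saml:Assertion>"""


def utc(year, month, day, hour, minute, second=0):
    """Build an aware UTC datetime to use as the SP's 'now'."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_saml_time(value):
    """saml-core 1.3.3: xs:dateTime values are UTC with a trailing Z."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML time must be UTC with a Z suffix: {value}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_assertion_times(assertion_xml, now, skew=timedelta(minutes=3)):
    """Return (accepted, reasons) for the assertion as seen from an SP whose clock says `now`.

    `skew` is the small tolerance SPs apply for ordinary NTP jitter. It absorbs
    seconds, not days: an IdP three days behind yields a NotOnOrAfter that is
    long past, an IdP ahead yields a NotBefore still in the future, and either
    way the SP rejects the assertion.
    """
    root = ET.fromstring(assertion_xml)
    reasons = []
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        # An omitted attribute is an unspecified bound (saml-core 2.5.1.2): check only what is present.
        if not_before and parse_saml_time(not_before) > now + skew:
            reasons.append(f"NotBefore {not_before} is still in the future: IdP clock ahead of SP")
        if not_on_or_after and parse_saml_time(not_on_or_after) <= now - skew:
            reasons.append(f"NotOnOrAfter {not_on_or_after} already passed: IdP clock behind SP, or stale assertion")
    stmt = root.find("saml:AuthnStatement", NS)
    authn_instant = stmt.get("AuthnInstant") if stmt is not None else None
    if authn_instant and parse_saml_time(authn_instant) > now + skew:
        reasons.append(f"AuthnInstant {authn_instant} is in the future: authentication cannot postdate validation")
    return not reasons, reasons


if __name__ == "__main__":
    for label, sp_now in [("SP in sync", utc(2021, 1, 20, 23, 25, 0)),
                          ("IdP 3 days behind SP", utc(2021, 1, 24, 7, 13, 42)),
                          ("IdP 4.5 minutes ahead of SP", utc(2021, 1, 20, 23, 20, 0))]:
        accepted, reasons = check_assertion_times(SAMPLE_ASSERTION, sp_now)
        print(f"{label}: {'accepted' if accepted else 'rejected'} {reasons}")
```

With the SP's clock at the real time from the trace (24 Jan 2021 07:13:42), the assertion minted by the lagging IdP fails NotOnOrAfter; with the IdP a few minutes ahead it fails NotBefore; only a difference within the skew allowance (here under 3 minutes) is accepted. That is why the fix is the time service, not the SP's skew setting.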