We're running Federation Services and it produces SAMLResponses that are
outside the SAML Assertion "NotBefore" and "NotOnOrAfter" values, which
seems to cause error 500 on the SP side.
How can we fix this?
The AuthnInstant is not the time the assertion gets generated, but the
time when the user initiates the Federation journey.
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
AuthnInstant [Required]
Specifies the time at which the authentication took place. The
time value is encoded in UTC, as described in Section 1.3.3.
NotOnOrAfter [Optional]
Specifies the time instant at which the assertion has expired. The
time value is encoded in UTC, as described in Section 1.3.3.
2.5.1.2 Attributes NotBefore and NotOnOrAfter
The NotBefore and NotOnOrAfter attributes specify time limits on the
validity of the assertion within the context of its profile(s) of
use. They do not guarantee that the statements in the assertion will
be correct or accurate throughout the validity period. The
NotBefore attribute specifies the time instant at which the validity
interval begins. The NotOnOrAfter attribute specifies the time
instant at which the validity interval has ended. If the value for
either NotBefore or NotOnOrAfter is omitted, then it is considered
unspecified.
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
From the "SAML-traces.txt", we see that the
myhost.mydomain-abc.com server reports a time more than 3 days
earlier, then suddenly jumps to the expected date and time.
SAML-traces.txt :
"method": "GET",
"url": "https://myhost.mydomain-abc.com:1443/myApps",
"get": [],
"responseStatus": 301,
"responseStatusText": "HTTP/1.1 301 Moved Permanently",
"responseHeaders": [
{
"name": "Date",
"value": "Wed, 20 Jan 2021 23:24:26 GMT"
[...]
"method": "GET",
"url": "https://myhost.mydomain-abc.com:1443/myApps/",
"responseStatus": 200,
"responseStatusText": "HTTP/1.1 200 OK",
"name": "Date",
"value": "Wed, 20 Jan 2021 23:24:33 GMT"
[...]
"method": "GET",
"url": "https://myhost.mydomain-abc.com:1443/myApps/servlet/myApps",
"get": [],
"responseStatus": 302,
"name": "Date",
"value": "Sun, 24 Jan 2021 07:13:42 GMT"
Policy Server 12.8SP5 on RedHat 8
CA Access Gateway (SPS) 12.8SP5 on RedHat 8
You need to ensure that all machines are kept at the same date and time
continuously and, moreover, that the time services on these machines have
no problems at all. Consult the OS and network teams on this.
The date and time are not provided by the software itself, but by the
OS.
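The clock-drift failure described above, as an added example that is not part of the KB article or the product: a Python check (function names are assumed) that validates an assertion's NotBefore/NotOnOrAfter against the SP's clock with a configurable skew tolerance, and scans the Date headers from a trace like SAML-traces.txt for the kind of jump seen here. The assertion XML is constructed; the timestamps are taken from the trace.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def parse_saml_time(value):
    # SAML 2.0 section 1.3.3: time values are UTC, e.g. 2021-01-20T23:24:33Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, now, skew=timedelta(minutes=5)):
    """Evaluate the assertion's validity window at the SP's clock `now`.
    Returns (ok, reason). An omitted NotBefore/NotOnOrAfter is unspecified
    (spec 2.5.1.2) and imposes no limit; `skew` is the tolerated clock drift."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return True, "no Conditions element"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is not None and now + skew < parse_saml_time(nb):
        return False, f"not yet valid: NotBefore is {parse_saml_time(nb) - now} ahead of SP clock"
    if noa is not None and now - skew >= parse_saml_time(noa):
        return False, f"expired: NotOnOrAfter is {now - parse_saml_time(noa)} behind SP clock"
    return True, "within validity window"

def find_time_jumps(date_headers, max_step=timedelta(hours=1)):
    """Return (index, delta) for consecutive HTTP Date headers that differ by
    more than `max_step`; a server with a healthy clock never jumps that far
    between two consecutive responses."""
    times = [parsedate_to_datetime(d) for d in date_headers]
    return [(i, times[i + 1] - times[i]) for i in range(len(times) - 1)
            if abs(times[i + 1] - times[i]) > max_step]

# Constructed sample: a 5-minute assertion issued while the IdP clock read
# 20 Jan, evaluated by an SP whose clock reads 24 Jan (the value from the trace).
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0"
  IssueInstant="2021-01-20T23:24:33Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2021-01-20T23:24:33Z" NotOnOrAfter="2021-01-20T23:29:33Z"/>
</saml:Assertion>"""
SP_CLOCK = parse_saml_time("2021-01-24T07:13:42Z")
# Date headers copied from the trace responses above, in order.
TRACE_DATES = ["Wed, 20 Jan 2021 23:24:26 GMT", "Wed, 20 Jan 2021 23:24:33 GMT",
               "Sun, 24 Jan 2021 07:13:42 GMT"]

if __name__ == "__main__":
    print(check_conditions(ASSERTION, SP_CLOCK))
    print(find_time_jumps(TRACE_DATES))
```

Running it reports the assertion as expired by more than three days and flags the jump between the second and third trace responses, which is the symptom to take to the OS and network teams.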
The following KB article reports the same issue with the same solution:
SAML Requests Failing on 1 Production Node
https://knowledge.broadcom.com/external/article?articleId=118539