AuthnResponse contains not SAML compliant Timestamp

Article ID: 208775

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

We're running a Policy Server and a CA Access Gateway as IdP. When these
create an Assertion as SAMLResponse, the IssueInstant value does not
follow the SAML protocol: the time is in local time and not UTC time:

We send the SAMLRequest to CA Access Gateway with Zulu time:

   IssueInstant="2020-12-28T15:50:06Z"

and the Federation Services return it in local time:

   IssueInstant="2020-12-28T15:43:59.425+01:00"

We see the same behavior on Web Agent Option Pack.

Here's the flow and the details of the Assertions:

Test.saz:

Line 2:

GET http://sps.training.com/affwebservices/public/saml2sso?SAMLRequest=fZHNbsMgEIRfxeIem6C4sVEcKW0OjZSqVuL00EuFATdINrgspD9PXxy3anrJBYllv52ZZQGsa3u68u6od%2FLNS3DRR9dqoOeHAnmrqWGggGrWSaCO0%2F3qYUtJjGlvjTPctOgCuU4wAGmdMhpFm3WBXmZcZPM8zQWWIpOpmOdZ0%2BR5OuOkzoQg%2BYzXImcYz1H0JC0EskBhUMABvNxocEy7UMIET6ZkQrJqmtIUU3zzjKJ1SKM0c2fq6FwPNEmgh9hZprTSrzE3XcKa5l3WwddJcQlJ7%2BtW8WTIQgDMoFQG2%2BokC%2BSslyha%2FYa4Mxp8J%2B1%2BZA%2B77Z9Mbb%2Fi7nM4Bw0%2BdqKo%2FFnZrdIiGLi%2BrXpsAnpfVeWkfNxXaLkYjNFzersM4xfJZWG8%2Ff%2FP5Tc%3D

(<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0" IssueInstant="2020-12-28T15:50:06Z" Destination="https://sps.training.com/affwebservices/public/saml2sso" IsPassive="true" AssertionConsumerServiceURL="https://brz.mybrz.com/consume" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>brz</saml:Issuer></samlp:AuthnRequest>)

  HTTP/1.1 200 OK
  Date: Mon, 28 Dec 2020 14:43:52 GMT
  Server: Apache/2.4.43 (Unix) mod_jk/1.2.48

  <form action="https://brz.mybrz.com/consume" method="POST">
  <input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pgo8UmVzcG9uc2UgSUQ9Il8yYjkxYTFjMGQ5ZTA2YjM3NjZiNWM3NGVlNTcwY2VkZjU1MTEiIEluUmVzcG9uc2VUbz0iXzRjZDg3OTU5ZDBlZDhlNWQ3OThmZjk5NTRjMmI4ZGQyOTRjYmQ5YTAwNyIgSXNzdWVJbnN0YW50PSIyMDIwLTEyLTI4VDE1OjQzOjU5LjQyNSswMTowMCIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48bnMxOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSIgeG1sbnM6bnMxPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5zcHM8L25zMTpJc3N1ZXI+PFN0YXR1cz48U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpSZXF1ZXN0ZXIiPjxTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOk5vUGFzc2l2ZSIvPjwvU3RhdHVzQ29kZT48L1N0YXR1cz48L1Jlc3BvbnNlPgoK">

  (<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/></StatusCode></Status></Response>)

FWSTrace.log:

  [12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-
  cba94ae1-a55a3f63-1f6f][SSO.java][doGet][Query String: SAMLRequest=fZHNbsM
  gEIRfxeIem6C4sVEcKW0OjZSqVuL00EuFATdINrgspD9PXxy3anrJBYllv52ZZQGsa3u68u6od
  %2FLNS3DRR9dqoOeHAnmrqWGggGrWSaCO0%2F3qYUtJjGlvjTPctOgCuU4wAGmdMhpFm3WBXmZ
  cZPM8zQWWIpOpmOdZ0%2BR5OuOkzoQg%2BYzXImcYz1H0JC0EskBhUMABvNxocEy7UMIET6ZkQ
  rJqmtIUU3zzjKJ1SKM0c2fq6FwPNEmgh9hZprTSrzE3XcKa5l3WwddJcQlJ7%2BtW8WTIQgDMo
  FQG2%2BokC%2BSslyha%2FYa4Mxp8J%2B1%2BZA%2B77Z9Mbb%2Fi7nM4Bw0%2BdqKo%2FFnZr
  dIiGLi%2BrXpsAnpfVeWkfNxXaLkYjNFzersM4xfJZWG8%2Ff%2FP5Tc%3D]

  [12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-
  cba94ae1-a55a3f63-1f6f][SSO.java][getAuthnRequestData][AuthnRequest: 
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4cd87959d0ed8e5d79
  8ff9954c2b8dd294cbd9a007" Version="2.0" IssueInstant="2020-12-28T15:50:06Z" 
  Destination="https://sps.training.com/affwebservices/public/saml2sso" 
  IsPassive="true" AssertionConsumerServiceURL="https://brz.mybrz.com/consume" 
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>brz
  </saml:Issuer></samlp:AuthnRequest>]

  [12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4-
  cba94ae1-a55a3f63-1f6f][SSO.java][sendPOSTBindingNoPassiveResponse]
  [SAMLResponse: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" 
  InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" 
  IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" 
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer 
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status>
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
  </StatusCode></Status></Response>

  ][12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4
  -cba94ae1-a55a3f63-1f6f][SSO.java][sendSAMLResponse]
  [SAML2 Single Sign-On Service sending SAML Response: <?xml version="1.0" 
  encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" 
  InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" 
  IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" 
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer 
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status>
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
  </StatusCode></Status></Response>.]

smtracedefault.log:

  [12/28/2020][15:43:51.603][15:43:51][30735][140503237285632][SmMessage.cpp:557]
  [CSmMessage::ParseAgentMessage][s14/r5][sps-training-com][][][][][][][][][]
  [][][][][][][][][/affwebservices/public/saml2sso?SAMLRequest=fZHNbsMgEIRfx
  eIem6C4sVEcKW0OjZSqVuL00EuFATdINrgspD9PXxy3anrJBYllv52ZZQGsa3u68u6od%2FLNS
  3DRR9dqoOeHAnmrqWGggGrWSaCO0%2F3qYUtJjGlvjTPctOgCuU4wAGmdMhpFm3WBXmZcZPM8z
  QWWIpOpmOdZ0%2BR5OuOkzoQg%2BYzXImcYz1H0JC0EskBhUMABvNxocEy7UMIET6ZkQrJqmtI
  UU3zzjKJ1SKM0c2fq6FwPNEmgh9hZprTSrzE3XcKa5l3WwddJcQlJ7%2BtW8WTIQgDMoFQG2%2
  BokC%2BSslyha%2FYa4Mxp8J%2B1%2BZA%2B77Z9Mbb%2Fi7nM4Bw0%2BdqKo%2FFnZrdIiGLi
  %2BrXpsAnpfVeWkfNxXaLkYjNFzersM4xfJZWG8%2Ff%2FP5Tc%3D]
  [Receive request attribute 201, data size is 480][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][]

  [12/28/2020][15:43:52.301][15:43:52][30735][140503237285632][CServer.cpp:6557]
  [CServer::Tunnel][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][][][]
  [][][][][][][][][][][::ffff:192.168.1.108][][][][Lib='smjavaapi', 
  Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.
  SAMLSPbyIDTunnelService', Server='', Device=''][] 
  [Resolved all the input parameters][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][]

  [12/28/2020][15:43:58.400][15:43:58][30735][140503237285632][CServer.cpp:6863]
  [][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-log-00000] 
  Execution time exceeded threshold. (CServer::Tunnel, 6098, 5000, 
  agent=sps-training-com client=*192.168.1.111 server=http://sps.training.com 
  resource=/affwebservices/public/saml2sso?SAMLRequest=fZHNbsMgEIRfxeIem6C4s
  VEcKW0OjZSqVuL00EuFATdINrgspD9PXxy3anrJBYllv52ZZQGsa3u68u6od%2FLNS3DRR9dqo
  OeHAnmrqWGggGrWSaCO0%2F3qYUtJjGlvjTPctOgCuU4wAGmdMhpFm3WBXmZcZPM8zQWWIpOpm
  OdZ0%2BR5OuOkzoQg%2BYzXImcYz1H0JC0EskBhUMABvNxocEy7UMIET6ZkQrJqmtIUU3zzjKJ
  1SKM0c2fq6FwPNEmgh9hZprTSrzE3XcKa5l3WwddJcQlJ7%2BtW8WTIQgDMoFQG2%2BokC%2BS
  slyha%2FYa4Mxp8J%2B1%2BZA%2B77Z9Mbb%2Fi7nM4Bw0%2BdqKo%2FFnZrdIiGLi%2BrXpsA
  npfVeWkfNxXaLkYjNFzersM4xfJZWG8%2Ff%2FP5Tc%3D action=GET user=)][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

The SAML Standard states:

  1.3.3 Time Values

  All SAML time values have the type xs:dateTime, which is built in to
  the W3C XML Schema Datatypes specification [Schema2], and MUST be
  expressed in UTC form, with no time zone component.  SAML system
  entities SHOULD NOT rely on time resolution finer than
  milliseconds. Implementations MUST NOT generate time instants that
  specify leap seconds.

  p.9

  IssueInstant [Required]

  The time instant of issue in UTC, as described in Section 1.3.3.

  https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

How can we fix this?

Environment

 CA Access Gateway (SPS) 12.8SP5 on RedHat 8;
 Web Agent Option Pack 12.52SP1CR08 on Tomcat 8.5.53 on RedHat 7;

Resolution

As of February 18th, 2021, the fix will be available in the next version
of both Web Agent Option Pack and CA Access Gateway (SPS), which will
probably be Web Agent Option Pack 12.52SP1CR12 and CA Access Gateway
(SPS) 12.8SP6.
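Until the fixed releases are in place, a Service Provider can at least detect the non-compliant form on receipt. The check below is an added example, not CA/Broadcom code: it flags any IssueInstant that is not in the UTC form required by section 1.3.3 and converts the offset form seen above to the equivalent UTC instant so the value can still be compared against the clock-skew window. The function names are mine, and the two sample messages are trimmed copies of the AuthnRequest and Response from the trace.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# UTC form required by SAML 2.0 Core 1.3.3: trailing "Z", optional fraction, no offset.
SAML_UTC_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# Any xs:dateTime with a zone designator, including the "+01:00" form the IdP emitted.
XS_DATETIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:(\d{2}))(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

# Constructed sample input: the two messages from the trace above, attributes trimmed.
AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                 'ID="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0" '
                 'IssueInstant="2020-12-28T15:50:06Z"/>')
IDP_RESPONSE = ('<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" '
                'ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" Version="2.0" '
                'IssueInstant="2020-12-28T15:43:59.425+01:00"/>')

def is_saml_utc(value: str) -> bool:
    """True only for the UTC form with no time zone component that the spec mandates."""
    return SAML_UTC_RE.match(value) is not None

def parse_xs_datetime(value: str) -> datetime:
    """Parse an xs:dateTime (UTC or offset form) into an aware UTC datetime."""
    m = XS_DATETIME_RE.match(value)
    if m is None:
        raise ValueError(f"not an xs:dateTime with zone designator: {value!r}")
    base, seconds, frac, zone = m.groups()
    if int(seconds) == 60:  # 1.3.3: leap seconds MUST NOT be generated
        raise ValueError(f"leap second in time value: {value!r}")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac or ".")[1:].ljust(6, "0")[:6])  # fraction -> microseconds
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
    return dt.replace(microsecond=micros, tzinfo=timezone(offset)).astimezone(timezone.utc)

def to_saml_utc(value: str) -> str:
    """Render the same instant in the UTC form, at millisecond resolution at most."""
    dt = parse_xs_datetime(value)
    frac = f".{dt.microsecond // 1000:03d}" if dt.microsecond else ""
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + frac + "Z"

def check_issue_instant(saml_xml: str) -> dict:
    """Report on the IssueInstant of an AuthnRequest or Response root element."""
    value = ET.fromstring(saml_xml).get("IssueInstant")
    return {"value": value, "compliant": is_saml_utc(value), "utc": to_saml_utc(value)}
```

Run against the trace, the Response's "+01:00" value normalises to 14:43:59.425Z, which matches the GMT Date header of the same exchange: the instant was right, only its form breaks the standard.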