We are running a Policy Server and a CA Access Gateway as IdP. When they generate an Assertion in a SAMLResponse, the IssueInstant value does not follow the SAML protocol: the time is expressed in local time with a zone offset instead of UTC.
We send the SAMLRequest to CA Access Gateway with Zulu (UTC) time:
IssueInstant="2020-12-28T15:50:06Z"
and the Federation Services return local time with a zone offset:
IssueInstant="2020-12-28T15:43:59.425+01:00"
We see the same behaviour with the Web Agent Option Pack.
Here is the flow, with the details of the Assertions:
Test.saz, line 2:
GET http://sps.training.com/affwebservices/public/saml2sso?SAMLRequest=fZHNbsMgEIRfxeIem6C4sVEcKW0OjZSqVuL00EuFATdINrgspD9PXxy3anrJBYllv52ZZQGsa3u68u6od%2FLNS3DRR9dqoOeHAnmrqWGggGrWSaCO0%2F3qYUtJjGlvjTPctOgCuU4wAGmdMhpFm3WBXmZcZPM8zQWWIpOpmOdZ0%2BR5OuOkzoQg%2BYzXImcYz1H0JC0EskBhUMABvNxocEy7UMIET6ZkQrJqmtIUU3zzjKJ1SKM0c2fq6FwPNEmgh9hZprTSrzE3XcKa5l3WwddJcQlJ7%2BtW8WTIQgDMoFQG2%2BokC%2BSslyha%2FYa4Mxp8J%2B1%2BZA%2B77Z9Mbb%2Fi7nM4Bw0%2BdqKo%2FFnZrdIiGLi%2BrXpsAnpfVeWkfNxXaLkYjNFzersM4xfJZWG8%2Ff%2FP5Tc%3D
(<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0" IssueInstant="2020-12-28T15:50:06Z" Destination="https://sps.training.com/affwebservices/public/saml2sso" IsPassive="true" AssertionConsumerServiceURL="https://brz.mybrz.com/consume" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>brz</saml:Issuer></samlp:AuthnRequest>)
HTTP/1.1 200 OK
Date: Mon, 28 Dec 2020 14:43:52 GMT
Server: Apache/2.4.43 (Unix) mod_jk/1.2.48
<form action="https://brz.mybrz.com/consume" method="POST">
<input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pgo8UmVzcG9uc2UgSUQ9Il8yYjkxYTFjMGQ5ZTA2YjM3NjZiNWM3NGVlNTcwY2VkZjU1MTEiIEluUmVzcG9uc2VUbz0iXzRjZDg3OTU5ZDBlZDhlNWQ3OThmZjk5NTRjMmI4ZGQyOTRjYmQ5YTAwNyIgSXNzdWVJbnN0YW50PSIyMDIwLTEyLTI4VDE1OjQzOjU5LjQyNSswMTowMCIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48bnMxOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSIgeG1sbnM6bnMxPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5zcHM8L25zMTpJc3N1ZXI+PFN0YXR1cz48U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpSZXF1ZXN0ZXIiPjxTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOk5vUGFzc2l2ZSIvPjwvU3RhdHVzQ29kZT48L1N0YXR1cz48L1Jlc3BvbnNlPgoK">
(<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/></StatusCode></Status></Response>)
FWSTrace.log :
[12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-
cba94ae1-a55a3f63-1f6f][SSO.java][doGet][Query String: SAMLRequest=fZHNbsM
gEIRfxeIem6C4sVEcKW0OjZSqVuL00EuFATdINrgspD9PXxy3anrJBYllv52ZZQGsa3u68u6od
%2FLNS3DRR9dqoOeHAnmrqWGggGrWSaCO0%2F3qYUtJjGlvjTPctOgCuU4wAGmdMhpFm3WBXmZ
cZPM8zQWWIpOpmOdZ0%2BR5OuOkzoQg%2BYzXImcYz1H0JC0EskBhUMABvNxocEy7UMIET6ZkQ
rJqmtIUU3zzjKJ1SKM0c2fq6FwPNEmgh9hZprTSrzE3XcKa5l3WwddJcQlJ7%2BtW8WTIQgDMo
FQG2%2BokC%2BSslyha%2FYa4Mxp8J%2B1%2BZA%2B77Z9Mbb%2Fi7nM4Bw0%2BdqKo%2FFnZr
dIiGLi%2BrXpsAnpfVeWkfNxXaLkYjNFzersM4xfJZWG8%2Ff%2FP5Tc%3D]
[12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-
cba94ae1-a55a3f63-1f6f][SSO.java][getAuthnRequestData][AuthnRequest:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4cd87959d0ed8e5d79
8ff9954c2b8dd294cbd9a007" Version="2.0" IssueInstant="2020-12-28T15:50:06Z"
Destination="https://sps.training.com/affwebservices/public/saml2sso"
IsPassive="true" AssertionConsumerServiceURL="https://brz.mybrz.com/consume"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>brz
</saml:Issuer></samlp:AuthnRequest>]
[12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4-
cba94ae1-a55a3f63-1f6f][SSO.java][sendPOSTBindingNoPassiveResponse]
[SAMLResponse: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511"
InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007"
IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
</StatusCode></Status></Response>
][12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4
-cba94ae1-a55a3f63-1f6f][SSO.java][sendSAMLResponse]
[SAML2 Single Sign-On Service sending SAML Response: <?xml version="1.0"
encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511"
InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007"
IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
</StatusCode></Status></Response>.]
smtracedefault.log :
[12/28/2020][15:43:51.603][15:43:51][30735][140503237285632][SmMessage.cpp:557]
[CSmMessage::ParseAgentMessage][s14/r5][sps-training-com][][][][][][][][][]
[][][][][][][][][/affwebservices/public/saml2sso?SAMLRequest=fZHNbsMgEIRfx
eIem6C4sVEcKW0OjZSqVuL00EuFATdINrgspD9PXxy3anrJBYllv52ZZQGsa3u68u6od%2FLNS
3DRR9dqoOeHAnmrqWGggGrWSaCO0%2F3qYUtJjGlvjTPctOgCuU4wAGmdMhpFm3WBXmZcZPM8z
QWWIpOpmOdZ0%2BR5OuOkzoQg%2BYzXImcYz1H0JC0EskBhUMABvNxocEy7UMIET6ZkQrJqmtI
UU3zzjKJ1SKM0c2fq6FwPNEmgh9hZprTSrzE3XcKa5l3WwddJcQlJ7%2BtW8WTIQgDMoFQG2%2
BokC%2BSslyha%2FYa4Mxp8J%2B1%2BZA%2B77Z9Mbb%2Fi7nM4Bw0%2BdqKo%2FFnZrdIiGLi
%2BrXpsAnpfVeWkfNxXaLkYjNFzersM4xfJZWG8%2Ff%2FP5Tc%3D]
[Receive request attribute 201, data size is 480][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][]
[12/28/2020][15:43:52.301][15:43:52][30735][140503237285632][CServer.cpp:6557]
[CServer::Tunnel][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][][][]
[][][][][][][][][][][::ffff:192.168.1.108][][][][Lib='smjavaapi',
Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.
SAMLSPbyIDTunnelService', Server='', Device=''][]
[Resolved all the input parameters][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][]
[12/28/2020][15:43:58.400][15:43:58][30735][140503237285632][CServer.cpp:6863]
[][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-log-00000]
Execution time exceeded threshold. (CServer::Tunnel, 6098, 5000,
agent=sps-training-com client=*192.168.1.111 server=http://sps.training.com
resource=/affwebservices/public/saml2sso?SAMLRequest=fZHNbsMgEIRfxeIem6C4s
VEcKW0OjZSqVuL00EuFATdINrgspD9PXxy3anrJBYllv52ZZQGsa3u68u6od%2FLNS3DRR9dqo
OeHAnmrqWGggGrWSaCO0%2F3qYUtJjGlvjTPctOgCuU4wAGmdMhpFm3WBXmZcZPM8zQWWIpOpm
OdZ0%2BR5OuOkzoQg%2BYzXImcYz1H0JC0EskBhUMABvNxocEy7UMIET6ZkQrJqmtIUU3zzjKJ
1SKM0c2fq6FwPNEmgh9hZprTSrzE3XcKa5l3WwddJcQlJ7%2BtW8WTIQgDMoFQG2%2BokC%2BS
slyha%2FYa4Mxp8J%2B1%2BZA%2B77Z9Mbb%2Fi7nM4Bw0%2BdqKo%2FFnZrdIiGLi%2BrXpsA
npfVeWkfNxXaLkYjNFzersM4xfJZWG8%2Ff%2FP5Tc%3D action=GET user=)][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
The SAML standard states:
1.3.3 Time Values
All SAML time values have the type xs:dateTime, which is built in to
the W3C XML Schema Datatypes specification [Schema2], and MUST be
expressed in UTC form, with no time zone component. SAML system
entities SHOULD NOT rely on time resolution finer than
milliseconds. Implementations MUST NOT generate time instants that
specify leap seconds.
(p. 9)
IssueInstant [Required]
The time instant of issue in UTC, as described in Section 1.3.3.
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
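To make the spec requirement concrete on the SP side, here is an added check (not code from CA Access Gateway or the Option Pack) that reads IssueInstant off the captured SAMLResponse above, judges it against the UTC form of Section 1.3.3, normalises it to UTC, and shows how a strict validator would reject it while a lenient one accepts it. The function and constant names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed from the decoded SAMLResponse quoted in this article.
RESPONSE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" '
    'InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" '
    'IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer>'
    '<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>'
    '</StatusCode></Status></Response>'
)

# SAML Core 1.3.3: xs:dateTime in UTC with no zone component, i.e. a trailing "Z".
UTC_FORM = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def check_issue_instant(xml_text):
    """Read IssueInstant off the Response element and judge it against 1.3.3."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    raw = root.get("IssueInstant")
    # fromisoformat only understands a trailing "Z" from Python 3.11 on.
    parsed = datetime.fromisoformat(raw[:-1] + "+00:00" if raw.endswith("Z") else raw)
    if parsed.tzinfo is None:  # no zone at all: treat as UTC, still non-compliant
        parsed = parsed.replace(tzinfo=timezone.utc)
    return {
        "raw": raw,
        "spec_compliant": bool(UTC_FORM.match(raw)),  # False for "+01:00"
        "utc": parsed.astimezone(timezone.utc),  # the instant the issuer meant
        "if_read_as_utc": parsed.replace(tzinfo=timezone.utc),  # what an SP ignoring the offset sees
        "offset_seconds": int(parsed.utcoffset().total_seconds()),
    }


def evaluate_response(xml_text, now_utc, strict=True, max_skew_seconds=300):
    """Decide as an SP validator would: 'accept' or 'reject:<reason>'."""
    info = check_issue_instant(xml_text)
    if strict and not info["spec_compliant"]:
        return "reject:issueinstant-not-utc"
    if abs((now_utc - info["utc"]).total_seconds()) > max_skew_seconds:
        return "reject:issueinstant-outside-skew"
    return "accept"


# The gateway's HTTP Date header from the capture, used here as the SP's clock.
CAPTURE_TIME = datetime(2020, 12, 28, 14, 43, 52, tzinfo=timezone.utc)
```

An SP that drops the "+01:00" and reads the wall-clock value as UTC sees the response as issued an hour in the future, which is the usual symptom of this bug in the partner's logs.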
How can we fix this?
CA Access Gateway (SPS) 12.8SP5 on RedHat 8;
Web Agent Option Pack 12.52SP1CR08 on Tomcat 8.5.53 on RedHat 7;
As of February 18, 2021, the fix will be available in the next release of both Web Agent Option Pack and CA Access Gateway (SPS), which will probably be Web Agent Option Pack 12.52SP1CR12 and CA Access Gateway (SPS) 12.8SP6.