opensaml::SecurityPolicyException: Message expired, was issued too long ago

Article ID: 212816

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

When running Shibboleth as the SP (Federation Service) in combination with a
SiteMinder IdP, Shibboleth may report the following error:

  opensaml::SecurityPolicyException: Message expired, was issued too long ago

 

Cause

 

The error indicates that the problem is on the SP side, since all IdP
machines are time synchronized. All machines on both sides, IdP and SP,
must be time synchronized, as the Shibboleth documentation states (1).

In the Shibboleth logs, every one of these lines shows the same difference
of 8 minutes and 47 seconds between the message timestamp and the newest
allowed time:

  2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)

  1616833763 : Sat, 27 Mar 2021 08:29:23 GMT
  1616833236 : Sat, 27 Mar 2021 08:20:36 GMT

  diff = 8 m 47 s

  2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
  1616833830 : Sat, 27 Mar 2021 08:30:30 GMT
  1616833303 : Sat, 27 Mar 2021 08:21:43 GMT

  diff = 8 m 47 s

  2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
  1616833966 : Sat, 27 Mar 2021 08:32:46 GMT
  1616833439 : Sat, 27 Mar 2021 08:23:59 GMT

  diff = 8 m 47 s

  2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
  1616837566 : Sat, 27 Mar 2021 09:32:46 GMT
  1616837039 : Sat, 27 Mar 2021 09:23:59 GMT

  diff = 8 m 47 s

These log lines are produced by the check in the Shibboleth (OpenSAML) source code (2).
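To reproduce the analysis above on a whole log file rather than by hand, the following Python script (added here as an example; it is not part of the article or of the Shibboleth software) parses the "rejected not-yet-valid message" lines, renders the epoch values in GMT as the article does, computes the per-line excess, and estimates the clock offset between IdP and SP. The log text is a constructed copy of the four lines quoted above; the 180-second clockSkew is an assumed value (Shibboleth SP's documented default), and the offset estimate assumes the IdP stamped each message at its own current time.

```python
import re
from datetime import datetime, timezone

# Constructed copies of the four OpenSAML MessageFlow log lines quoted above.
SAMPLE_LOG = """\
2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)
2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
"""

# Pattern for the "rejected not-yet-valid message" line format shown in the article.
LINE_RE = re.compile(
    r"^(?P<logged>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR "
    r"OpenSAML\.SecurityPolicyRule\.MessageFlow \[\d+\]: "
    r"rejected not-yet-valid message, timestamp \((?P<issued>\d+)\), "
    r"newest allowed \((?P<newest>\d+)\)$"
)

# Assumed value: Shibboleth SP's default clockSkew is 180 seconds.
DEFAULT_CLOCK_SKEW = 180


def epoch_to_gmt(epoch):
    """Render an epoch second the way the article does, e.g. 'Sat, 27 Mar 2021 08:29:23 GMT'."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def hms(seconds):
    """Format a number of seconds as 'Hh Mm Ss' or 'Mm Ss'."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return ("%dh %dm %ds" % (h, m, s)) if h else ("%dm %ds" % (m, s))


def parse_rejections(text):
    """Extract issued, newest-allowed and excess seconds from each matching log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line, skip it
        issued, newest = int(m["issued"]), int(m["newest"])
        records.append({
            "logged": m["logged"],
            "issued": issued,
            "newest": newest,
            "excess": issued - newest,  # how far past now+skew the message was stamped
        })
    return records


def estimate_clock_offset(record, clock_skew=DEFAULT_CLOCK_SKEW):
    """Estimate IdP clock minus SP clock (assumes the IdP stamped the message at its own 'now').

    On the SP, newest allowed = now + skew, so now = newest - skew and
    offset = issued - now = excess + skew.
    """
    return record["excess"] + clock_skew


def diagnose(text, clock_skew=DEFAULT_CLOCK_SKEW):
    """Return (number of rejections, sorted distinct excess values, estimated offset in seconds)."""
    records = parse_rejections(text)
    excesses = sorted({r["excess"] for r in records})
    offset = estimate_clock_offset(records[0], clock_skew) if records else None
    return len(records), excesses, offset


if __name__ == "__main__":
    for r in parse_rejections(SAMPLE_LOG):
        print("%s  issued %s  newest allowed %s  diff = %s" % (
            r["logged"], epoch_to_gmt(r["issued"]), epoch_to_gmt(r["newest"]), hms(r["excess"])))
    n, excesses, offset = diagnose(SAMPLE_LOG)
    print("%d rejections, distinct excess values %s, estimated IdP-SP clock offset ~%s"
          % (n, [hms(e) for e in excesses], hms(offset)))
```

A single, constant excess across every rejection (here 527 seconds on all four lines) is the signature of clock drift rather than of a genuine replay: replayed messages would show varying ages. Run the script against the SP's shibd.log after removing the constructed sample.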

 

Resolution

 

Make sure that the Shibboleth SP side machines are synchronized in date,
time and time format with the SiteMinder IdP side.

 

Additional Information

(1)

    CommonErrors

      opensaml::SecurityPolicyException: Message expired, was issued too
      long ago.  Barring an actual replay attack, your SP's clock isn't
      synchronized with the clock of the IdP that issued the message. All
      servers using SAML MUST maintain accurate time. Refer to your OS
      documentation for information on how to synchronize with a reliable
      time source.

    https://wiki.shibboleth.net/confluence/display/SP3/CommonErrors#CommonErrors-opensaml::SecurityPolicyException:Messageexpired,wasissuedtoolongago.


(2)

    gitprojects / shibboleth / opensaml2.git / commitdiff

      -    if (issueInstant > now + skew) {
      -        log.errorStream() << "rejected not-yet-valid message, timestamp (" << issueInstant <<
      -            "), newest allowed (" << now + skew << ")" << CategoryStream::ENDLINE;
      -        throw BindingException("Message rejected, was issued in the future."); 

    Substituting the values from the last log line into that check:

      2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)

      -    if (issueInstant > 10:20:59 + 3) {
      -        log.errorStream() << "rejected not-yet-valid message, timestamp (" << 09:32:46 <<
      -            "), newest allowed (" << 09:23:59 << ")" << CategoryStream::ENDLINE;
      -        throw BindingException("Message rejected, was issued in the future."); 

    http://www.project-moonshot.org/gitweb/?p=shibboleth/opensaml2.git;a=commitdiff;h=78df12835bde49799a945c6e7a23a95aaec1ab02
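The check quoted in (2) compares the message's issue instant against the SP clock plus the configured skew. The following Python model is an added example, not OpenSAML's code: the 180-second skew is Shibboleth SP's documented default clockSkew, while the 60-second expiry and the "expired" branch are assumed simplifications of the companion check. It replays the values of the article's last log line, recovers the SP's own clock reading from the logged "newest allowed" value, and shows why the resolution is to synchronize the clock rather than to raise clockSkew: widening the skew widens the window in which a captured message would still be accepted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MessageFlowPolicy:
    """Assumed policy knobs: 180 s is the SP's documented default clockSkew, 60 s expiry is assumed."""
    clock_skew: int = 180
    expires: int = 60


def check_issue_instant(issue_instant, now, policy):
    """Simplified model of the two time checks; returns None if accepted, else the rejection reason."""
    newest_allowed = now + policy.clock_skew
    oldest_allowed = now - policy.clock_skew - policy.expires
    if issue_instant > newest_allowed:
        return ("rejected not-yet-valid message, timestamp (%d), newest allowed (%d)"
                % (issue_instant, newest_allowed))
    if issue_instant < oldest_allowed:
        return ("message expired, was issued too long ago, timestamp (%d), oldest allowed (%d)"
                % (issue_instant, oldest_allowed))
    return None


def acceptance_window(policy):
    """Width in seconds of the interval of issue instants the SP accepts (2 * skew + expires)."""
    return 2 * policy.clock_skew + policy.expires


def sp_now_from_log(newest_allowed, policy):
    """Recover the SP's clock reading from a logged 'newest allowed' value (newest = now + skew)."""
    return newest_allowed - policy.clock_skew


if __name__ == "__main__":
    policy = MessageFlowPolicy()
    issued, newest = 1616837566, 1616837039  # values from the article's last log line
    sp_now = sp_now_from_log(newest, policy)
    print("as logged   :", check_issue_instant(issued, sp_now, policy))

    # Resolution: synchronize the SP clock. Advancing it by the full offset
    # (excess plus skew) makes the same message acceptable.
    offset = (issued - newest) + policy.clock_skew
    print("clock synced:", check_issue_instant(issued, sp_now + offset, policy))

    # Non-fix: raising clockSkew to swallow the drift also accepts the message,
    # but grows the acceptance window from 420 s to 1474 s.
    loose = MessageFlowPolicy(clock_skew=offset)
    print("skew raised :", check_issue_instant(issued, sp_now, loose),
          "window", acceptance_window(policy), "->", acceptance_window(loose))
```

The first print reproduces the article's log line; the second shows it accepted once the SP clock is corrected; the third shows that the same acceptance can be bought by loosening clockSkew, at the cost of a much larger replay window, which is why the Shibboleth documentation insists on accurate time rather than on tuning skew.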