opensaml::SecurityPolicyException: Message expired, was issued too long ago
search cancel

opensaml::SecurityPolicyException: Message expired, was issued too long ago

book

Article ID: 212816

calendar_today

Updated On:

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 
When running Shibboleth as SP Federation Service in combination with SiteMinder IDP, one might see the Shibboleth reports an error:

  opensaml::SecurityPolicyException: Message expired, was issued too long ago
 

Cause

 

The error shows that the issue is on the SP side as all IdP machines are time synced. All machines, including both sides IdP and SP should be time sync as shibboleth documentation reports it (1).

From Shibboleth logs, for all those lines, there's a difference of 8 minutes and 47 seconds.

  2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)

  1616833763 : Sat, 27 Mar 2021 08:29:23 GMT
  1616833236 : Sat, 27 Mar 2021 08:20:36 GMT

  diff = 8 m 47

  2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
  1616833830 : Sat, 27 Mar 2021 08:30:30 GMT
  1616833303 : Sat, 27 Mar 2021 08:21:43 GMT

  diff = 8 m 47

  2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
  1616833966 : Sat, 27 Mar 2021 08:32:46 GMT
  1616833439 : Sat, 27 Mar 2021 08:23:59 GMT

  diff = 8 m 47

  2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
  1616837566 : Sat, 27 Mar 2021 09:32:46 GMT
  1616837039 : Sat, 27 Mar 2021 09:23:59 GMT

diff = 8 m 47

 

Those lines are reported from Shibboleth source code.

 

Resolution


Make sure that Shibboleth SP side machines are in sync for date, time and time format as per IdP SiteMinder side.

 

Additional Information

 

 

  1. CommonErrors