When running Shibboleth as the SP federation service in combination with
a SiteMinder IdP, one might see Shibboleth report the error:
opensaml::SecurityPolicyException: Message expired, was issued too long ago
The error shows that the issue is on the SP side, as all IdP
machines are time synced. All machines on both sides, IdP and
SP, should be time synced, as the Shibboleth documentation states (1).
In the Shibboleth logs, every one of these lines shows the same
difference of 8 minutes and 47 seconds between the message's issue
instant and the newest allowed timestamp:
2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)
1616833763 : Sat, 27 Mar 2021 08:29:23 GMT
1616833236 : Sat, 27 Mar 2021 08:20:36 GMT
diff = 8 m 47
2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
1616833830 : Sat, 27 Mar 2021 08:30:30 GMT
1616833303 : Sat, 27 Mar 2021 08:21:43 GMT
diff = 8 m 47
2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
1616833966 : Sat, 27 Mar 2021 08:32:46 GMT
1616833439 : Sat, 27 Mar 2021 08:23:59 GMT
diff = 8 m 47
2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
1616837566 : Sat, 27 Mar 2021 09:32:46 GMT
1616837039 : Sat, 27 Mar 2021 09:23:59 GMT
diff = 8 m 47
Those lines are emitted by the OpenSAML MessageFlow rule in the Shibboleth source code (2).
Make sure that the Shibboleth SP machines are in sync with the SiteMinder IdP side
for date, time and time format.
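As an added example (not code from the original article or from the Shibboleth project), the following Python decodes MessageFlow rejection lines the way the table above does, checks whether the offset is constant across all rejections, and estimates how far the IdP clock is ahead of the SP. The regex, field names and the 180-second skew (the Shibboleth SP default clockSkew, assumed here) are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the four MessageFlow rejections quoted in the article.
SAMPLE_LOG = """\
2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)
2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
"""
# The two epoch values printed by opensaml's "issueInstant > now + skew" branch.
LINE_RE = re.compile(r"rejected not-yet-valid message, timestamp \((\d+)\), newest allowed \((\d+)\)")
# Assumption: the SP runs with the Shibboleth SP default clockSkew of 180 seconds.
CLOCK_SKEW = 180


def to_gmt(epoch):
    """Render an epoch second like the article's table: 'Sat, 27 Mar 2021 08:29:23 GMT'."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def parse_rejections(log_text):
    """Decode each rejection and the IdP-vs-SP clock offset it implies."""
    rejections = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        issue_instant, newest_allowed = int(m.group(1)), int(m.group(2))
        # newest_allowed is the SP's now + skew, so the IdP clock runs ahead of
        # the SP clock by (issue_instant - newest_allowed) + skew seconds.
        rejections.append({
            "issue_instant": to_gmt(issue_instant),
            "newest_allowed": to_gmt(newest_allowed),
            "diff_seconds": issue_instant - newest_allowed,
            "implied_offset_seconds": issue_instant - newest_allowed + CLOCK_SKEW,
        })
    return rejections


def diagnose(rejections):
    """One constant diff across many rejections points at clock skew, not at replay."""
    diffs = {r["diff_seconds"] for r in rejections}
    if not diffs:
        return "no MessageFlow rejections found"
    if len(diffs) == 1:
        d = diffs.pop()
        return f"constant offset of {d // 60} m {d % 60} s: SP clock is behind the IdP, fix time sync"
    return "varying offsets: inspect messages individually (possible replay or several IdP clocks)"


if __name__ == "__main__":
    print(diagnose(parse_rejections(SAMPLE_LOG)))
```

On the sample above this reports a constant 8 m 47 s difference and an implied offset of 707 seconds (11 m 47 s) between the two clocks.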
(1) Shibboleth SP3 wiki, CommonErrors:
opensaml::SecurityPolicyException: Message expired, was issued too
long ago. Barring an actual replay attack, your SP's clock isn't
synchronized with the clock of the IdP that issued the message. All
servers using SAML MUST maintain accurate time. Refer to your OS
documentation for information on how to synchronize with a reliable
time source.
https://wiki.shibboleth.net/confluence/display/SP3/CommonErrors#CommonErrors-opensaml::SecurityPolicyException:Messageexpired,wasissuedtoolongago.
(2) gitweb: shibboleth / opensaml2.git / commitdiff
- if (issueInstant > now + skew) {
- log.errorStream() << "rejected not-yet-valid message, timestamp (" << issueInstant <<
- "), newest allowed (" << now + skew << ")" << CategoryStream::ENDLINE;
- throw BindingException("Message rejected, was issued in the future.");
Taking the last log line:
2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
- if (issueInstant > 10:20:59 + 3) {   // now = 10:20:59 (SP log time), skew = 3 minutes
- log.errorStream() << "rejected not-yet-valid message, timestamp (" << 09:32:46 <<
- "), newest allowed (" << 09:23:59 << ")" << CategoryStream::ENDLINE;
- throw BindingException("Message rejected, was issued in the future.");
http://www.project-moonshot.org/gitweb/?p=shibboleth/opensaml2.git;a=commitdiff;h=78df12835bde49799a945c6e7a23a95aaec1ab02