opensaml::SecurityPolicyException: Message expired, was issued too long ago

Article ID: 212816

Updated On:

Products

CA Single Sign On Agents (SiteMinder), SITEMINDER, CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 
When running Shibboleth as the SP Federation Service in combination with a SiteMinder IdP, Shibboleth might report the following error:

  opensaml::SecurityPolicyException: Message expired, was issued too long ago
 

Cause

 

The error indicates that the problem is on the SP side, because all IdP machines are time-synchronized. All machines, on both the IdP and the SP side, should be time-synchronized, as the Shibboleth documentation states (1).

From the Shibboleth logs, we see that every one of the following lines shows a difference of 8 minutes and 47 seconds.

  2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)

  1616833763 : Sat, 27 Mar 2021 08:29:23 GMT
  1616833236 : Sat, 27 Mar 2021 08:20:36 GMT

  diff = 8 m 47 s

  2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
  1616833830 : Sat, 27 Mar 2021 08:30:30 GMT
  1616833303 : Sat, 27 Mar 2021 08:21:43 GMT

  diff = 8 m 47 s

  2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
  1616833966 : Sat, 27 Mar 2021 08:32:46 GMT
  1616833439 : Sat, 27 Mar 2021 08:23:59 GMT

  diff = 8 m 47 s

  2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
  1616837566 : Sat, 27 Mar 2021 09:32:46 GMT
  1616837039 : Sat, 27 Mar 2021 09:23:59 GMT

  diff = 8 m 47 s

 

These log lines are emitted by the Shibboleth source code (2).
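The same arithmetic can be run over a whole SP log. The Python script below is an added example, not part of the original article or of the Shibboleth code base: it parses the MessageFlow lines quoted above, converts both epoch values to GMT, and checks whether the excess over the newest allowed time is the same on every rejection. The function names and the 5-second jitter threshold are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Log lines copied from the article above.
LOG = """\
2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)
2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
"""

PATTERN = re.compile(
    r"MessageFlow \[\d+\]: rejected not-yet-valid message, "
    r"timestamp \((\d+)\), newest allowed \((\d+)\)"
)

def utc(epoch):
    """Render an epoch value the way the article lists it."""
    stamp = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return stamp.strftime("%a, %d %b %Y %H:%M:%S GMT")

def fmt(seconds):
    minutes, secs = divmod(seconds, 60)
    return f"{minutes} m {secs} s"

def parse_rejections(text):
    """Return (timestamp, newest_allowed, excess_seconds) per rejected message."""
    rows = []
    for line in text.splitlines():
        match = PATTERN.search(line)
        if match:
            issued, allowed = int(match.group(1)), int(match.group(2))
            rows.append((issued, allowed, issued - allowed))
    return rows

def classify(rows, jitter=5):
    """Heuristic (assumption of this example): an excess that stays within
    `jitter` seconds across all rejections points at a fixed clock offset
    between IdP and SP; a varying excess needs per-message review."""
    excess = [e for _, _, e in rows]
    if not excess:
        return "no-rejections"
    return "constant-offset" if max(excess) - min(excess) <= jitter else "variable"

if __name__ == "__main__":
    rows = parse_rejections(LOG)
    for issued, allowed, excess in rows:
        print(f"{utc(issued)} | {utc(allowed)} | diff = {fmt(excess)}")
    print("verdict:", classify(rows))
```
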

 

Resolution


Make sure that the Shibboleth SP side machines are in sync with the SiteMinder IdP side for date, time and time format.

 

Additional Information

 

(1)

    CommonErrors
    

(2)

    gitprojects / shibboleth / opensaml2.git / commitdiff