SAML Authorization error after session timeout in Enforce console

Article ID: 231995


Products

Data Loss Prevention Enterprise Suite, Data Loss Prevention Enforce, Data Loss Prevention, Data Loss Prevention Core Package

Issue/Introduction

When SAML single sign-on is configured for the Enforce console, an authorization error is returned after the console session times out. Once this happens the user cannot log back into the console from the same browser. The only workarounds are to open the console in a private browser window, or to log out of the IdP and log in again.

Environment

Release : 15.x.

Component : SAML

Cause

The Tomcat localhost logs contain SAML errors stating that the authentication statement is too old to be used. When the console session expires, the browser is redirected back to the IdP. The IdP still holds a live session for the user, so it issues a new SAML response without asking for credentials; the response itself is fresh, but the AuthnInstant in its AuthnStatement is the time of the original IdP login. Spring Security SAML in Enforce rejects an AuthnStatement older than maxAuthenticationAge (the library default is 7200 seconds, two hours), so every re-login from that browser fails until the IdP session is dropped, which is why a private window or an IdP logout clears the symptom.

Thread: 123 FINE [org.springframework.security.saml.SAMLAuthenticationProvider] Error validating SAML message
Cause:org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validationorg.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 0000-00-00T00:00:00.000Z
Thread: 123 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] AuthNResponse;FAILURE;10.10.10.10;https://dlp-enforce.local/ProtectManager/saml/metadata;https://saml_url/idp;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 0000-00-00T00:00:00.000Z

Resolution

In springSecurityContext.xml, the properties "forceAuthN" and/or "maxAuthenticationAge" can be adjusted to remediate the issue. forceAuthN="true" sets ForceAuthn="true" on the AuthnRequest sent to the IdP, which instructs the IdP to re-authenticate the user instead of reusing its existing session; the new assertion then carries a current AuthnInstant. maxAuthenticationAge is the maximum age, in seconds, of an AuthnInstant that Enforce will accept; raising it to 43200 (12 hours) accepts assertions from IdP sessions up to 12 hours old. forceAuthN is the more conservative option because it never accepts a stale IdP session; if maxAuthenticationAge is raised instead, keep it aligned with the IdP's own session lifetime rather than setting an arbitrarily large value. Edit the existing beans in the file rather than adding duplicates. The file is read when the ProtectManager web application starts, so the change takes effect after the Enforce (Tomcat) service is restarted.

X:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.x\Protect\tomcat\webapps\ProtectManager\WEB-INF\springSecurityContext.xml

/opt/Symantec/DataLossPrevention/EnforceServer/15.x/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml

<!-- Options applied to outgoing AuthnRequests; forceAuthN asks the IdP to re-authenticate the user -->
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="forceAuthN" value="true" />
</bean>

<!-- Validation of incoming assertions; maxAuthenticationAge is in seconds (43200 = 12 hours) -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
<property name="maxAuthenticationAge" value="43200" />
</bean>