DLP SSO: Authentication statement is too old to be used with value.

Article ID: 237328

Products

Data Loss Prevention Enforce Data Loss Prevention

Issue/Introduction

When attempting to integrate SSO with DLP, the following error is written to localhost.log:

Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value [YYYY-MM-DDT hh:mm:ssZ]

Cause

This is caused by a timestamp mismatch between the Service Provider (SP, in this case DLP Enforce) and the Identity Provider (IdP). In other words, the IdP (frequently seen with Okta integrations) is issuing an assertion whose authentication timestamp falls outside the age window DLP Enforce accepts, so DLP Enforce rejects the assertion and logs the error above.

Resolution

The best course of action is to correct the server time mismatch between the IdP and SP. If both servers have the same time and the error persists, you can sometimes overcome it with the configuration change below.

Modify the springSecurityContext.xml file. Locate the bean with id "webSSOprofileConsumer", which by default reads:

    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl" />

and change it to the following:

    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
        <property name="maxAuthenticationAge" value="302400" />
    </bean>
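To see why the value of maxAuthenticationAge decides whether an assertion is accepted, the following added example (not part of this article or of the DLP or Spring SAML code) reproduces the age test the Spring SAML consumer applies: the assertion's AuthnInstant plus maxAuthenticationAge must still lie in the future as seen by the SP's clock, otherwise the authentication statement is "too old". The assertion fragment, the timestamps and the SP clock offsets are constructed for the example; the 302400-second value is the one from this article (3.5 days), and the 7200-second value is the Spring SAML default.

```python
"""Evaluate a SAML AuthnStatement's AuthnInstant against maxAuthenticationAge
the way the Spring SAML WebSSOProfileConsumer does, and report the SP/IdP
clock offset that usually triggers CredentialsExpiredException."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_MAX_AUTHN_AGE = 7200   # Spring SAML default, in seconds (2 hours)
KB_MAX_AUTHN_AGE = 302400      # value from this article, in seconds (3.5 days)

# Constructed sample: a minimal assertion carrying one AuthnStatement.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml2:AuthnStatement AuthnInstant="2024-01-15T10:00:00Z" SessionIndex="_s1">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime (UTC, trailing 'Z') into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"   # fromisoformat on older Pythons rejects 'Z'
    return datetime.fromisoformat(value)


def authn_instant_from_assertion(xml_text):
    """Extract the AuthnInstant attribute of the first AuthnStatement."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml2:AuthnStatement", SAML_NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        raise ValueError("assertion has no AuthnStatement/AuthnInstant")
    return parse_saml_instant(stmt.get("AuthnInstant"))


def is_authn_statement_too_old(authn_instant, sp_now, max_age_seconds):
    """Spring SAML's test: AuthnInstant + maxAuthenticationAge must not be in the past."""
    return authn_instant + timedelta(seconds=max_age_seconds) < sp_now


def evaluate(xml_text, sp_now, max_age_seconds=DEFAULT_MAX_AUTHN_AGE):
    """Return (accepted, age_seconds) for an assertion as seen from the SP clock.

    age_seconds is how old the AuthnInstant looks to the SP; a large positive
    value with a just-issued assertion means the IdP clock is behind the SP clock.
    """
    instant = authn_instant_from_assertion(xml_text)
    age = (sp_now - instant).total_seconds()
    accepted = not is_authn_statement_too_old(instant, sp_now, max_age_seconds)
    return accepted, age


def describe(xml_text, sp_now, max_age_seconds=DEFAULT_MAX_AUTHN_AGE):
    """Human-readable verdict in the same wording as the localhost.log error."""
    accepted, age = evaluate(xml_text, sp_now, max_age_seconds)
    instant = authn_instant_from_assertion(xml_text)
    if accepted:
        return "accepted: AuthnInstant %s is %.0f s old (limit %d s)" % (instant, age, max_age_seconds)
    return ("CredentialsExpiredException: Authentication statement is too old to be used with value [%s]"
            " (age %.0f s, limit %d s)" % (instant.isoformat(), age, max_age_seconds))


if __name__ == "__main__":
    # Constructed scenario: the IdP issued the assertion "now", but the SP clock
    # is three hours ahead, so the statement looks 10800 s old to the SP.
    sp_clock = parse_saml_instant("2024-01-15T13:00:00Z")
    print(describe(SAMPLE_ASSERTION, sp_clock))                    # rejected at 7200 s
    print(describe(SAMPLE_ASSERTION, sp_clock, KB_MAX_AUTHN_AGE))  # accepted at 302400 s
    # Same assertion with synchronized clocks (30 minutes later).
    print(describe(SAMPLE_ASSERTION, parse_saml_instant("2024-01-15T10:30:00Z")))
```

Running the script with the constructed three-hour offset shows the statement rejected under the 7200-second default and accepted under 302400 seconds, which is exactly the effect of the configuration change above. The age_seconds value is the number to look at while troubleshooting: if a freshly issued assertion already appears hours old to Enforce, the clocks differ by that amount and correcting the time is the right fix. Raising maxAuthenticationAge only widens the window in which an older authentication statement is still honoured, so it is the fallback the article describes rather than the preferred remedy.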

Additional Information

The maxAuthenticationAge property is measured in seconds. See the link below for more information:

WebSSOProfileConsumerImpl