SAML authentication in PKS failed with error "System cannot honor OneTimeUse condition of the Assertion for WebSSO"

Article ID: 316834

Products

VMware Cloud PKS

Issue/Introduction

Symptoms:
  • SAML authentication in Enterprise PKS fails with an error similar to the following:
Error: SAMLException: System cannot honor OneTimeUse condition of the Assertion for WebSSO
  • You see messages similar to the following in the uaa.log file:
[2020-06-17 09:39:00.975] uaa - 17 [https-jsse-nio-8443-exec-3] ....  INFO --- SAMLDefaultLogger: AuthNResponse;FAILURE;172.29.17.77;vmw-k8s-pks.net1.cec.eu.int:8443;urn:ec.europa.eu:eulogin:acceptance:saml;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
.
.
Caused by: org.opensaml.common.SAMLException: System cannot honor OneTimeUse condition of the Assertion for WebSSO
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:462)
   
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware PKS 1.x

Cause

This is not a PKS-specific issue. PKS/TKGI delegates SAML processing in UAA to the Spring Security SAML extension, and that library does not implement the OneTimeUse condition: it keeps no record of assertion IDs it has already consumed, so it cannot guarantee that an assertion is accepted only once. Rather than silently ignore a condition it cannot enforce, WebSSOProfileConsumerImpl.verifyAssertionConditions rejects any assertion whose <saml:Conditions> element contains <saml:OneTimeUse/>, which is what the SAML 2.0 core specification requires of a relying party that cannot honor a condition. The failure therefore occurs whenever the identity provider is configured to issue OneTimeUse assertions to this service provider, independent of the PKS version in use.
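To confirm that the identity provider is the source of the condition before raising the issue with the IdP team, the following script decodes a SAMLResponse (raw XML or the base64 value of the SAMLResponse form field), lists the conditions carried by each assertion, and then applies the same accept/reject decision that an SP behaving like Spring Security SAML makes. It is added here as an illustration and is not code from this article, from PKS/UAA, or from the Spring project; the sample response, host names, and the 60-second clock-skew allowance are constructed assumptions. It inspects conditions only and does not validate the assertion signature.

```python
"""Inspect <saml:Conditions> in a SAML 2.0 Response and show which condition an
SP like Spring Security SAML would refuse. Constructed example, not product code."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (hypothetical hosts, no signature): the usual
# validity window and audience restriction plus the OneTimeUse condition.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2020-06-17T09:39:00Z" Destination="https://sp.example.test:8443/saml/SSO">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-17T09:39:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-06-17T09:38:00Z" NotOnOrAfter="2020-06-17T09:44:00Z">
      <saml:AudienceRestriction><saml:Audience>sp.example.test</saml:Audience></saml:AudienceRestriction>
      <saml:OneTimeUse/>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def decode_response(raw):
    """Accept either raw XML or the base64-encoded SAMLResponse field value."""
    text = raw.strip()
    return text if text.startswith("<") else base64.b64decode(text).decode("utf-8")


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported timestamp: " + value)


def summarize_conditions(xml_text):
    """Return one dict per assertion describing its Conditions element."""
    root = ET.fromstring(xml_text)
    entries = []
    for assertion in root.findall(".//saml:Assertion", NS):
        entry = {"assertion_id": assertion.get("ID"), "not_before": None,
                 "not_on_or_after": None, "audiences": [], "one_time_use": False,
                 "proxy_restriction": False, "unknown": []}
        cond = assertion.find("saml:Conditions", NS)
        if cond is not None:
            entry["not_before"] = cond.get("NotBefore")
            entry["not_on_or_after"] = cond.get("NotOnOrAfter")
            for child in cond:
                tag = child.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
                if tag == "AudienceRestriction":
                    entry["audiences"] += [a.text for a in child.findall("saml:Audience", NS)]
                elif tag == "OneTimeUse":
                    entry["one_time_use"] = True
                elif tag == "ProxyRestriction":
                    entry["proxy_restriction"] = True
                else:
                    entry["unknown"].append(tag)
        entries.append(entry)
    return entries


def verify_conditions(entry, expected_audience, now, skew_seconds=60):
    """Return the reasons an SP without a replay cache would reject the assertion;
    an empty list means it is acceptable. The 60 s skew is an assumed default."""
    reasons = []
    skew = timedelta(seconds=skew_seconds)
    if entry["not_before"] and now + skew < parse_instant(entry["not_before"]):
        reasons.append("NotBefore is in the future")
    if entry["not_on_or_after"] and now - skew >= parse_instant(entry["not_on_or_after"]):
        reasons.append("NotOnOrAfter has passed")
    if entry["audiences"] and expected_audience not in entry["audiences"]:
        reasons.append("AudienceRestriction does not include " + expected_audience)
    if entry["one_time_use"]:
        # No record of consumed assertion IDs means single use cannot be
        # guaranteed, and SAML 2.0 requires rejecting a condition the SP cannot honor.
        reasons.append("OneTimeUse condition cannot be honored")
    for tag in entry["unknown"]:
        reasons.append("unsupported condition " + tag)
    return reasons


if __name__ == "__main__":
    import sys
    text = decode_response(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for e in summarize_conditions(text):
        print(e["assertion_id"], e)
        print("  reject reasons:", verify_conditions(e, "sp.example.test", datetime.now(timezone.utc)))
```

Run it against a SAMLResponse captured from the browser (for example the value posted to the UAA /saml/SSO endpoint): if the only listed reason is the OneTimeUse condition, the validity window and audience are fine and the request to the IdP administrator is simply to stop emitting <saml:OneTimeUse/> for this service provider.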

Resolution

This is a known issue affecting VMware Enterprise PKS (Tanzu Kubernetes Grid Integrated Edition). There is currently no resolution on the PKS/TKGI side: the limitation is in the underlying Spring Security SAML library, and the issues linked below are where its status is tracked. Because the OneTimeUse condition is placed in the assertion by the identity provider, the only practical workaround is for the IdP administrator to stop emitting <saml:OneTimeUse/> in assertions issued to the PKS UAA service provider. Before making that request, confirm the condition is actually present by decoding a captured SAMLResponse and inspecting its <saml:Conditions> element.

Additional Information

https://github.com/spring-projects/spring-security/issues/8769
https://jira.spring.io/browse/SES-172