Error: "Response issue time is either too old or with date in the future" causes SAML SSO users login to fail
search cancel

Error: "Response issue time is either too old or with date in the future" causes SAML SSO users login to fail

book

Article ID: 321885

calendar_today

Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • SAML SSO users cannot / unable to login to Cloud Director (VCD).
    • SAML identity provider (IDP) succeeds to authenticate this login request.
    • The text "login-failure-graphic" may be seen in the top-left corner and the user is returned to the login prompt
  • Time on the VCD Cells and the IDP server are out of sync.
  • The /opt/vmware/vcloud-director/logs/vcloud-container-debug.log on the VCD Cells shows entries similar to:

<DATE> | INFO   | pool-jetty-123 | SAMLDefaultLogger       | AuthNResponse;FAILURE;#.#.#.#;https://vcd.example.com/login/org/organization/saml/SSO/alias/vcd;http://idp.example.com/####;;;org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future, skew 60, time <DATE>
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:126)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
    at com.vmware.vcloud.ui.h5auth.filters.CustomSamlProcessingFilter.attemptAuthentication(CustomSamlProcessingFilter.java:30)

Environment

  • VMware Cloud Director 10.6.x, 10.5.x, 10.4.x, 10.3.x

Cause

This issue can be caused by time synchronization problems between the identity provider and the Cloud Director Cells which cause the SAML login to fail.

Resolution

The identity provider and Cloud Director Cells must synchronize to NTP servers to ensure their time is in sync.

  • On the VCD Cells, verify whether VCD can synchronize to NTP servers using the timedatectl status command as per the documentation, Check the NTP Service Status of Your VMware Cloud Director Appliance.
  • To change the NTP settings on VCD Cells follow the steps in the documentation, Change the NTP Server of Your VMware Cloud Director Appliance.
    • Check timesyncd.conf carefully for errors if the ntpdate <time_server> command completes successfully but the status command shows System clock synchronized: no
    • This syntax is documented in the systemd manpages under man 5 timesyncd.conf
  • To change the NTP settings on the identity provider consult with the IDP vendor.

Note: If you encounter this issue in Cloud Director 10.6.x, refer to KB 381873 regarding a known issue with timesyncd.

Powered by Wolken Software