Constraint Error: SAML ticket does not become valid until ...

Article ID: 379301

Products

CA API Gateway

Issue/Introduction

For one of our use cases, we are using the OAuth SAML grant type and sometimes we are seeing the error "SAML Constraint Error: SAML ticket does not become valid until: Wed Sep 25 12:42:41 EDT 2024".

We have decoded the SAML and we see NotBefore="2024-09-25T16:42:41.480Z" and the request came to Layer7 at "2024-09-25T16:42:41.717Z".

This means that the SAML was valid when it reached Layer7.

Below is the decoded SAML for reference.

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_bf0c7e8e-2cab-4561-94e9-cc9ca4421951" IssueInstant="2024-09-25T16:42:41.479Z" Version="2.0">
 <saml2:Issuer>Client</saml2:Issuer>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
   <ds:Reference URI="#_bf0c7e8e-2cab-4561-94e9-cc9ca4421951">
    <ds:Transforms>
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>83sLrBWYQpkghqEDITEDaTsjJqH2dwdGGKUYCeo+769s=</ds:DigestValue>
   </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>...
</ds:SignatureValue>
  <ds:KeyInfo>
   <ds:X509Data>
    <ds:X509Certificate>...</ds:X509Certificate>
   </ds:X509Data>
  </ds:KeyInfo>
 </ds:Signature>
 <saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">...</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
 </saml2:Subject>
 <saml2:Conditions NotBefore="2024-09-25T16:42:41.480Z" NotOnOrAfter="2024-09-25T17:42:41.480Z">
  <saml2:AudienceRestriction>
   <saml2:Audience>https://my.domain.com</saml2:Audience>
  </saml2:AudienceRestriction>
 </saml2:Conditions>
 <saml2:AuthnStatement AuthnInstant="2024-09-25T16:42:41.480Z">
  <saml2:AuthnContext>
   <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
  </saml2:AuthnContext>
 </saml2:AuthnStatement>
</saml2:Assertion>

Environment

CA API Gateway 11.x

OTK 4.6

Cause

The gateway compares the NotBefore condition against the current time at whole-second granularity, ignoring the millisecond part of the timestamps. A token whose NotBefore is 16:42:41.480 can therefore be rejected for a request that arrives at 16:42:41.717, even though the token is already valid at millisecond precision; the error goes away once the clock rolls over to the next second, which is why it is only seen sometimes.

Resolution

There are two ways to work around the millisecond issue (both also apply if the token is produced with the SAML Token Creation Wizard):

1. Modify NotBefore in the SAML token to be 1 second in the past during SAML token creation.

(e.g. if the time is 16:42:41, set NotBefore to 16:42:40. Since it is in the past, the token is already valid, assuming zero clock skew.)

2. Relax the validity period by 1 second during SAML token validation (e.g. if the token presents NotBefore="2024-09-25T16:42:41.480Z", accept it if the current time is 16:42:40 or later).
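The following Python script is an added illustration, not code from the article or from the Layer7 gateway. It parses the Conditions element of an assertion (a constructed sample that reuses the article's timestamps), models the second-granularity comparison as truncating the current time to whole seconds (an assumed model; the article only states that milliseconds are not used), and then shows both workarounds: backdating NotBefore by one second at creation, and validating at full precision with a one-second tolerance on NotBefore. The function names and the 1-second `skew` parameter are this example's own choices.

```python
"""Second-granularity NotBefore rejection and the two workarounds (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: only the Conditions element is needed here.
# The timestamps are the ones quoted in the article.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_example" Version="2.0">
  <saml2:Conditions NotBefore="2024-09-25T16:42:41.480Z" NotOnOrAfter="2024-09-25T17:42:41.480Z"/>
</saml2:Assertion>"""

# Time at which the article says the request reached the gateway.
ARRIVAL = "2024-09-25T16:42:41.717Z"


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix), keeping the millisecond part."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML dateTime: {value}")


def format_instant(moment):
    """Render a UTC datetime as xs:dateTime with millisecond precision."""
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + f"{moment.microsecond // 1000:03d}Z"


def conditions(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML2_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no saml2:Conditions element")
    return parse_instant(cond.get("NotBefore")), parse_instant(cond.get("NotOnOrAfter"))


def naive_check(not_before, not_on_or_after, now):
    """Assumed model of the reported behaviour: the current time is truncated to
    whole seconds, so a NotBefore of hh:mm:ss.480 is still 'in the future' for
    any request arriving later in the same second."""
    now_seconds = now.replace(microsecond=0)
    return not_before <= now_seconds < not_on_or_after


def backdated_not_before(issue_instant, skew=timedelta(seconds=1)):
    """Workaround 1 (token creation): emit NotBefore one second in the past."""
    return format_instant(issue_instant - skew)


def tolerant_check(not_before, not_on_or_after, now, skew=timedelta(seconds=1)):
    """Workaround 2 (token validation): compare at full precision and accept a
    NotBefore that is up to `skew` in the future (clock-skew tolerance)."""
    return (not_before - skew) <= now < not_on_or_after


def run_scenario():
    """Evaluate the article's timestamps against the naive check and both fixes."""
    not_before, not_on_or_after = conditions(SAMPLE_ASSERTION)
    arrival = parse_instant(ARRIVAL)
    fixed = backdated_not_before(not_before)
    return {
        "naive_rejects_original": not naive_check(not_before, not_on_or_after, arrival),
        "naive_accepts_backdated": naive_check(parse_instant(fixed), not_on_or_after, arrival),
        "tolerant_accepts_original": tolerant_check(not_before, not_on_or_after, arrival),
        "backdated_not_before": fixed,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Running the script shows the original token rejected by the second-granularity check at 16:42:41.717 and accepted once NotBefore is backdated to 16:42:40.480 or once the validator allows one second of skew. When relaxing validation, keep the tolerance small (the article uses one second): every second of slack is a second during which an assertion is accepted before its issuer intended it to be valid.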

Additional Information

DE617576