I have integrated and successfully run the SAML Add-on. I can log in from http://localhost:8080/app
After one day or more, I access the link and then get the error messages below:
I’m not sure whether the issue relates to Spring SAML or the Add-on. Could you help?
Thanks so much,
Hung Vu
Error Message:
```
Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	... 48 common frames omitted
Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2019-07-23T14:03:24.901Z
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:538) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:306) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
	... 49 common frames omitted
```
After you log in to the IDP, it stores the time you logged in and sends it in the SAML response message. The application validates that this time does not exceed the limit declared in ‘cuba.addon.saml.maxAuthenticationAgeSec’. If it does not meet the limit, you will catch CredentialsExpiredException. You just need to log out of the IDP and try logging in again through SAML. You will enter your IDP credentials and can use SSO until you break the limit.
If you do not need SSO, you could run authentication by SAML in force mode; it means that you must use credentials every time you are redirected to the IDP.
You could handle this on the project side; different projects need different behaviour. In the add-on we just use the common way, without custom solutions.
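The check described in the answer, as an added Python illustration rather than the add-on's or Spring SAML's own code: it reads the AuthnInstant from a constructed assertion fragment and rejects the assertion when the IDP login it reports is older than the configured maxAuthenticationAgeSec. The function names, the sample assertion and the limit values are assumptions; the timestamp is the one quoted in the question's stack trace.

```python
"""Illustration (not the add-on's code) of the AuthnInstant age check behind
Spring SAML's CredentialsExpiredException."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment: only the element the freshness check reads.
# The AuthnInstant is the value quoted in the question's stack trace.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '  <saml:AuthnStatement AuthnInstant="2019-07-23T14:03:24.901Z"'
    '                       SessionIndex="constructed-session-1"/>'
    '</saml:Assertion>'
)


class CredentialsExpired(Exception):
    """Stand-in for Spring's CredentialsExpiredException."""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value}")


def authn_instants(assertion_xml):
    """Return every AuthnStatement/@AuthnInstant carried by the assertion."""
    root = ET.fromstring(assertion_xml)
    return [parse_instant(stmt.get("AuthnInstant"))
            for stmt in root.iter(f"{{{SAML_NS}}}AuthnStatement")]


def authentication_age_sec(assertion_xml, now):
    """Age in seconds of the oldest IDP login the assertion reports."""
    now = parse_instant(now) if isinstance(now, str) else now
    return max((now - i).total_seconds() for i in authn_instants(assertion_xml))


def verify_authentication_statement(assertion_xml, max_authentication_age_sec, now=None):
    """Accept the assertion only if the IDP login it reports is no older than
    max_authentication_age_sec (cuba.addon.saml.maxAuthenticationAgeSec)."""
    now = parse_instant(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    limit = timedelta(seconds=max_authentication_age_sec)
    for instant in authn_instants(assertion_xml):
        if now - instant > limit:
            raise CredentialsExpired("Authentication statement is too old to be used with value "
                                     + instant.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
    return True
```

Passing `now` as an ISO string makes the check reproducible in tests; in a live SP the current UTC clock is used, so clock skew between IDP and SP also counts against the limit.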