Error related to a long time without accessing

Hi Support team,

I have integrated and run the SAML Add-on successfully. I can log in from http://localhost:8080/app
After one day or more, I access the link and then get the error messages below.
I'm not sure whether the issue relates to Spring SAML or the Add-on. Could you help?

Thanks so much,
Hung Vu

Error Message:

Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
    ... 48 common frames omitted
Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2019-07-23T14:03:24.901Z
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:538) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:306) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214) ~[spring-security-saml2-core-1.0.4.RELEASE.jar:1.0.4.RELEASE]
    ... 49 common frames omitted

Hi @hungvu,

After you log in to the IDP, it stores the time you logged in and sends it in the SAML response message. The application validates that this time does not exceed the limit declared in 'cuba.addon.saml.maxAuthenticationAgeSec'. If it does not meet the limit you will get a CredentialsExpiredException. You just need to log out of the IDP and try logging in again through SAML. You will enter your IDP credentials and can use SSO until you break the limit.
If you do not need SSO, you could run SAML authentication in force mode, which means that you must use credentials every time you are redirected to the IDP.
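An added example (not code from the add-on or from Spring SAML) that re-creates the age check behind the CredentialsExpiredException above in plain Java: it reads AuthnInstant from a constructed assertion fragment carrying the timestamp from the stack trace and compares it against a maximum age at two consumption times. The class name, the helper names and the 7200-second value for cuba.addon.saml.maxAuthenticationAgeSec are assumptions.

```java
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/** Hypothetical stand-alone re-creation of the AuthnInstant age rule (not the add-on's code). */
public class AuthnInstantCheck {

    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed assertion fragment; the AuthnInstant value is the one from the stack trace above.
    static final String ASSERTION =
        "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\" ID=\"_x\" Version=\"2.0\">"
      + "<saml2:AuthnStatement AuthnInstant=\"2019-07-23T14:03:24.901Z\" SessionIndex=\"_s\"/>"
      + "</saml2:Assertion>";

    /** Returns the AuthnInstant of the first AuthnStatement; DTD processing is disabled before parsing. */
    static Instant authnInstant(String assertionXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(assertionXml)));
        Element stmt = (Element) doc.getElementsByTagNameNS(SAML2_NS, "AuthnStatement").item(0);
        if (stmt == null || !stmt.hasAttribute("AuthnInstant")) {
            throw new IllegalStateException("assertion has no AuthnStatement/AuthnInstant");
        }
        return Instant.parse(stmt.getAttribute("AuthnInstant"));
    }

    /** The IdP's original login time plus maxAuthenticationAgeSec must not lie before "now". */
    static boolean isAuthenticationFresh(Instant authnInstant, long maxAuthenticationAgeSec, Instant now) {
        return !authnInstant.plusSeconds(maxAuthenticationAgeSec).isBefore(now);
    }

    public static void main(String[] args) throws Exception {
        Instant at = authnInstant(ASSERTION);
        long maxAgeSec = 7200; // assumed value for cuba.addon.saml.maxAuthenticationAgeSec
        Instant sameDay = at.plus(Duration.ofMinutes(30)); // response consumed shortly after the IdP login
        Instant nextDay = at.plus(Duration.ofDays(1));     // the "after one day or more" case from the question
        System.out.println("30 min later, accepted: " + isAuthenticationFresh(at, maxAgeSec, sameDay));
        System.out.println("1 day later, accepted:  " + isAuthenticationFresh(at, maxAgeSec, nextDay));
    }
}
```

Spring SAML's own verifyAuthenticationStatement applies this AuthnInstant rule and additionally rejects a statement whose SessionNotOnOrAfter has already passed, so both timestamps are worth checking when diagnosing a stale SSO session.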

Hi Mikhail,

Thanks for your explanation.
How can I log out of the IDP? Is it in the Cuba app or on the IDP server?

Regards,
Hung Vu

Hi @hungvu,

You should log out on the IDP server to proceed with forced authentication the next time you log in through SAML.

Regards,
Mikhail

Hi Mikhail,

My question is why there is no redirect after the token expires?

Thanks,
Hung

Hi @hungvu,

You could handle this on the project side; different projects need different behaviour. In the add-on we just use the common way, without custom solutions.

Regards,
Mikhail

Hi Mikhail,

Could you suggest how to implement it in the Cuba SAML add-on sample project?

Thanks,
Hung Vu

@hungvu I have the same issue. How did you address this?