2 votes

Printed below is the stack trace of an auth failure caused by a time zone difference between the IdP and SP. Is there a way to configure this in Spring Security?

org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future, skew 60, time 2015-06-11T09:27:49.000Z
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:126)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)

1 vote

I'm having the same issue: the skew is off by the time distance of my location from UTC. I'd rather not open the skew up to a large number though... – SingleShot

1 Answer

1 vote

You can refer to the spring-saml docs on configuring the WebSSOProfileConsumerImpl bean to configure the time.

You can try updating the time for the refreshToken metadata:

<!-- Reloads the IdP metadata from the classpath resource on a timer -->
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
    <constructor-arg>
        <bean class="java.util.Timer"/>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.opensaml.util.resource.ClasspathResource">
            <constructor-arg value="/metadata/idp.xml"/>
        </bean>
    </constructor-arg>
    <property name="parserPool" ref="parserPool"/>
    <!-- Lower and upper bounds on the delay between metadata refreshes, in milliseconds -->
    <property name="minRefreshDelay" value="120000"/>
    <property name="maxRefreshDelay" value="300000"/>
</bean>

and try updating the maxAuthenticationAge time as well:

<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
    <!-- Maximum age of the IdP's authentication (AuthnInstant) the SP accepts, in seconds -->
    <property name="maxAuthenticationAge" value="28800"/>
</bean>
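The check that throws the exception in the question is the one behind "skew 60": Spring Security SAML's WebSSOProfileConsumerImpl rejects a Response whose IssueInstant lies more than `responseSkew` seconds (default 60) before or after the SP's clock, and `responseSkew` is a property you can set on the same webSSOprofileConsumer bean shown above. The following is an added example, not the answer's or Spring SAML's own code: a Python model of that check, run against constructed timestamps and a constructed SP clock (`SP_NOW`, 21 seconds after the IssueInstant in the trace). It shows that a timestamp carrying a +05:30 offset is the same instant as the UTC one and passes unchanged, that only an IdP clock that is genuinely wrong fails, and how far the skew would have to be widened to paper over that, which is also how long a captured Response would remain acceptable to this check.

```python
"""Model of the issue-time check behind the exception in the question.

Added example, not Spring SAML's own code. It mirrors the rule enforced by
WebSSOProfileConsumerImpl: a Response whose IssueInstant is more than
`skew` seconds before or after the SP's clock is rejected with
"Response issue time is either too old or with date in the future, skew 60".
IssueInstant values are compared as instants, so an IdP in another time zone
passes as long as its clock is correct; only a real clock offset fails.
"""
import math
from datetime import datetime, timedelta, timezone

# Constructed SP clock, 21 s after the IssueInstant from the stack trace.
SP_NOW = datetime(2015, 6, 11, 9, 28, 10, tzinfo=timezone.utc)


def parse_issue_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime IssueInstant into an aware UTC datetime.

    Accepts the 'Z' suffix and explicit offsets such as +05:30; rejects
    a naive timestamp instead of silently assuming the SP's local zone.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError(f"IssueInstant has no time zone: {value!r}")
    return parsed.astimezone(timezone.utc)


def is_valid_issue_instant(value: str) -> bool:
    """True when the value parses as a zone-aware SAML IssueInstant."""
    try:
        parse_issue_instant(value)
    except ValueError:
        return False
    return True


def issue_time_within_skew(issue_instant: str, now: datetime, skew_seconds: int) -> bool:
    """True when IssueInstant lies inside [now - skew, now + skew]."""
    issued = parse_issue_instant(issue_instant)
    window = timedelta(seconds=skew_seconds)
    return now - window <= issued <= now + window


def required_skew_seconds(issue_instant: str, now: datetime) -> int:
    """Smallest responseSkew (whole seconds) that would accept this response.

    This is also how long a captured Response would stay acceptable to the
    issue-time check if the skew were widened that far.
    """
    delta = abs((now - parse_issue_instant(issue_instant)).total_seconds())
    return math.ceil(delta)


if __name__ == "__main__":
    # Constructed timestamps: the one from the trace, the same instant written
    # with an IST offset, an IdP that stamps local time as 'Z', and an IdP
    # whose clock runs 110 s ahead of the SP.
    cases = {
        "trace, UTC": "2015-06-11T09:27:49.000Z",
        "same instant, +05:30": "2015-06-11T14:57:49.000+05:30",
        "IdP clock 5.5 h wrong": "2015-06-11T14:57:49.000Z",
        "IdP clock 110 s ahead": "2015-06-11T09:30:00.000Z",
    }
    for label, stamp in cases.items():
        ok = issue_time_within_skew(stamp, SP_NOW, 60)
        print(f"{label:24} {stamp:32} skew 60 -> {'accept' if ok else 'reject':6}"
              f" (needs responseSkew >= {required_skew_seconds(stamp, SP_NOW)} s)")
```

The practical conclusion: a time zone difference on its own does not trigger this exception, because IssueInstant is an absolute instant; when the check fails by roughly your UTC offset, one side's clock is set to local time while claiming UTC, and the fix is to correct and NTP-sync the clocks, keeping `responseSkew` at a small value, rather than opening the window to hours.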