Posted to users@cxf.apache.org by jeffc <je...@bcbsil.com> on 2014/10/04 01:02:29 UTC

SamlAssertionValidator SAML Token condition (Not On Or After) not met

I am running into an issue with service-side WS-Security for SAML tokens.

I am getting this error:
org.apache.ws.security.WSSecurityException: General security error (SAML
token security failure)
	at
org.apache.ws.security.validate.SamlAssertionValidator.checkConditions(SamlAssertionValidator.java:157)

But the only real info I get as to what the error might be is this DEBUG log:

2014-10-03 15:28:31,490 [WebContainer : 0]
org.apache.ws.security.validate.SamlAssertionValidator.checkConditions(SamlAssertionValidator.java:156)
 DEBUG : SAML Token condition (Not On Or After) not met

However, if I look at the Issue time of the SAML assertion and at its (Not On Or
After) SAML conditions, it still falls between these SAML conditions (see
SAML assertion below).  So what could be causing this error? It certainly
seems that it should not be failing any (Not On Or After) check, as 20:08 is
certainly within 20:06 to 20:13.

SAML Assertion:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="SamlAssertion-7f299a8374127abc6f5ca966bf50d525"
IssueInstant="2014-10-03T20:08:33.564Z" Version="2.0">
<saml2:Issuer>https://mysts/endpoint1</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="">jeffc</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2014-10-03T20:06:33.565Z"
NotOnOrAfter="2014-10-03T20:13:33.565Z"></saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="cn"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>cn=EVENT_TAB,ou=Admin,ou=Authorities,ou=MyApp1,ou=Services,o=LDAP</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2014-10-03T20:08:33.564Z">
<saml2:SubjectLocality Address="10.134.99.99"></saml2:SubjectLocality>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>

--
View this message in context: http://cxf.547215.n5.nabble.com/SamlAssertionValidator-SAML-Token-condition-Not-On-Or-After-not-met-tp5749413.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SamlAssertionValidator SAML Token condition (Not On Or After) not met

Posted by Colm O hEigeartaigh <co...@apache.org>.
> I still do not get the error though as it is "After" since the Issue time
> in SAML token shows 20:08 and the conditions had the on or after condition
> set as 20:06

No, the "NotBefore" time in the Assertion is "20:06". The "NotOnOrAfter"
time is "20:13:33". The local time of the server, according to the logging,
was "15:28:31". Assuming a 5 hour time difference, the token is expired by
15 minutes when it hits the server.

Colm.

On Mon, Oct 6, 2014 at 5:26 PM, jeffc <je...@bcbsil.com> wrote:

> That "*" was an issue from when I tried to use nabble's message HTML
> formats
> for bold to highlight the times in the pasted XML.  But it did not work in
> XML so I removed nabble ** formatting but must have missed a spot.
>
> I still do not get the error though as it is "After" since the Issue time
> in
> SAML token shows 20:08 and the conditions had the on or after condition set
> as 20:06
>
> I had the admins verify the time synchronization between our STS server and
> the applications server on which the service resides and they are in sync.
> So why are we seeing this error and what are the options to resolve?

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
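A worked illustration of the comparison Colm describes, added here as an example; it is not from the thread and not CXF or WSS4J code. It parses the Conditions element from the assertion posted above and applies the NotBefore/NotOnOrAfter check against a supplied clock, first using the IssueInstant (the comparison jeffc made) and then using the server's logged local time converted to UTC (the comparison the validator actually makes). Assumptions: the service host runs at UTC-5, as Colm assumed; the 60-second NotBefore skew allowance is an invented value for the example, not a documented CXF default; the "Not Before" failure text is modelled on the DEBUG line quoted in the thread.

```python
"""Added example (not from the thread and not CXF/WSS4J code): apply a
SAML 2.0 <Conditions> NotBefore / NotOnOrAfter check the way a validator
does, against the receiving server's clock in UTC, to show why the
assertion above is rejected at 15:28 local time even though its
IssueInstant sits inside the window."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the Assertion from the thread, trimmed to the parts
# the check needs, with the Conditions attributes as the poster intended.
ASSERTION_XML = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="SamlAssertion-7f299a8374127abc6f5ca966bf50d525"
  IssueInstant="2014-10-03T20:08:33.564Z" Version="2.0">
  <saml2:Issuer>https://mysts/endpoint1</saml2:Issuer>
  <saml2:Conditions NotBefore="2014-10-03T20:06:33.565Z"
    NotOnOrAfter="2014-10-03T20:13:33.565Z"/>
</saml2:Assertion>"""


def parse_saml_instant(value):
    """Parse an xs:dateTime from SAML. The trailing 'Z' means UTC; a value
    with no zone designator is rejected rather than guessed at, because
    comparing it to a local wall clock is exactly the mix-up that produces
    confusing 'Not On Or After' failures."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML dateTime without timezone: %r" % value)
    return parsed.astimezone(timezone.utc)


def check_conditions(assertion_xml, now, future_ttl=timedelta(seconds=60)):
    """Return (ok, reason). 'now' must be timezone-aware; it is the moment
    the validator runs, NOT the assertion's IssueInstant. future_ttl is a
    small skew allowance applied to NotBefore only (an assumed value for
    this example, not a documented CXF/WSS4J default)."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime; naive local time is ambiguous")
    now_utc = now.astimezone(timezone.utc)
    conditions = ET.fromstring(assertion_xml).find("{%s}Conditions" % SAML2_NS)
    if conditions is None:
        return True, "no Conditions element to check"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None and parse_saml_instant(not_before) > now_utc + future_ttl:
        # Message text modelled on the DEBUG line in the thread.
        return False, "SAML Token condition (Not Before) not met"
    # NotOnOrAfter is exclusive: a token presented exactly at that instant is expired.
    if not_on_or_after is not None and parse_saml_instant(not_on_or_after) <= now_utc:
        return False, "SAML Token condition (Not On Or After) not met"
    return True, "conditions satisfied"


def seconds_past_expiry(assertion_xml, now):
    """How far past NotOnOrAfter 'now' is (negative while still valid)."""
    conditions = ET.fromstring(assertion_xml).find("{%s}Conditions" % SAML2_NS)
    expiry = parse_saml_instant(conditions.get("NotOnOrAfter"))
    return (now.astimezone(timezone.utc) - expiry).total_seconds()


def thread_scenarios():
    """The two comparisons made in the thread. Assumption (Colm's): the
    service host's local clock is UTC-5, so the logged 15:28:31 is 20:28:31Z."""
    issue_instant = parse_saml_instant("2014-10-03T20:08:33.564Z")
    server_local = datetime(2014, 10, 3, 15, 28, 31,
                            tzinfo=timezone(timedelta(hours=-5)))
    return {
        # What the poster compared: IssueInstant against the window. Passes.
        "issue_instant_vs_window": check_conditions(ASSERTION_XML, issue_instant),
        # What the validator compares: the server's clock, in UTC. Fails.
        "server_clock_vs_window": check_conditions(ASSERTION_XML, server_local),
        "seconds_past_expiry": seconds_past_expiry(ASSERTION_XML, server_local),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print("%-25s %s" % (name, result))
```

Run it as a script to print the three results. The point the thread turns on: the window is compared to the validator's own clock at the moment the message is checked, not to IssueInstant, and that comparison is done in UTC, so a log line stamped in local time has to be converted before you can tell whether the token was still inside the window. With the UTC-5 assumption the server clock sits about 897 seconds past NotOnOrAfter, the "15 minutes" Colm mentions.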

Re: SamlAssertionValidator SAML Token condition (Not On Or After) not met

Posted by jeffc <je...@bcbsil.com>.
That "*" was an issue from when I tried to use Nabble's message HTML formats
for bold to highlight the times in the pasted XML.  But it did not work in
XML, so I removed the Nabble ** formatting but must have missed a spot.

I still do not get the error though, as it is "After" since the Issue time in
the SAML token shows 20:08 and the conditions had the on or after condition set
as 20:06.

I had the admins verify the time synchronization between our STS server and
the applications server on which the service resides and they are in sync. 
So why are we seeing this error and what are the options to resolve?


Re: SamlAssertionValidator SAML Token condition (Not On Or After) not met

Posted by Colm O hEigeartaigh <co...@apache.org>.
The error is that the "NotOnOrAfter" time is "before" the current time:

> 2014-10-03 15:28:31,490 [WebContainer : 0]
> NotOnOrAfter=&quot;2014-10-03T&lt;b>20:13*:33.565Z"

Assuming a 5 hour time difference to UTC, the NotOnOrAfter time is 20:13
(not sure what the "*" is above) and the current time in UTC is 20:28.

Colm.


On Sat, Oct 4, 2014 at 12:06 AM, jeffc <je...@bcbsil.com> wrote:

> Forgot to mention, I am using CXF version 2.7.11


Re: SamlAssertionValidator SAML Token condition (Not On Or After) not met

Posted by jeffc <je...@bcbsil.com>.
Forgot to mention, I am using CXF version 2.7.11