org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue instant is too old or in the future


Sean Day

Nov 25, 2020, 1:15:44 PM
to CAS Community
Hi,

I have CAS 6.2 configured to authenticate against Azure AD, I have some users that are getting an error:

org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue instant is too old or in the future

It seems to be browser/PC dependent; if they try a different PC it is OK. The assertion seems to be very old in some cases (months old). It only seems to affect CAS-based SAML logins though; authenticating against Azure AD directly, for O365 for example, works as expected.

I know I can work around this by increasing the setting, but does anyone know why I would need to? I already have it set for about 3 months and need to increase it further, and I am guessing I would have to do this again in the future if I cannot find the cause.

Thanks

Sean

Ray Bon

Nov 25, 2020, 1:37:43 PM
to cas-...@apereo.org
Sean,

This looks like your clock is incorrect.
Use a tool like samltracer to see what is being passed.

You do not want to have large lifetime windows on authentication responses, to limit replay attacks.

Ray

On Wed, 2020-11-25 at 10:15 -0800, Sean Day wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Sean Day

Nov 25, 2020, 3:20:22 PM
to CAS Community, Ray Bon
Hi Ray,

Thanks for the quick response. I have had the users check the time on their PCs, and I have checked the CAS server; all seem to be in sync. Also, the users have noticed that if they use a different browser they can log in; I have had users switch from Chrome to Firefox on the same PC and they can log in.

I have tried getting them to clear their browser cache, but they still experience the same issue.

I have found some similar issues with Azure AD and pac4j here: https://groups.google.com/g/pac4j-users/c/G4Cn5j0XDm4, where the user set the max auth lifetime really high but again was advised this is not a good idea. I will keep investigating.

Thanks

Sean

Filipe Ribeiro

Jul 5, 2022, 6:50:30 AM
to CAS Community, Sean Day, Ray Bon
Hello Sean,

Have you found something else?
I'm facing this problem as well.
The Azure AccessTokenLifetime is set to 90 days (+/- 5 minutes) and my maximumAuthenticationLifetime is set to 7776000. However, 90 days after I set that property, some users are not able to log in using CAS.
How did you solve it?

Best Regards,
Filipe
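To make the failure in this thread concrete, here is an added example (not pac4j's or CAS's code) that runs the service-provider-side AuthnInstant window check over a constructed assertion whose AuthnInstant is months older than its IssueInstant, which is the symptom Sean and Filipe describe. The window rule (reject if older than now minus max lifetime minus skew, or later than now plus skew), the sample XML, the tenant id and the timestamps are all assumptions constructed for the example; the 7776000-second window is Filipe's value from the post above.

```python
"""Reproduce the SP-side AuthnInstant lifetime check on a SAML assertion.
Added example, not pac4j code; the window logic (reject if older than
now - max_lifetime - skew, or later than now + skew) is stated as an assumption.
A real SP verifies the assertion signature before trusting any attribute."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real Azure AD response).  AuthnInstant is months
# before IssueInstant: the IdP reused an old session instead of prompting.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" IssueInstant="2020-11-25T18:15:44Z" Version="2.0">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2020-07-02T09:03:10Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fraction)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_authn_instant(assertion_xml: str, max_lifetime_s: int,
                        skew_s: int, now: datetime) -> tuple:
    """Return (verdict, age_s); verdict is ok/too_old/in_future/missing."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        return "missing", 0
    instant = parse_instant(stmt.get("AuthnInstant"))
    age_s = int((now - instant).total_seconds())   # how old the login really is
    if instant > now + timedelta(seconds=skew_s):
        return "in_future", age_s                    # SP or IdP clock is wrong
    if instant < now - timedelta(seconds=max_lifetime_s + skew_s):
        return "too_old", age_s                      # pac4j's "too old" branch
    return "ok", age_s


if __name__ == "__main__":
    now = parse_instant("2020-11-25T18:15:44Z")  # time the SP received it
    for window in (3600, 7776000):               # 1 hour vs Filipe's 90 days
        verdict, age_s = check_authn_instant(SAMPLE_ASSERTION, window, 300, now)
        print(f"window={window}s verdict={verdict} age={age_s // 86400} days")
```

The printed age shows why widening the window only postpones the error: the assertion carries the time of the original IdP session, so the fix is on the IdP/browser session side (or in comparing what SAML-tracer shows across the two browsers), not in the lifetime setting.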