Hello Cas users,
I am struggling to adjust the NotBefore/NotOnOrAfter in the SAMLResponse. CAS version is 5.0.5.
It shows NotBefore and NotOnOrAfter are the same.
Because of it, our counterpart SP spits out the following error.
Exception details:
System.Xml.XmlException: ID4125: An error occurred reading XML data. ---> System.ArgumentException: ID4116: NotBefore must be earlier than NotOnOrAfter.
Parameter name: value
I tried to manipulate it by changing the following cas.properties. However, I have had no luck changing them. Please let me know if you have any good solutions.
cas.samlCore.skewAllowance=60
cas.authn.samlIdp.response.skewAllowance=60
cas.authn.samlIdp.response.signError=false
2017-06-26 13:42:04,892 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml2.core.impl.ResponseImpl]
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" ID="_2338965460137167800" IssueInstant="2017-06-26T17:42:04.866Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://cas.example.org/idp</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7035195026768023951" IssueInstant="2017-06-26T17:42:04.856Z" Version="2.0">
    <saml2:Issuer>https://cas.example.org/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">example</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="id-0cf17c5c-aaec-4ac2-bbf0-e5a8aa7ca757" NotOnOrAfter="2017-06-26T17:42:04.834Z"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-06-26T17:42:04.866Z" NotOnOrAfter="2017-06-26T17:42:04.866Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://fs.ultiproworkplace.com/adfs/services/trust</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2017-06-26T17:42:04.834Z">
      <saml2:SubjectLocality Address="http://fs.ultiproworkplace.com/adfs/services/trust"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod" Name="samlAuthenticationStatementAuthMethod">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="LdapAuthenticationHandler.dn" Name="LdapAuthenticationHandler.dn">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">exa...@example.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">2017-06-26T13:42:04.518-04:00[America/New_York]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed" Name="longTermAuthenticationRequestTokenUsed">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>>
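To make the SP's complaint concrete, here is an added example (editor's code, not part of the post, CAS or ADFS) of the checks a relying party runs on an assertion's Conditions before accepting it. The sample response is a constructed, trimmed copy of the one logged above; the 60-second skew, the 5-minute lifetime and the set_validity_window helper are illustrative assumptions, not CAS settings. The point it demonstrates: the ordering check NotBefore < NotOnOrAfter is structural and is applied before any clock-skew allowance, so an assertion whose window is empty is rejected no matter how large the skew is, and only a later NotOnOrAfter makes it pass.

```python
"""SP-side validation of a SAML 2.0 assertion's time window and audience.

Added example, not CAS or ADFS code. Mirrors the order a strict relying
party applies: the window must be non-empty (the ID4116 condition from the
post) before clock skew is considered at all.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():  # keep the prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Constructed sample: trimmed copy of the response logged in the post
# (Status and AttributeStatement dropped). NotBefore == NotOnOrAfter, as logged.
BROKEN_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2338965460137167800" IssueInstant="2017-06-26T17:42:04.866Z" Version="2.0">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7035195026768023951" IssueInstant="2017-06-26T17:42:04.856Z" Version="2.0">
    <saml2:Issuer>https://cas.example.org/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>example</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="id-0cf17c5c-aaec-4ac2-bbf0-e5a8aa7ca757" NotOnOrAfter="2017-06-26T17:42:04.834Z"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-06-26T17:42:04.866Z" NotOnOrAfter="2017-06-26T17:42:04.866Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://fs.ultiproworkplace.com/adfs/services/trust</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

EXPECTED_AUDIENCE = "http://fs.ultiproworkplace.com/adfs/services/trust"


def parse_instant(value: str) -> datetime:
    """Parse a SAML UTC dateTime, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML instant: {value!r}")


def format_instant(value: datetime) -> str:
    """Serialise as UTC with millisecond precision, matching the IdP's style."""
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def validate_assertion(xml_text: str, now: datetime, expected_audience: str,
                       skew_seconds: int = 60) -> list[str]:
    """Return the list of validation failures; an empty list means accepted."""
    errors: list[str] = []
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    conditions = assertion.find("saml2:Conditions", NS)
    if conditions is None:
        return ["no Conditions element"]

    nb_raw, noa_raw = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    not_before = parse_instant(nb_raw) if nb_raw else None
    not_on_or_after = parse_instant(noa_raw) if noa_raw else None

    # Structural check, independent of skew: an empty or inverted window is
    # rejected outright. This is the failure the post's SP reports as ID4116.
    if not_before and not_on_or_after and not not_before < not_on_or_after:
        return ["NotBefore must be earlier than NotOnOrAfter"]

    # Time window, with skew applied in the direction that favours acceptance.
    if not_before and now + skew < not_before:
        errors.append("assertion not yet valid")
    if not_on_or_after and now - skew >= not_on_or_after:
        errors.append("assertion expired")

    # Audience restriction: if one is present, this SP must be listed.
    audiences = [a.text for a in conditions.findall(
        "saml2:AudienceRestriction/saml2:Audience", NS)]
    if audiences and expected_audience not in audiences:
        errors.append("audience mismatch")

    # Bearer confirmations carry their own NotOnOrAfter, checked separately.
    for scd in assertion.findall(
            "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS):
        limit = scd.get("NotOnOrAfter")
        if limit and now - skew >= parse_instant(limit):
            errors.append("SubjectConfirmationData expired")
    return errors


def set_validity_window(xml_text: str, lifetime_seconds: int) -> str:
    """Hypothetical fix-up (not a CAS setting): return a copy of the response
    whose Conditions/NotOnOrAfter is NotBefore + lifetime_seconds."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml2:Assertion/saml2:Conditions", NS)
    not_before = parse_instant(conditions.get("NotBefore"))
    conditions.set("NotOnOrAfter",
                   format_instant(not_before + timedelta(seconds=lifetime_seconds)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    now = parse_instant("2017-06-26T17:42:05.000Z")  # 134 ms after issuance
    print("as logged:", validate_assertion(BROKEN_RESPONSE, now, EXPECTED_AUDIENCE))
    fixed = set_validity_window(BROKEN_RESPONSE, 300)
    print("with 5-minute window:", validate_assertion(fixed, now, EXPECTED_AUDIENCE))
```

Run against the logged timestamps, the first call fails on the ordering check alone, and it keeps failing for any skew value because that branch returns before skew is consulted; after set_validity_window gives the assertion a five-minute window, the same validator accepts it. That is why the IdP-side skewAllowance properties in the post are the wrong knob for this symptom: what the SP needs is a later Conditions/NotOnOrAfter in the assertion itself.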