CAS 5.0.5 SAML Response - how to adjust NotBefore / NotOnOrAfter

255 views
Skip to first unread message

Song, Doe-Hyun

unread,
Jun 27, 2017, 2:49:51 PM6/27/17
to CAS Community

Hello Cas users,

 

I am struggling to adjust my NotBefore/NotOnOrAfter from SAMLResponse. CAS version is 5.0.5

 

It shows NotBefore and NotOnOrAfter are same.

 

Because of it, our counterpart SP spits the following error.

Exception details:

System.Xml.XmlException: ID4125: An error occurred reading XML data. ---> System.ArgumentException: ID4116: NotBefore must be earlier than NotOnOrAfter.

Parameter name: value

 

 

I tried to manipulate it by changing the following cas.properties. However, I have no luck to change them. Please let me know if you have any good solutions.

cas.samlCore.skewAllowance=60

 

cas.authn.samlIdp.response.skewAllowance=60

cas.authn.samlIdp.response.signError=false

 

2017-06-26 13:42:04,892 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml2.core.impl.ResponseImpl]

<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" ID="_2338965460137167800" IssueInstant="2017-06-26T17:42:04.866Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://cas.example.org/idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7035195026768023951" IssueInstant="2017-06-26T17:42:04.856Z" Version="2.0"><saml2:Issuer>https://cas.example.org/idp</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">example</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="id-0cf17c5c-aaec-4ac2-bbf0-e5a8aa7ca757" NotOnOrAfter="2017-06-26T17:42:04.834Z"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-06-26T17:42:04.866Z" NotOnOrAfter="2017-06-26T17:42:04.866Z"><saml2:AudienceRestriction><saml2:Audience>http://fs.ultiproworkplace.com/adfs/services/trust</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-06-26T17:42:04.834Z"><saml2:SubjectLocality Address="http://fs.ultiproworkplace.com/adfs/services/trust"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod" Name="samlAuthenticationStatementAuthMethod"><saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="LdapAuthenticationHandler.dn" Name="LdapAuthenticationHandler.dn"><saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">exa...@example.org</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin"><saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate"><saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">2017-06-26T13:42:04.518-04:00[America/New_York]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod"><saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers"><saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">LdapAuthenticationHandler</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed" Name="longTermAuthenticationRequestTokenUsed"><saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>>

 

 

 


The information contained in this e-mail and any attachments is confidential and
intended only for the recipient. If you are not the intended recipient, the
information contained in this message may not be used, copied, or forwarded to
third parties or otherwise distributed for any other purpose. Please notify the
sender if you received this e-mail in error and delete the e-mail and its
attachments promptly.  Nothing in this e-mail may be used or deemed to form the
basis of a contractual or any other legally binding obligation unless separately
confirmed in writing by an authorized representative of ARMADA.
Reply all
Reply to author
Forward
0 new messages