[Shib-Users] Shibboleth sso - Message was rejected due to, issue instant expiration


Philip Brusten

Dec 15, 2010, 11:12:04 AM12/15/10
to shibbole...@internet2.edu
Hi,

we've upgraded to Shibboleth IdP 2.1.5.
Since our upgrade we're seeing message expiration messages.

17:00:21.340 - WARN [org.opensaml.common.binding.security.IssueInstantRule:107] - Message was expired: message issue time was '2010-06-30T15:21:38.000Z', message expired at: '2010-07-04T19:21:38.000Z', current time: '2010-12-15T17:00:21.340+01:00'
17:00:21.341 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:225] - Shibboleth SSO request does not meet security requirements: Message was rejected due to issue instant expiration


However, the IdP and SPs we communicate with are synchronised with NTP.

We're also logging the PROTOCOL_MESSAGE logging to see the SAML requests
and responses, both their IssueInstants are correct.

Is there a way to temporarily disable this security feature?
Where is this coming from?!

Regards,

Philip

Philip Brusten

Dec 15, 2010, 11:14:11 AM12/15/10
to shibbole...@internet2.edu
Sorry, don't think it matters, but it's IdP v2.2

Cantor, Scott E.

Dec 15, 2010, 11:18:32 AM12/15/10
to shibbole...@internet2.edu
> We're also logging the PROTOCOL_MESSAGE logging to see the SAML
> requests and responses, both their IssueInstants are correct.

The one you posted was stale, obviously.

They're most likely bookmarks. I was able to get most of what I needed to deal with this by using a custom error template and checking for the exception message. When I see that particular case, I display my "you're using a bookmark message".

> Is there a way to temporarily disable this security feature?

Pull the policy rule? The result will be that people will scream later, as soon as you're forced to move your endpoints for some reason. I prefer them to feel the pain immediately and often until they stop bookmarking, and that's been very successful here.

-- Scott
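To make the check and the diagnosis concrete, here is a small Python model of the rule behind the WARN line quoted above, together with the classification a custom error page could use to tell a long-stale (bookmarked) request apart from a genuine clock problem. This is an added illustration written for this thread, not OpenSAML or Shibboleth code; the parameter names clock_skew, expires and stale_after are assumptions, and the only real values are the three timestamps copied from the logged message (from which the 100-hour validity window is derived).

```python
from datetime import datetime, timedelta

# Constructed sample input: the three timestamps from the WARN line in the thread.
LOGGED_ISSUE_INSTANT = "2010-06-30T15:21:38.000Z"
LOGGED_EXPIRED_AT = "2010-07-04T19:21:38.000Z"
LOGGED_NOW = "2010-12-15T17:00:21.340+01:00"


def parse_instant(text):
    """Parse an xsd:dateTime as it appears in SAML IssueInstant attributes and IdP logs.

    A trailing 'Z' means UTC; an explicit offset such as +01:00 is kept, so the
    resulting datetimes are timezone-aware and compare correctly across zones.
    """
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def check_issue_instant(issue_instant, now,
                        clock_skew=timedelta(seconds=180),
                        expires=timedelta(seconds=300)):
    """Model of an issue-instant rule (assumed parameters, not the product's defaults).

    Returns (status, expiration). The message is rejected if its IssueInstant lies
    further in the future than the tolerated clock skew, or if it is older than
    skew + validity window; otherwise it is accepted.
    """
    latest_valid = now + clock_skew
    expiration = issue_instant + clock_skew + expires
    if issue_instant > latest_valid:
        return "not_yet_valid", expiration
    if expiration < now:
        return "expired", expiration
    return "ok", expiration


def classify_failure(status, issue_instant, now, stale_after=timedelta(hours=1)):
    """Decide what a custom error template should show (assumed threshold).

    A request that is hours or months old is almost certainly a bookmarked
    request URL; a failure within a small margin points at clock drift instead.
    """
    if status == "ok":
        return "accept"
    age = now - issue_instant
    if status == "expired" and age > stale_after:
        return "stale_bookmark"
    return "clock_problem"


def window_from_log():
    """Derive the validity window the IdP applied from the logged expiry and issue times."""
    return parse_instant(LOGGED_EXPIRED_AT) - parse_instant(LOGGED_ISSUE_INSTANT)


def evaluate_logged_message():
    """Replay the logged case: a June request arriving in December is expired and stale."""
    issue = parse_instant(LOGGED_ISSUE_INSTANT)
    now = parse_instant(LOGGED_NOW)
    status, expiration = check_issue_instant(
        issue, now, clock_skew=timedelta(0), expires=window_from_log())
    return status, expiration, classify_failure(status, issue, now)


if __name__ == "__main__":
    status, expiration, verdict = evaluate_logged_message()
    print(f"status={status} expired_at={expiration.isoformat()} verdict={verdict}")
```

Running it reproduces the logged expiry instant and labels the request a stale bookmark; the same classify_failure verdict is what an error template can key on, while a "clock_problem" result is the case where NTP synchronisation is actually worth re-checking.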

Philip Brusten

Dec 15, 2010, 11:29:07 AM12/15/10
to shibbole...@internet2.edu
On 15-12-2010 17:18, Cantor, Scott E. wrote:
>> We're also logging the PROTOCOL_MESSAGE logging to see the SAML
>> requests and responses, both their IssueInstants are correct.
> The one you posted was stale, obviously.
>
> They're most likely bookmarks. I was able to get most of what I needed to deal with this by using a custom error template and checking for the exception message. When I see that particular case, I display my "you're using a bookmark message".
>
Is there a logical explanation for this?
Anyway I'll make a custom error page that'll catch this error.

>> Is there a way to temporarily disable this security feature?
> Pull the policy rule? The result will be that people will scream later, as soon as you're forced to move your endpoints for some reason. I prefer them to feel the pain immediately and often until they stop bookmarking, and that's been very successful here.
Thanks for the quick response!

Cantor, Scott E.

Dec 15, 2010, 11:47:30 AM12/15/10
to shibbole...@internet2.edu
> Is there a logical explanation for this?

For bookmarks? Yes, people end up on a page with the request parameters on it, and they bookmark that instead of the actual resource they wanted. With the new IdP, it seems less common because it drops the parameters very quickly, but I'm not running it in production yet, so I'm not as familiar with the cases. With the old IdP, my login form literally had whatever came from the SP on the URL, so it was easy to end up with people bookmarking it.

-- Scott
