SAML authentication fails when the clocks on the client system and the BPM runtime are not in sync.
Article ID: KB0094071
Updated On:
| Products | Versions |
|---|---|
| TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM) | - |
| Not Applicable | - |
Description
Description:
When a SAML assertion contains conditions limiting the validity period of the request, the authentication fails due to the unexpected expiry of the the assertion when the clocks on the client system and BPM runtime are not in sync.
Error would look like the following.
04 Jan 2016 15:59:15,147 [httpConnector_28 - /amxbpm/EntityResolverService] [DEBUG] org.apache.xml.security.utils.DigesterOutputStream - <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="764BBEDA-1936-48B0-AF97-D7E2BBE88EB1" IssueInstant="2016-01-04T14:59:15.156Z" Version="2.0"><saml2:Issuer>BS</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName"></saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2016-01-04T14:59:15.156Z" NotOnOrAfter="2016-01-04T15:19:15.156Z"></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2016-01-04T14:59:15.156Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>
Symptoms:
The SAML authentication fails irrespective of the correct credentials.
Cause:
The clocks between the client system and BPM runtime are not in sync.
When a SAML assertion contains conditions limiting the validity period of the request, the authentication fails due to the unexpected expiry of the the assertion when the clocks on the client system and BPM runtime are not in sync.
Error would look like the following.
04 Jan 2016 15:59:15,147 [httpConnector_28 - /amxbpm/EntityResolverService] [DEBUG] org.apache.xml.security.utils.DigesterOutputStream - <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="764BBEDA-1936-48B0-AF97-D7E2BBE88EB1" IssueInstant="2016-01-04T14:59:15.156Z" Version="2.0"><saml2:Issuer>BS</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName"></saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2016-01-04T14:59:15.156Z" NotOnOrAfter="2016-01-04T15:19:15.156Z"></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2016-01-04T14:59:15.156Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>
Symptoms:
The SAML authentication fails irrespective of the correct credentials.
Cause:
The clocks between the client system and BPM runtime are not in sync.
Issue/Introduction
SAML authentication fails when the clocks on the client system and the BPM runtime are not in sync.
Resolution
The timestamp parameter in the SAML request can be adjusted based on the clock delta between the client system and BPM runtime, which would lower the occurrence of the authentication failure due to time constraint condition.
Additional Information
https://docs.tibco.com/pub/amx-bpm/3.1.0/doc/html/bpmhelp/GUID-3DC56404-2FC4-4F05-A826-2AB052B5A7A5.html#GUID-3DC56404-2FC4-4F05-A826-2AB052B5A7A5
Feedback
Yes
No
Powered by
