Closed bilalbokharee closed 1 year ago
The complete log file, from server restart to the error, is attached: nexus.log
The discussion at https://groups.google.com/g/pac4j-users/c/G4Cn5j0XDm4/m/p8aBExSzBQAJ suggests that the IDP server may be set to a floating value for the session lifetime, in which case you can try to enable forced authorization (https://github.com/pac4j/pac4j/blob/master/documentation/docs/clients/saml.md#3-additional-configuration):
# Add to shiro.ini
saml2Config.forceAuth = true
saml2Config.passive = true
In any case, this is not a bug in the patch but incorrect settings (see the recommendation in https://github.com/a-langer/nexus-sso/issues/10).
Adding this config to shiro.ini to forcefully have the user authenticate every time the session expires works for me so far! Closing the issue.
I am using Okta SSO for login. The configuration for timeout on the side of Okta is 45 min of inactivity (and this cannot be changed from the admin side). I have defined 45 min (2700) as the value for saml2Config.maximumAuthenticationLifetime in shiro.ini. With these configurations, I still get Internal Server Error 500 on the UI (after the time has passed) and the following error in nexus.log:

2023-08-29 12:22:38,866+0000 ERROR [qtp84619637-109] *UNKNOWN org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator - Current assertion validation failed, continue with the next one org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue instant is too old or in the future
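To make the failing check concrete, here is an added example (not pac4j's code and not the reporter's) that models the AuthnInstant window behind this error: the assertion's AuthnInstant must fall within maximumAuthenticationLifetime (plus an accepted skew) of the current time, and an IdP that reuses its own SSO session keeps issuing assertions with the original login time as AuthnInstant. The exact window edges and skew handling are my approximation of the validator, and all timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone


def authn_instant_ok(authn_instant, now, max_lifetime_s, accepted_skew_s=0):
    """Approximation of the pac4j AuthnInstant check (assumption, not pac4j code).

    Accepts the instant only if it lies strictly inside the window
    (now - skew - max_lifetime, now + skew). Returns (ok, reason).
    """
    newest_allowed = now + timedelta(seconds=accepted_skew_s)
    oldest_allowed = now - timedelta(seconds=accepted_skew_s + max_lifetime_s)
    if authn_instant >= newest_allowed:
        return False, "in the future"
    if authn_instant <= oldest_allowed:
        return False, "too old"
    return True, "ok"


def simulate(idle_minutes, force_authn, max_lifetime_s=2700, accepted_skew_s=0):
    """Replay the reporter's scenario: 2700 s lifetime, user returns after idling.

    Without ForceAuthn the IdP keeps its (sliding) session alive and stamps the
    new assertion with the ORIGINAL login time; with ForceAuthn the user
    re-authenticates and the AuthnInstant is fresh.
    """
    login = datetime(2023, 8, 29, 11, 0, 0, tzinfo=timezone.utc)  # constructed
    now = login + timedelta(minutes=idle_minutes)
    if force_authn:
        # Fresh authentication; assertion issued a second before it is validated.
        authn_instant = now - timedelta(seconds=1)
    else:
        authn_instant = login
    return authn_instant_ok(authn_instant, now, max_lifetime_s, accepted_skew_s)


if __name__ == "__main__":
    for idle, force in [(30, False), (60, False), (60, True)]:
        ok, reason = simulate(idle, force)
        print(f"idle={idle}min forceAuthn={force}: {'accepted' if ok else 'rejected'} ({reason})")
```

With a 60-minute gap and no ForceAuthn the assertion is rejected as "too old", which is the SAMLAuthnInstantException path above; the same gap with ForceAuthn passes because the AuthnInstant is fresh.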