a-langer / nexus-sso

Single Sign-On patch for Nexus OSS
Eclipse Public License 1.0

Current assertion validation failed 3.70.0 #33

Open n3gativ3 opened 2 weeks ago

n3gativ3 commented 2 weeks ago

After upgrading to 3.70.0 I have an error with the assertion:

2024-10-31 07:56:18,563+0000 WARN [qtp1655628133-1428] UNKNOWN org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator - interval=3600,before=2024-10-31T08:01:18.563102Z,after=2024-10-31T06:51:18.563102Z,issueInstant=2024-10-31T06:44:57Z
2024-10-31 07:56:18,563+0000 ERROR [qtp1655628133-1428] UNKNOWN org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator - Current assertion validation failed, continue with the next one
org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue instant is too old or in the future

Time is synced on the Nexus host and Keycloak; issueInstant is always different:

2024-10-31 06:44:39,930+0000 WARN [qtp1655628133-1362] UNKNOWN org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator - interval=3600,before=2024-10-31T06:49:39.930659Z,after=2024-10-31T05:39:39.930659Z,issueInstant=2024-10-30T18:21:56Z
2024-10-31 06:44:39,931+0000 ERROR [qtp1655628133-1362] UNKNOWN org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator - Current assertion validation failed, continue with the next one
org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue instant is too old or in the future

What can that be? TZ is set to UTC.

a-langer commented 2 weeks ago

Hi, see https://github.com/a-langer/nexus-sso/issues/15#issuecomment-1770673453.

n3gativ3 commented 2 weeks ago

Still get the error. I tried different configurations for PAC4J_AUTHENTICATION_LIFETIME="21600", 7200 and more; also #11 forceAuth didn't help.

From an incognito window all works fine; when back to the default window I get the error. Also, when I press "check login" from the SP side, all works.
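To make the failing check concrete, here is an added Python example (mine, not code from this issue, from nexus-sso or from pac4j) that parses the two WARN lines quoted above and reconstructs the validity window the validator applied. The rule it implements, that the assertion's AuthnInstant must lie within [now - lifetime - skew, now + skew], is inferred from the logged before/after values rather than taken from pac4j's source, and the 300-second skew is derived from the window width (before - after = interval + 2 * skew); both are assumptions, as are the function names.

```python
import math
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: the two WARN lines quoted in this issue, verbatim.
LOG_LINES = [
    "2024-10-31 07:56:18,563+0000 WARN [qtp1655628133-1428] UNKNOWN "
    "org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator - interval=3600,"
    "before=2024-10-31T08:01:18.563102Z,after=2024-10-31T06:51:18.563102Z,"
    "issueInstant=2024-10-31T06:44:57Z",
    "2024-10-31 06:44:39,930+0000 WARN [qtp1655628133-1362] UNKNOWN "
    "org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator - interval=3600,"
    "before=2024-10-31T06:49:39.930659Z,after=2024-10-31T05:39:39.930659Z,"
    "issueInstant=2024-10-30T18:21:56Z",
]

FIELDS = re.compile(
    r"interval=(?P<interval>\d+),before=(?P<before>\S+),"
    r"after=(?P<after>\S+),issueInstant=(?P<issue>\S+)"
)


def parse_utc(s: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps from the log (fractional seconds optional)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_authn_instant(now: datetime, issue_instant: datetime,
                        lifetime_s: int, skew_s: int) -> str:
    """Window rule reconstructed from the logged values (an assumption, not pac4j's code):
    accepted iff  now - lifetime - skew <= AuthnInstant <= now + skew."""
    if issue_instant > now + timedelta(seconds=skew_s):
        return "in the future"
    if issue_instant < now - timedelta(seconds=lifetime_s + skew_s):
        return "too old"
    return "ok"


@dataclass
class WindowReport:
    interval_s: int          # maximumAuthenticationLifetime as logged ("interval=")
    skew_s: int              # derived: (before - after - interval) / 2
    now: datetime            # the validator's clock at check time: before - skew
    issue_instant: datetime  # AuthnInstant carried by the assertion
    verdict: str
    age_s: float             # how old the AuthnInstant was when validated
    lifetime_needed_s: int   # smallest lifetime that would have accepted it


def analyse(line: str) -> WindowReport:
    m = FIELDS.search(line)
    if m is None:
        raise ValueError("not a SAML2AuthnResponseValidator window line")
    interval = int(m["interval"])
    before, after, issue = (parse_utc(m[k]) for k in ("before", "after", "issue"))
    width = (before - after).total_seconds()
    skew = int((width - interval) / 2)
    now = before - timedelta(seconds=skew)
    age = (now - issue).total_seconds()
    return WindowReport(
        interval_s=interval, skew_s=skew, now=now, issue_instant=issue,
        verdict=check_authn_instant(now, issue, interval, skew),
        age_s=age, lifetime_needed_s=max(0, math.ceil(age - skew)),
    )


def verdict_with_lifetime(line: str, lifetime_s: int) -> str:
    """Re-run the same assertion against a different PAC4J_AUTHENTICATION_LIFETIME."""
    r = analyse(line)
    return check_authn_instant(r.now, r.issue_instant, lifetime_s, r.skew_s)


if __name__ == "__main__":
    for line in LOG_LINES:
        r = analyse(line)
        print(f"{r.verdict:8s} age={r.age_s:8.0f}s  needs lifetime >= {r.lifetime_needed_s}s "
              f"(logged interval={r.interval_s}s, skew={r.skew_s}s)")
        for lifetime in (7200, 21600):
            print(f"         with lifetime={lifetime}: {verdict_with_lifetime(line, lifetime)}")
```

Running it shows that the first AuthnInstant was about 71 minutes old when validated (a lifetime of roughly 3982 s would have accepted it), while the second was over 12 hours old and would need about 44264 s, so neither 7200 nor 21600 covers it. AuthnInstant is the time the user originally authenticated at the IdP, so an assertion issued from an existing Keycloak SSO session keeps carrying that original instant; raising the lifetime only helps until the session ages past the new limit.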

a-langer commented 2 weeks ago

From incognito window all works fine

This means that you have invalid cookies left in your browser from the first time you received the "Authentication issue instant is too old" error. You need to delete cookies for the IdP server domain. This can be done via the Keycloak Web interface (Sign out) or via the developer tools in the browser (F12). Please note that you need to delete the cookies for the IdP (Keycloak) domain name, not Nexus (you can delete that too if you wish).

This is partly described in SAML.md#debug:

It is better to perform each check in a new private browser window (or delete cookies for Nexus and IdP sites, which is quite difficult), otherwise the browser may remember invalid cookies and will not go to the login page, which in turn confuses and complicates diagnostics.