chrodriguez / redmine_omniauth_saml

Plugin that adds SAML authentication support for "Redmine"
GNU General Public License v2.0

Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is earlier than NotBefore condition #46

Open varenius opened 4 years ago

varenius commented 4 years ago

Hello, I am trying to configure Redmine to use this plugin with my university login service.

Environment:
  Redmine version                4.0.5.stable
  Ruby version                   2.5.5-p157 (2019-03-15) [x86_64-linux-gnu]
  Rails version                  5.2.3

I go to my redmine login page, then click the link to login with SAML, get to the University server and provide my details, and press enter. Then I get the message "Invalid saml_ticket". Looking in "/var/log/apache2/error.log" I see the following lines appear:

App 24371 stdout: I, [2020-01-26T10:39:22.407507 #24371]  INFO -- omniauth: (saml) Request phase initiated.
App 24371 stdout: I, [2020-01-26T10:39:22.511633 #24371]  INFO -- omniauth: (saml) Callback phase initiated.
App 24371 stdout: E, [2020-01-26T10:39:22.523927 #24371] ERROR -- omniauth: (saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is earlier than NotBefore condition

So, google to the rescue... According to "https://github.com/onelogin/ruby-saml#clock-drift" there is an option

To allow for a small amount of clock drift, you can initialize the response by passing in an option named :allowed_clock_drift.

I have tried to login many times, and sometimes I don't get this error, so I think the allowed time is just a bit too small. I would like to increase it to avoid this error. An example is given on the page, but I don't see how I can apply this to the redmine_omniauth_saml plugin. Could you please advise?

Kind regards
Eskil

varenius commented 4 years ago

This happened again, so trying to track this backwards to figure out where to add the allowed_clock_drift parameter to make it work.

Error seems raised by line 219 in vendor/bundle/ruby/2.5.0/gems/ruby-saml-0.9.4/lib/onelogin/ruby-saml/response.rb :

        if not_before && (now + (options[:allowed_clock_drift] || 0)) < not_before

For now, I'll just hack this temporarily to make it work, i.e. replace this line with

        if not_before && (now + 1.second + (options[:allowed_clock_drift] || 0)) < not_before

This is definitely not the proper place to add this, but it seems to work for now.
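The following is an added example, not code from redmine_omniauth_saml or ruby-saml. It reproduces the `<saml:Conditions>` time-window check that the quoted ruby-saml line performs (the NotBefore inequality, plus the matching NotOnOrAfter check on the other end of the window) together with the `:allowed_clock_drift` option from the ruby-saml README, so the failure in the log above can be reproduced offline. The module name `SamlConditionCheck`, the hash layout for the conditions, and all timestamps are constructed for the demonstration; the error strings are copied from the log line in this issue.

```ruby
require 'time'

# Added example, not code from redmine_omniauth_saml or ruby-saml.
# Reproduces the NotBefore / NotOnOrAfter check that ruby-saml applies to the
# <saml:Conditions> element, including the :allowed_clock_drift option quoted
# in the thread, so the failure mode (SP clock slightly behind the IdP) can be
# reproduced offline with constructed timestamps.
module SamlConditionCheck
  ValidationError = Class.new(StandardError)

  # Returns true when +now+ (a Time) lies inside the assertion's validity
  # window, widened on both ends by +allowed_clock_drift+ seconds.
  # Mirrors the inequality quoted from ruby-saml's response.rb:
  #   (now + drift) < not_before          -> too early
  #   (now - drift) >= not_on_or_after    -> too late
  def self.within_window?(now:, not_before: nil, not_on_or_after: nil, allowed_clock_drift: 0)
    drift = allowed_clock_drift.to_f
    if not_before && (now + drift) < not_before
      raise ValidationError, 'Current time is earlier than NotBefore condition'
    end
    if not_on_or_after && (now - drift) >= not_on_or_after
      raise ValidationError, 'Current time is on or after NotOnOrAfter condition'
    end
    true
  end

  # Convenience wrapper taking the ISO 8601 strings exactly as they appear in
  # the SAML <Conditions NotBefore="..." NotOnOrAfter="..."> attributes.
  def self.check(conditions, now:, allowed_clock_drift: 0)
    within_window?(
      now: now,
      not_before: conditions['NotBefore'] && Time.iso8601(conditions['NotBefore']),
      not_on_or_after: conditions['NotOnOrAfter'] && Time.iso8601(conditions['NotOnOrAfter']),
      allowed_clock_drift: allowed_clock_drift
    )
  end

  # Returns :ok or the validation message instead of raising.
  def self.outcome(conditions, now:, allowed_clock_drift: 0)
    check(conditions, now: now, allowed_clock_drift: allowed_clock_drift)
    :ok
  rescue ValidationError => e
    e.message
  end
end

# Constructed sample: the IdP stamps the assertion NotBefore 10:39:23 with a
# five-minute window, while the SP's clock reads 10:39:22.5 when the callback
# arrives, i.e. the SP is half a second behind the IdP.
CONDITIONS = {
  'NotBefore'    => '2020-01-26T10:39:23Z',
  'NotOnOrAfter' => '2020-01-26T10:44:23Z'
}.freeze
SP_NOW = Time.iso8601('2020-01-26T10:39:22Z') + 0.5

if __FILE__ == $PROGRAM_NAME
  # Half a second of skew with no tolerance: the NotBefore error from the log.
  puts SamlConditionCheck.outcome(CONDITIONS, now: SP_NOW)
  # A two-second tolerance absorbs the skew.
  puts SamlConditionCheck.outcome(CONDITIONS, now: SP_NOW, allowed_clock_drift: 2)
  # The same tolerance still rejects an assertion presented after the window.
  puts SamlConditionCheck.outcome(CONDITIONS, now: SP_NOW + 305, allowed_clock_drift: 2)
  # An oversized tolerance (10 minutes) accepts that same expired assertion.
  puts SamlConditionCheck.outcome(CONDITIONS, now: SP_NOW + 305, allowed_clock_drift: 600)
end
```

The last two calls show the trade-off a practitioner should weigh before raising the value: `:allowed_clock_drift` is applied symmetrically, so every second added to tolerate a slow SP clock also extends the time an already-expired assertion remains acceptable. Keep it to a few seconds, and treat the error as a prompt to check NTP on the Redmine host (and, if possible, the IdP) rather than to widen the window. In ruby-saml the option is passed in the options hash when the response object is initialized, as the README quoted above states; where the plugin lets you reach that hash is a separate question this example does not answer.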