[cisco-voip] [External] Error Processing SAML Response
Jonathan Charles
jonvoip at gmail.com
Fri Sep 17 18:21:53 EDT 2021
So, it looks like we were sending our auth requests to an F5 which was
sending the requests to two ADFS 2.0 servers... when they hit server 01,
everything was fine... when they hit server 2, they would error out about
30% of the time (hence the infrequency)... we rebooted server 2 and so far
all connections to server 2 are succeeding (not erroring out via SAML.. )...
We are monitoring but this appears to be just Windows being Windows.
Jonathan
On Fri, Sep 17, 2021 at 4:53 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
> Keep us updated on the outcome. This is a good learning experience for all
> of us.
>
> Sent from my iPhone
>
> On Sep 17, 2021, at 3:18 PM, Jonathan Charles <jonvoip at gmail.com> wrote:
>
> Thanks, let me try it...
>
> On Fri, Sep 17, 2021 at 10:23 AM Adam Pawlowski <ajp26 at buffalo.edu> wrote:
>
>> Ask whoever runs the IDP to add a skew or offset to the relationship that
>> you’re using.
>>
>> It is not feasible for the things to be exactly in sync to high precision
>> at all times, and this comes up using timing from VMWare, mixed sources etc.
>>
>> With ADFS the property is NotBeforeSkew, which you can give a minute or
>> whatever you’re comfortable with, which should alleviate this issue.
>>
>> Best,
>>
>> Adam Pawlowski
>>
>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Jonathan
>> Charles
>> *Sent:* Friday, September 17, 2021 9:00 AM
>> *To:* Kent Roberts <kent at fredf.org>
>> *Cc:* cisco-voip at puck.nether.net
>> *Subject:* Re: [cisco-voip] [External] Error Processing SAML Response
>>
>> The error message in the Cisco traces (SSO) is:
>>
>> 2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger -
>> SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:07:44
>> UTC 2021 *- this time is 17:07:44 CDT*
>>
>> 2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger -
>> SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44
>> UTC 2021 *- this time is 16:07:44 CDT*
>>
>> 2021-09-15 15:25:10,642 ERROR [http-nio-81-exec-10]
>> authentication.SAMLAuthenticator - Error while processing saml response The
>> time in the Assertion's Condition is invalid.
>> com.sun.identity.saml2.common.SAML2Exception: The time in the Assertion's
>> Condition is invalid.
>>
>> Basically what appears to be occurring is we get a NotBefore of 1 second
>> after our request came in (16:07:43) and it gets killed....
>>
>> The real question is what they need to do on the ADFS side to fix this...
>> why are they sending us a time in the future? The argument is NTP is off by
>> one second for one of the servers (all of them show synched)...
>>
>> Jonathan
>>
>> On Thu, Sep 16, 2021 at 8:29 PM Kent Roberts <kent at fredf.org> wrote:
>>
>> Oh, ok if I misunderstood then, yes a SAML trace would be good, as well
>> as knowing is this new or did it work. Seems similar to what I have seen
>> in UCCE with the packet stuff not signed or wrong encryption type… course
>> that's UCCE vs CUCM, but usually CUCM just works…
>>
>> On Sep 16, 2021, at 6:45 PM, Johnson, Tim <johns10t at cmich.edu> wrote:
>>
>> Nah, looks like he said logging into CCM Admin pages, with AD accounts,
>> so all areas of the web UI (I believe). The NTP errors that I’ve seen are
>> presented as SAML assertion errors.
>>
>> I’m curious if this is a new SSO config, or if it was working properly
>> and something’s changed.
>>
>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Kent
>> Roberts
>> *Sent:* Thursday, September 16, 2021 8:37 PM
>> *To:* Matthew Loraditch <MLoraditch at heliontechnologies.com>
>> *Cc:* cisco-voip at puck.nether.net
>> *Subject:* [External] Re: [cisco-voip] Error Processing SAML Response
>>
>> Remember he said it also was happening on the CUCM Admin account which
>> has nothing to do with SSO/SAML. So means it's most likely internal to
>> CUCM...
>>
>> On Sep 16, 2021, at 4:36 PM, Matthew Loraditch <
>> MLoraditch at heliontechnologies.com> wrote:
>>
>> The logs are pretty clear when it's a time difference as the error. I’ve
>> not seen it randomly occur but definitely the error will be it’s time and
>> may even show the difference.
>>
>> It's the 4j log file for SSO I believe
>>
>> *Matthew Loraditch*
>> *Sr. Network Engineer*
>> *(He/Him/His)*
>> p: *443.541.1518*
>> w: *www.heliontechnologies.com*
>> e: *MLoraditch at heliontechnologies.com*
>>
>> ------------------------------
>>
>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
>> Lelio Fulgenzi <lelio at uoguelph.ca>
>> *Sent:* Thursday, September 16, 2021 4:32:12 PM
>> *To:* Jonathan Charles <jonvoip at gmail.com>; Benjamin Turner <
>> benmturner at hotmail.com>
>> *Cc:* cisco-voip at puck.nether.net <cisco-voip at puck.nether.net>
>> *Subject:* Re: [cisco-voip] Error Processing SAML Response
>>
>> Have you been able to confirm the time difference?
>>
>> I’m not trying to take their side of things, but if it’s minutes off, I
>> wouldn’t doubt that’s possible. SSO is highly secure, right? A time
>> difference might be enough to throw it off?
>>
>> Here’s reference:
>>
>> https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907
>>
>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Jonathan
>> Charles
>> *Sent:* Thursday, September 16, 2021 6:23 PM
>> *To:* Benjamin Turner <benmturner at hotmail.com>
>> *Cc:* cisco-voip at puck.nether.net
>> *Subject:* Re: [cisco-voip] Error Processing SAML Response
>>
>> No... TBH, I have never heard of it...
>>
>> TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC
>> and ADFS...
>>
>> Jonathan
>>
>> On Thu, Sep 16, 2021 at 4:08 PM Benjamin Turner <benmturner at hotmail.com>
>> wrote:
>>
>> Have you tried to run a SAML Tracer?
>>
>> Sincerely,
>> Benjamin M. Turner
>> ------------------------------
>>
>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
>> Jonathan Charles <jonvoip at gmail.com>
>> *Sent:* Thursday, September 16, 2021 4:56:48 PM
>> *To:* cisco-voip at puck.nether.net <cisco-voip at puck.nether.net>
>> *Subject:* [cisco-voip] Error Processing SAML Response
>>
>> So, users are randomly getting the above error when logging into CUCM
>> UCMUser or CUC Inbox... we are also getting it using AD credentials into
>> admin pages for CUCM/CUC/etc.
>>
>> For a user, it will work fine repeatedly, then you will get the error,
>> close your browser, and reopen, still get the error for a few minutes. Then
>> later it will work. When a user is affected, other users work fine.
>>
>> TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP
>> (ADFS 2.0) is fine.
>>
>> Pings are around 1ms between servers.
>>
>> Any ideas?
>>
>> Jonathan
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>
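Editor's added example, not code from anyone in this thread and not Cisco's SAML2Utils: it replays the condition check that the CUCM trace quoted above failed. The assertion fragment is constructed, but its NotBefore (21:07:44 UTC) and NotOnOrAfter (22:07:44 UTC) are the values from the trace, and the "request time" is the trace line's own timestamp, 16:07:43 CDT = 21:07:43 UTC. With zero tolerance the assertion is rejected because NotBefore is one second in the future; with a one-minute tolerance it is accepted. The tolerance here is applied on the verifying side for illustration, whereas Adam's suggestion (NotBeforeSkew on the ADFS relying-party trust) gets the same effect by having the IdP backdate NotBefore.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not a capture from the thread). The two
# condition timestamps are the ones the CUCM trace in the thread printed:
# NotBefore 21:07:44 UTC, NotOnOrAfter 22:07:44 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2021-09-15T21:07:44Z">
  <saml:Conditions NotBefore="2021-09-15T21:07:44Z"
                   NotOnOrAfter="2021-09-15T22:07:44Z"/>
</saml:Assertion>"""

# The SP's clock when the trace line was written: 16:07:43 CDT = 21:07:43 UTC,
# one second *before* the assertion's NotBefore.
REQUEST_TIME = "2021-09-15T21:07:43Z"


def parse_saml_time(value):
    """Parse an xs:dateTime as SAML uses it (UTC, 'Z' suffix) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_conditions(assertion_xml, now_iso, skew_seconds=0):
    """Evaluate <saml:Conditions> against the SP clock `now_iso`.

    `skew_seconds` is the drift tolerance the verifier grants, applied on both
    ends: NotBefore may lie up to that far in the future, NotOnOrAfter up to
    that far in the past. Returns (accepted, reason).
    """
    now = parse_saml_time(now_iso)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "assertion carries no Conditions element"

    not_before = cond.get("NotBefore")
    if not_before is not None:
        nb = parse_saml_time(not_before)
        if now + skew < nb:
            ahead = int((nb - now).total_seconds())
            return False, f"NotBefore is {ahead}s in the future, tolerance is {skew_seconds}s"

    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None:
        noa = parse_saml_time(not_on_or_after)
        if now - skew >= noa:
            return False, "NotOnOrAfter has already passed"

    return True, "within validity window"


def run_demo():
    """Replay the thread's timings with no tolerance and with a one-minute one."""
    return {skew: check_conditions(SAMPLE_ASSERTION, REQUEST_TIME, skew)
            for skew in (0, 60)}


if __name__ == "__main__":
    for skew, (ok, why) in run_demo().items():
        print(f"skew={skew}s -> {'accepted' if ok else 'rejected'}: {why}")
```

The check is deliberately strict at zero tolerance because that is what the trace shows: a NotBefore one second ahead of the SP clock is enough to reject the assertion, and an intermittent rejection rate like the one in the thread is exactly what one out-of-step IdP node behind a load balancer produces. The quick detection is to compare the trace line's own timestamp with the NotBefore value printed on the same line, as Jonathan did; a tolerance hides the symptom and is reasonable to keep small, but the clock of the node that issued the future-dated assertion is the thing to fix.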