[cisco-voip] [External] Error Processing SAML Response

Jonathan Charles jonvoip at gmail.com
Mon Sep 20 14:40:48 EDT 2021


You know the rule, reboot three times.

On Fri, Sep 17, 2021 at 6:13 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

>
> Hey, that’s great news! A reboot as a solution is an inevitable possibility.
>
> Sent from my iPhone
>
> On Sep 17, 2021, at 6:22 PM, Jonathan Charles <jonvoip at gmail.com> wrote:
>
>
>
> CAUTION: This email originated from outside of the University of Guelph.
> Do not click links or open attachments unless you recognize the sender and
> know the content is safe. If in doubt, forward suspicious emails to
> IThelp at uoguelph.ca
>
> So, it looks like we were sending our auth requests to an F5 which was
> sending the requests to two ADFS 2.0 servers... when they hit server 01,
> everything was fine... when they hit server 2, they would error out about
> 30% of the time (hence the infrequency)... we rebooted server 2 and so far
> all connections to server 2 are succeeding (not erroring out via SAML..
> )...
>
> We are monitoring but this appears to be just Windows being Windows.
>
>
> Jonathan
>
> On Fri, Sep 17, 2021 at 4:53 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
>> Keep us updated on the outcome. This is a good learning experience for
>> all of us.
>>
>> Sent from my iPhone
>>
>> On Sep 17, 2021, at 3:18 PM, Jonathan Charles <jonvoip at gmail.com> wrote:
>>
>>
>> Thanks, let me try it...
>>
>> On Fri, Sep 17, 2021 at 10:23 AM Adam Pawlowski <ajp26 at buffalo.edu>
>> wrote:
>>
>>> Ask whoever runs the IDP to add a skew or offset to the relationship
>>> that you’re using.
>>>
>>>
>>>
>>> It is not feasible for the things to be exactly in sync to high
>>> precision at all times, and this comes up using timing from VMware, mixed
>>> sources, etc.
>>>
>>>
>>>
>>> With ADFS the property is NotBeforeSkew, which you can give a minute or
>>> whatever you’re comfortable with, which should alleviate this issue.
>>>
>>>
>>>
>>> Best,
>>>
>>>
>>>
>>> Adam Pawlowski
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Jonathan
>>> Charles
>>> *Sent:* Friday, September 17, 2021 9:00 AM
>>> *To:* Kent Roberts <kent at fredf.org>
>>> *Cc:* cisco-voip at puck.nether.net
>>> *Subject:* Re: [cisco-voip] [External] Error Processing SAML Response
>>>
>>>
>>>
>>> The error message in the Cisco traces (SSO) is:
>>>
>>>
>>>
>>> 2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger -
>>> SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15
>>> 22:07:44 UTC 2021   *-  this time is 17:07:44 CDT*
>>>
>>> 2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger -
>>> SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44
>>> UTC 2021      *-  this time is 16:07:44 CDT*
>>>
>>>
>>>
>>> 2021-09-15 15:25:10,642 ERROR [http-nio-81-exec-10]
>>> authentication.SAMLAuthenticator - Error while processing saml response The
>>> time in the Assertion's Condition is invalid.
>>> com.sun.identity.saml2.common.SAML2Exception: The time in the
>>> Assertion's Condition is invalid.
>>>
>>>
>>>
>>> Basically what appears to be occurring is we get a NotBefore of 1 second
>>> after our request came in (16:07:43) and it gets killed....
>>>
>>>
>>>
>>> The real question is what they need to do on the ADFS side to fix
>>> this... why are they sending us a time in the future? The argument is NTP
>>> is off by one second for one of the servers (all of them show synched)...
>>>
>>>
>>>
>>>
>>>
>>> Jonathan
>>>
>>>
>>>
>>> On Thu, Sep 16, 2021 at 8:29 PM Kent Roberts <kent at fredf.org> wrote:
>>>
>>> Oh, OK, if I misunderstood then, yes, a SAML trace would be good, as well
>>> as knowing whether this is new or whether it used to work.   Seems similar to
>>> what I have seen in UCCE with the packet stuff not signed or wrong encryption
>>> type… of course that’s UCCE vs CUCM, but usually CUCM just works…
>>>
>>>
>>>
>>>
>>>
>>> On Sep 16, 2021, at 6:45 PM, Johnson, Tim <johns10t at cmich.edu> wrote:
>>>
>>>
>>>
>>> Nah, looks like he said logging into CCM Admin pages, with AD accounts,
>>> so all areas of the web UI (I believe). The NTP errors that I’ve seen are
>>> presented as SAML assertion errors.
>>>
>>>
>>>
>>> I’m curious if this is a new SSO config, or if it was working properly
>>> and something’s changed.
>>>
>>>
>>>
>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Kent
>>> Roberts
>>> *Sent:* Thursday, September 16, 2021 8:37 PM
>>> *To:* Matthew Loraditch <MLoraditch at heliontechnologies.com>
>>> *Cc:* cisco-voip at puck.nether.net
>>> *Subject:* [External] Re: [cisco-voip] Error Processing SAML Response
>>>
>>>
>>>
>>> Remember he said it also was happening on the CUCM Admin account, which
>>> has nothing to do with SSO/SAML.   So that means it’s most likely internal to
>>> CUCM...
>>>
>>>
>>>
>>> On Sep 16, 2021, at 4:36 PM, Matthew Loraditch <
>>> MLoraditch at heliontechnologies.com> wrote:
>>>
>>>
>>>
>>> The logs are pretty clear when it’s a time difference that is the error. I’ve
>>> not seen it occur randomly, but definitely the error will say it’s time and
>>> may even show the difference.
>>>
>>>
>>>
>>> It’s the 4j log file for SSO, I believe.
>>>
>>>
>>>
>>>
>>>
>>>
>>> Matthew Loraditch
>>>
>>> Sr. Network Engineer
>>>
>>> (He/Him/His)
>>>
>>> p: 443.541.1518
>>>
>>> w: www.heliontechnologies.com
>>>
>>> e: MLoraditch at heliontechnologies.com
>>>
>>> ------------------------------
>>>
>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
>>> Lelio Fulgenzi <lelio at uoguelph.ca>
>>> *Sent:* Thursday, September 16, 2021 4:32:12 PM
>>> *To:* Jonathan Charles <jonvoip at gmail.com>; Benjamin Turner <
>>> benmturner at hotmail.com>
>>> *Cc:* cisco-voip at puck.nether.net <cisco-voip at puck.nether.net>
>>> *Subject:* Re: [cisco-voip] Error Processing SAML Response
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Have you been able to confirm the time difference?
>>>
>>>
>>>
>>> I’m not trying to take their side of things, but if it’s minutes off, I
>>> wouldn’t doubt that’s possible. SSO is highly secure, right? A time
>>> difference might be enough to throw it off?
>>>
>>>
>>>
>>> Here’s a reference:
>>>
>>>
>>>
>>>
>>> https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Jonathan
>>> Charles
>>> *Sent:* Thursday, September 16, 2021 6:23 PM
>>> *To:* Benjamin Turner <benmturner at hotmail.com>
>>> *Cc:* cisco-voip at puck.nether.net
>>> *Subject:* Re: [cisco-voip] Error Processing SAML Response
>>>
>>>
>>>
>>>
>>>
>>>
>>> No... TBH, I have never heard of it...
>>>
>>>
>>>
>>> TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC
>>> and ADFS...
>>>
>>>
>>>
>>>
>>>
>>> Jonathan
>>>
>>>
>>>
>>> On Thu, Sep 16, 2021 at 4:08 PM Benjamin Turner <benmturner at hotmail.com>
>>> wrote:
>>>
>>> Have you tried to run a SAML Tracer?
>>>
>>>
>>>
>>> Sincerely,
>>> Benjamin M. Turner
>>> ------------------------------
>>>
>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
>>> Jonathan Charles <jonvoip at gmail.com>
>>> *Sent:* Thursday, September 16, 2021 4:56:48 PM
>>> *To:* cisco-voip at puck.nether.net <cisco-voip at puck.nether.net>
>>> *Subject:* [cisco-voip] Error Processing SAML Response
>>>
>>>
>>>
>>> So, users are randomly getting the above error when logging into CUCM
>>> UCMUser or CUC Inbox... we are also getting it using AD credentials into
>>> admin pages for CUCM/CUC/etc.
>>>
>>>
>>>
>>> For a user, it will work fine repeatedly, then you will get the error;
>>> close your browser and reopen, and you still get the error for a few minutes.
>>> Then later it will work. When a user is affected, other users work fine.
>>>
>>>
>>>
>>> TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP
>>> (ADFS 2.0) is fine.
>>>
>>>
>>>
>>> Pings are around 1ms between servers.
>>>
>>>
>>>
>>> Any ideas?
>>>
>>>
>>>
>>>
>>>
>>> Jonathan
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>>
>>>
>>>
>>
>>
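The whole thread comes down to the arithmetic in the CUCM trace: the assertion's NotBefore was 21:07:44Z, the SP clock read 21:07:43.791Z, and a zero-tolerance check rejects an assertion that is 209 ms "in the future". The script below is an added example (not CUCM, ADFS or any poster's code) that implements the SAML 2.0 Core rules for NotBefore (inclusive) and NotOnOrAfter (exclusive) with a configurable skew, and runs them against a constructed Conditions fragment carrying the timestamps from the trace. The Audience value cucm.example.com and the element layout are assumptions; only the times come from the page.

```python
"""SAML 2.0 <Conditions> validity check with clock-skew tolerance.

Added example, not code from CUCM, ADFS or the list posters. Reproduces
the arithmetic behind the trace in the thread: NotBefore was 21:07:44Z
while the SP clock read 21:07:43.791Z, so a strict check fails by under
a second. A bounded skew absorbs that without admitting stale assertions.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed <Conditions> fragment mirroring the times in the CUCM trace;
# this is not a real ADFS assertion and the audience value is an assumption.
SAMPLE_CONDITIONS = """<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2021-09-15T21:07:44Z" NotOnOrAfter="2021-09-15T22:07:44Z">
  <saml:AudienceRestriction>
    <saml:Audience>cucm.example.com</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>"""

# SP clock when the trace line was written: 16:07:43.791 CDT == 21:07:43.791 UTC.
SP_CLOCK = datetime(2021, 9, 15, 21, 7, 43, 791000, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse a SAML xs:dateTime (UTC, 'Z' suffix) into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_conditions(conditions_xml, now, skew_seconds=0, audience=None):
    """Apply the SAML 2.0 Core rules for <Conditions>.

    NotBefore is inclusive, NotOnOrAfter is exclusive. `skew_seconds` is the
    tolerance the SP grants in both directions for IdP/SP clock drift. Run
    this only on an assertion whose signature has already been verified;
    the time check is no substitute for signature validation.
    Returns (ok, reason).
    """
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(conditions_xml)

    not_before = root.get("NotBefore")
    if not_before is not None:
        nb = parse_saml_time(not_before)
        if now + skew < nb:
            ahead = (nb - now).total_seconds()
            return False, f"NotBefore {not_before} is {ahead:.3f}s ahead of SP clock"

    not_on_or_after = root.get("NotOnOrAfter")
    if not_on_or_after is not None:
        noa = parse_saml_time(not_on_or_after)
        if now - skew >= noa:
            return False, f"NotOnOrAfter {not_on_or_after} has passed"

    if audience is not None:
        allowed = [a.text for a in root.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if allowed and audience not in allowed:
            return False, f"audience {audience!r} not in {allowed}"

    return True, "conditions satisfied"


def demo():
    """Outcomes for the trace timestamps under different skew settings."""
    return {
        # What CUCM did: zero tolerance, clock 209 ms behind NotBefore -> rejected.
        "strict": check_conditions(SAMPLE_CONDITIONS, SP_CLOCK)[0],
        # One second of tolerance is enough for this particular drift.
        "skew_1s": check_conditions(SAMPLE_CONDITIONS, SP_CLOCK, skew_seconds=1)[0],
        # A minute, as suggested for ADFS NotBeforeSkew, covers normal NTP jitter.
        "skew_60s": check_conditions(SAMPLE_CONDITIONS, SP_CLOCK, skew_seconds=60)[0],
        # Skew is bounded: an assertion presented two hours late is still rejected.
        "expired": check_conditions(SAMPLE_CONDITIONS, SP_CLOCK + timedelta(hours=2),
                                    skew_seconds=60)[0],
        # Skew never relaxes the audience restriction.
        "wrong_audience": check_conditions(SAMPLE_CONDITIONS, SP_CLOCK, skew_seconds=60,
                                           audience="other.example.com")[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accept' if ok else 'reject'}")
    print(check_conditions(SAMPLE_CONDITIONS, SP_CLOCK)[1])
```

The SP-side tolerance shown here is what the Ping article linked in the thread describes; the equivalent on the issuer side is Adam's suggestion, Set-AdfsRelyingPartyTrust -TargetName '<relying party>' -NotBeforeSkew 1, which backdates NotBefore by one minute for that trust so a slightly-ahead ADFS node no longer issues assertions the SP sees as future-dated. Either way the skew should stay small (a minute, not hours) so it only hides jitter, and the two-node F5 pool in this thread is the reminder to check the clock of every node behind the VIP rather than only the one you happen to land on.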