Description
With SAML-based access to Console and Enduser, the error "Session expired: please log in again" might be displayed after a successful round-trip to the configured IdP.
After investigation, the reason seems to be that some IdPs re-use the information that the user has authenticated earlier (reporting that via the authnInstant in the SAML response).
By default, pac4j (the underlying library on which SAML-based access to Console and Enduser is implemented) will prevent users from logging in if the authentication instant is older than 1 hour (3600 seconds).
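
To confirm this is what a given login is hitting, the age of the reported authentication instant can be measured on a captured response. The following is an added example, not code from pac4j or from this project: it assumes a decoded, unencrypted SAML response, models only the "older than the limit" rule described above, and uses a constructed sample response and hypothetical function names.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_MAX_AUTH_LIFETIME = 3600  # seconds; the default quoted in the description

# Constructed sample: the IdP answers at 10:30 but reports a login from 08:00.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-05-01T10:30:00Z">
  <saml:Assertion ID="_constructed_a" Version="2.0" IssueInstant="2024-05-01T10:30:00Z">
    <saml:AuthnStatement AuthnInstant="2024-05-01T08:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>
"""

def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T08:00:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_authn_instants(xml_text, now, max_lifetime=DEFAULT_MAX_AUTH_LIFETIME):
    """Return one (AuthnInstant, age_in_seconds, accepted) tuple per AuthnStatement."""
    # The stdlib parser is acceptable for a response you captured yourself;
    # use a hardened parser (e.g. defusedxml) for untrusted input.
    root = ET.fromstring(xml_text)
    results = []
    for stmt in root.iter("{%s}AuthnStatement" % ASSERTION_NS):
        raw = stmt.get("AuthnInstant")
        if raw is None:  # no instant reported: nothing to accept
            results.append((None, None, False))
            continue
        age = (now - parse_instant(raw)).total_seconds()
        results.append((raw, age, age <= max_lifetime))
    return results

if __name__ == "__main__":
    # Constructed "time of receipt", five seconds after the response was issued.
    now = datetime(2024, 5, 1, 10, 30, 5, tzinfo=timezone.utc)
    for raw, age, ok in check_authn_instants(SAMPLE_RESPONSE, now):
        verdict = "accepted" if ok else "rejected: session expired"
        print(f"AuthnInstant={raw} age={age:.0f}s -> {verdict}")
```

A larger limit accepts IdP sessions established further in the past, so any change to it should track the IdP's own session lifetime.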