Possibly the date compare with the different timezones is off somehow?

- <Ticket is issued before the allowed drift. Issued on
[2018-10-31T16:47:51.558Z] while allowed drift is
[2018-10-31T11:47:58.925-05:00[America/Chicago]]>

Maybe dev CAS and dev ADFS are same timezone and only prod is different?

On Wed, Oct 31, 2018 at 12:06 PM Toby Archer <[email protected]> wrote:

> So I've got a mysterious problem. This morning we were going to go live
> with our new cas 5 servers, but when I tried to login to them, through
> ADFS, my login got redirected five times and landed on an ADFS error page.
> The logs looked like this:
>
> 2018-10-31 11:47:57,680 INFO
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Preparing to redirect to the IdP [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]>
>> 2018-10-31 11:48:08,947 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:51.558Z] while allowed drift is
>> [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
>> 2018-10-31 11:48:08,948 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:08,948 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,253 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:56.615Z] while allowed drift is
>> [2018-10-31T11:47:59.251-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,254 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,254 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,612 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:57.017Z] while allowed drift is
>> [2018-10-31T11:47:59.610-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,612 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,613 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,846 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:57.264Z] while allowed drift is
>> [2018-10-31T11:47:59.844-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,847 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,847 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:10,122 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:57.532Z] while allowed drift is
>> [2018-10-31T11:48:00.121-05:00[America/Chicago]]>
>> 2018-10-31 11:48:10,123 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:10,124 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:10,373 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:57.796Z] while allowed drift is
>> [2018-10-31T11:48:00.359-05:00[America/Chicago]]>
>> 2018-10-31 11:48:10,373 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:10,374 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>>
>
> I discussed it with the guy who manages our ADFS instance and he asked me
> if the dev cas server works. We have no dev instance of ADFS so both dev
> and production hit the same ADFS server. Dev worked just fine. Login, hit
> ADFS, return, successful login cas page.
>
> I discussed this further and he sent me the saml for both attempts.
>
> <saml:AudienceRestrictionCondition>
>>                     <saml:Audience>urn:cas:cas.usd.edu</saml:Audience>
>>                 </saml:AudienceRestrictionCondition>
>>             </saml:Conditions>
>>             <saml:AttributeStatement>
>>                 <saml:Subject>
>>                     <saml:SubjectConfirmation>
>>
>> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>                     </saml:SubjectConfirmation>
>>                 </saml:Subject>
>>                 <saml:Attribute AttributeName="upn"
>>                                 AttributeNamespace="
>> http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
>>                                 >
>>
>> <saml:AttributeValue>the_users_username</saml:AttributeValue>
>>                 </saml:Attribute>
>>             </saml:AttributeStatement>
>>
>
>
> in production and
>
> <saml:AudienceRestrictionCondition>
>>                     <saml:Audience>urn:cas:test-sso.usd.edu
>> </saml:Audience>
>>                 </saml:AudienceRestrictionCondition>
>>             </saml:Conditions>
>>             <saml:AttributeStatement>
>>                 <saml:Subject>
>>                     <saml:SubjectConfirmation>
>>
>> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>                     </saml:SubjectConfirmation>
>>                 </saml:Subject>
>>                 <saml:Attribute AttributeName="upn"
>>                                 AttributeNamespace="
>> http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
>>                                 >
>>
>> <saml:AttributeValue>the_users_username</saml:AttributeValue>
>>                 </saml:Attribute>
>>
>
> in dev (also called test in places). The saml is the same (except for some
> bits chopped off when he copied them). The only difference is the audience.
> If both dev and prod weren't working this would make sense. But why only
> prod? I looked at the git log and blames and the dev and production
> configurations are identical except for their name. It feels like CAS gets
> the saml back and it doesn't know what to do with it, so it passes the user
> back to ADFS, which authenticates them again, sends them back, and round we
> go. I'm utterly confused and out of ideas. Anyone have any suggestions?
>
> ~TA

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC_RtEYC_97%3DCFYgktphB863EFPFU9pv_y-hy0_hDgt6_bzG-w%40mail.gmail.com.
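An added example, not code from either message or from CAS, that takes the drift WARN lines quoted above, puts the "Issued on" time and the "allowed drift" boundary on one UTC timeline, and infers the tolerance window the boundary was derived from. The sample lines are constructed copies of the first two WARN entries; the only assumption is that each line's own timestamp is in the zone shown in the boundary (America/Chicago).

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the CAS WARN lines quoted above.
SAMPLE_LOG = """\
2018-10-31 11:48:08,947 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:51.558Z] while allowed drift is [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
2018-10-31 11:48:09,253 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:56.615Z] while allowed drift is [2018-10-31T11:47:59.251-05:00[America/Chicago]]>
"""

DRIFT_RE = re.compile(
    r"Issued on \[(?P<issued>[^\]]+)\] while allowed drift is "
    r"\[(?P<drift>[^\[\]]+)(?:\[[^\]]+\])?\]"  # ignores the trailing [Zone/Id]
)


def parse_java_zdt(text):
    """Parse Java ZonedDateTime text ('...51.558Z' or '...58.925-05:00')
    into a timezone-aware datetime; 'Z' is rewritten for fromisoformat."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def analyse(log_text):
    """For each drift WARN line, compare issue time and boundary on the UTC
    timeline and infer the tolerance ('now' minus boundary). Assumption: the
    line's own timestamp is in the zone shown in the boundary."""
    results = []
    for line in log_text.splitlines():
        m = DRIFT_RE.search(line)
        if not m:
            continue
        issued = parse_java_zdt(m["issued"])
        boundary = parse_java_zdt(m["drift"])
        logged = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")
        logged = logged.replace(tzinfo=boundary.tzinfo)
        results.append({
            "issued_utc": issued.astimezone(timezone.utc).isoformat(),
            "boundary_utc": boundary.astimezone(timezone.utc).isoformat(),
            # Positive: the assertion was issued before 'now - tolerance'.
            "gap_seconds": round((boundary - issued).total_seconds(), 3),
            "rejected": issued < boundary,
            "tolerance_seconds": round((logged - boundary).total_seconds(), 3),
        })
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(r)
```

Once both values sit in UTC the first assertion is still 7.367 s earlier than the boundary, so the zone offset itself is not what the comparison trips on; the boundary sits about 10 s behind the log time, which is the window the issue time has to fall inside.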