I just typed "date" into both the dev cas and prod cas. Both gave the same time. So that doesn't seem to be the case. Unless you have a better suggestion on how to check. Thanks for the suggestion, I hadn't thought of that.
On Wednesday, October 31, 2018 at 2:14:54 PM UTC-5, Travis Schmidt wrote:
>
> Possible the date compare with the different timezones is off somehow?
>
> - <Ticket is issued before the allowed drift. Issued on
> [2018-10-31T16:47:51.558Z] while allowed drift is
> [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
>
> Maybe dev CAS and dev ADFS are same timezone and only prod is different?
>
> On Wed, Oct 31, 2018 at 12:06 PM Toby Archer <[email protected]> wrote:
>
>> So I've got a mysterious problem. This morning we were going to go live
>> with our new cas 5 servers, but when I tried to login to them, through
>> ADFS, my login got redirected five times and landed on an ADFS error page.
>> The logs looked like this:
>>
>>> 2018-10-31 11:47:57,680 INFO [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Preparing to redirect to the IdP [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]>
>>> 2018-10-31 11:48:08,947 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:51.558Z] while allowed drift is [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
>>> 2018-10-31 11:48:08,948 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
>>> 2018-10-31 11:48:08,948 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
>>> 2018-10-31 11:48:09,253 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:56.615Z] while allowed drift is [2018-10-31T11:47:59.251-05:00[America/Chicago]]>
>>> 2018-10-31 11:48:09,254 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
>>> 2018-10-31 11:48:09,254 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
>>> 2018-10-31 11:48:09,612 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:57.017Z] while allowed drift is [2018-10-31T11:47:59.610-05:00[America/Chicago]]>
>>> 2018-10-31 11:48:09,612 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
>>> 2018-10-31 11:48:09,613 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
>>> 2018-10-31 11:48:09,846 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:57.264Z] while allowed drift is [2018-10-31T11:47:59.844-05:00[America/Chicago]]>
>>> 2018-10-31 11:48:09,847 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
>>> 2018-10-31 11:48:09,847 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
>>> 2018-10-31 11:48:10,122 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:57.532Z] while allowed drift is [2018-10-31T11:48:00.121-05:00[America/Chicago]]>
>>> 2018-10-31 11:48:10,123 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
>>> 2018-10-31 11:48:10,124 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
>>> 2018-10-31 11:48:10,373 WARN [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] - <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:57.796Z] while allowed drift is [2018-10-31T11:48:00.359-05:00[America/Chicago]]>
>>> 2018-10-31 11:48:10,373 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML assertions are blank or no longer valid based on RP identifier [urn:cas:cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust]>
>>> 2018-10-31 11:48:10,374 WARN [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <Created authentication url [https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu] and returning error>
>>
>> I discussed it with the guy who manages our ADFS instance and he asked me
>> if the dev cas server works. We have no dev instance of ADFS so both dev
>> and production hit the same ADFS server. Dev worked just fine. Login, hit
>> ADFS, return, successful login cas page.
>>
>> I discussed this further and he sent me the saml for both attempts.
>>
>>> <saml:AudienceRestrictionCondition>
>>> <saml:Audience>urn:cas:cas.usd.edu</saml:Audience>
>>> </saml:AudienceRestrictionCondition>
>>> </saml:Conditions>
>>> <saml:AttributeStatement>
>>> <saml:Subject>
>>> <saml:SubjectConfirmation>
>>> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>> </saml:SubjectConfirmation>
>>> </saml:Subject>
>>> <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>>> <saml:AttributeValue>the_users_username</saml:AttributeValue>
>>> </saml:Attribute>
>>> </saml:AttributeStatement>
>>
>> in production and
>>
>>> <saml:AudienceRestrictionCondition>
>>> <saml:Audience>urn:cas:test-sso.usd.edu</saml:Audience>
>>> </saml:AudienceRestrictionCondition>
>>> </saml:Conditions>
>>> <saml:AttributeStatement>
>>> <saml:Subject>
>>> <saml:SubjectConfirmation>
>>> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>> </saml:SubjectConfirmation>
>>> </saml:Subject>
>>> <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>>> <saml:AttributeValue>the_users_username</saml:AttributeValue>
>>> </saml:Attribute>
>>
>> In dev (also called test in places). The saml is the same (except for some
>> bits chopped off when he copied them). The only difference is the audience.
>> If both dev and prod weren't working this would make sense. But why only
>> prod? I looked at the git log and blames and the dev and production
>> configurations are identical except for their name. It feels like CAS gets
>> the saml back and it doesn't know what to do with it, so it passes the user
>> back to ADFS, which authenticates them again, sends them back, and round we
>> go. I'm utterly confused and out of ideas. Anyone have any suggestions?
>>
>> ~TA
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/917d95dd-3b14-427f-aa28-ebbad1027de5%40apereo.org.
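An added example (my own script, not CAS code and not anything posted in the thread) that re-reads the first drift warning quoted above and recomputes the gaps from its own timestamps. Both the 'Z' issuance time and the '-05:00[America/Chicago]' boundary are absolute instants, so the display zone drops out of the comparison; what remains is where the assertion's issuance sits relative to CAS's own redirect and retrieval times. Assumed: the log4j timestamps are in the same zone as the boundary, and the boundary is the retrieval time minus the configured tolerance.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the first INFO line and the first WARN line quoted in the thread.
REDIRECT_LINE = ("2018-10-31 11:47:57,680 INFO [org.apereo.cas.support.wsfederation.web.flow."
                 "WsFederationAction] - <Preparing to redirect to the IdP [https://adfs.usd.edu/"
                 "adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]>")
DRIFT_LINE = ("2018-10-31 11:48:08,947 WARN [org.apereo.cas.support.wsfederation.authentication."
              "principal.WsFederationCredential] - <Ticket is issued before the allowed drift. "
              "Issued on [2018-10-31T16:47:51.558Z] while allowed drift is "
              "[2018-10-31T11:47:58.925-05:00[America/Chicago]]>")

DRIFT_RE = re.compile(r"^(?P<logged>\S+ \S+) WARN .*Issued on \[(?P<issued>[^\]]+)\] "
                      r"while allowed drift is \[(?P<boundary>[^\[\]]+)(?:\[[^\]]+\])?\]")


def parse_java_zdt(text: str) -> datetime:
    """Parse java.time's '...Z' or '...-05:00[America/Chicago]' output into an aware datetime.
    Both forms denote absolute instants, so after parsing they compare correctly whatever
    zone each was rendered in; the display zone cannot be what makes the check fail."""
    text = re.sub(r"\[[^\]]+\]$", "", text)   # drop the '[Region/City]' suffix
    if text.endswith("Z"):                     # fromisoformat() before 3.11 rejects 'Z'
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def parse_log_ts(text: str, zone: timezone) -> datetime:
    # log4j stamps carry no offset; assume they are in the same zone as the boundary.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=zone)


def analyse_drift_warning(drift_line: str, redirect_line: str) -> dict:
    """Turn one drift warning into the durations that separate clock skew from latency."""
    m = DRIFT_RE.match(drift_line)
    if not m:
        raise ValueError("not a WsFederation drift warning")
    issued = parse_java_zdt(m["issued"])
    boundary = parse_java_zdt(m["boundary"])
    logged = parse_log_ts(m["logged"], boundary.tzinfo)
    redirect = parse_log_ts(redirect_line[:23], boundary.tzinfo)
    return {
        # how long before the accepted window opened the assertion was issued
        "early_by": boundary - issued,
        # boundary = retrieval time - tolerance (assumed), so this recovers the tolerance
        "implied_tolerance": logged - boundary,
        # assertion age as CAS saw it: inter-clock skew plus the round trip through ADFS
        "issuance_to_retrieval": logged - issued,
        # negative means ADFS stamped the assertion before CAS logged the redirect to it
        "redirect_to_issued": issued - redirect,
    }
```

Running the same function over each of the six quoted warnings shows whether the offsets are stable across the loop, which is what distinguishes a clock that is simply off from a slow round trip.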
