Hi Ray,

Thanks for the quick response. I have got the users to check the time on their PC, plus I have checked the CAS server, and all seem to be in sync. Also, the users have noticed that if they use a different browser they can log in; I have had users switch from Chrome to Firefox on the same PC and they can log in.
I have tried getting them to clear their browser cache but they still experience the same issue. I have found some similar issues with Azure AD and pac4j here: https://groups.google.com/g/pac4j-users/c/G4Cn5j0XDm4 where the user set the max auth lifetime really high but again was advised this is not a good idea. I will keep investigating.

Thanks
Sean

On Wednesday, 25 November 2020 at 18:37:43 UTC Ray Bon wrote:

> Sean,
>
> This looks like your clock is incorrect.
> Use a tool like samltracer to see what is being passed.
>
> You do not want to have large lifetime windows on authentication
> responses, to limit replay attacks.
>
> Ray
>
> On Wed, 2020-11-25 at 10:15 -0800, Sean Day wrote:
>
> > Notice: This message was sent from outside the University of Victoria
> > email system. Please be cautious with links and sensitive information.
> >
> > Hi,
> >
> > I have CAS 6.2 configured to authenticate against Azure AD. I have some
> > users that are getting an error:
> >
> > org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue
> > instant is too old or in the future
> >
> > It seems to be browser/PC dependent; if they try a different PC it is OK.
> > The assertion seems to be very old in some cases (months old). It only
> > seems to affect CAS based SAML logins though; authenticating against Azure
> > AD directly for O365, for example, works as expected.
> >
> > I know I can work around this by increasing the setting but does anyone
> > know why I would need to (I already have it set for about 3 months and need
> > to increase it further and I am guessing would have to do this again in the
> > future if I cannot find the cause)?
> >
> > Thanks
> >
> > Sean
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
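Added example, not part of the original thread and not CAS or pac4j code: a small Python diagnostic for a decoded SAML response captured with a tool like samltracer, which separates a clock problem (IssueInstant far from the receive time) from an old AuthnInstant inside a freshly issued response. The function names, the 300 second skew allowance, the finding labels and the sample timestamps are assumptions made for illustration; the lifetime comparison is modelled on the error message quoted above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_instant(value):
    # SAML instants are UTC xs:dateTime values such as 2020-11-25T18:10:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(response_xml, received_at, max_auth_lifetime_s, skew_s=300):
    """Classify the timestamps of one decoded SAML Response (hypothetical helper)."""
    # Diagnostic only: no signature validation, use on responses you captured yourself.
    root = ET.fromstring(response_xml)
    issue = parse_instant(root.get("IssueInstant"))
    authn = parse_instant(root.find(".//saml:AuthnStatement", NS).get("AuthnInstant"))
    skew = timedelta(seconds=skew_s)
    findings = []
    # IssueInstant is stamped when the IdP builds the response, so a large gap
    # to our receive time means the two clocks disagree.
    if abs(received_at - issue) > skew:
        findings.append("clock-skew")
    # AuthnInstant is when the user last authenticated at the IdP. If the IdP
    # reuses an existing browser session it can be far older than IssueInstant.
    if authn > received_at + skew:
        findings.append("authn-in-future")
    elif received_at - authn > timedelta(seconds=max_auth_lifetime_s) + skew:
        findings.append("stale-idp-session")
    return {"authn_age": received_at - authn, "findings": findings or ["ok"]}

def sample_response(issue_instant, authn_instant):
    # Constructed, unsigned skeleton with only the attributes inspected above.
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'IssueInstant="{issue_instant}"><saml:Assertion>'
            f'<saml:AuthnStatement AuthnInstant="{authn_instant}"/>'
            f'</saml:Assertion></samlp:Response>')

# Constructed receive time for the demo below.
RECEIVED = datetime(2020, 11, 25, 18, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    old = sample_response("2020-11-25T18:10:00Z", "2020-08-20T09:00:00Z")
    for lifetime in (3600, 90 * 24 * 3600):  # one hour, then about three months
        print(lifetime, diagnose(old, RECEIVED, lifetime))
```

A "stale-idp-session" result with no "clock-skew" means the response itself is fresh and only the recorded authentication time is old, so synchronising clocks will not change the outcome.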
