Hello Sean,

Have you found something else? I'm facing this problem as well. The Azure AccessTokenLifetime is set to 90 days (+/- 5 minutes) and my maximumAuthenticationLifetime is set to 7776000. However, 90 days after I set that property, some users are not able to log in using CAS. How did you solve it?

Best Regards,
Filipe

On Wednesday, 25 November 2020 at 20:20:22 UTC, Sean Day wrote:

> Hi Ray,
>
> Thanks for the quick response, I have got the users to check the time on
> their PC plus I have checked the CAS server and all seem to be in sync.
> Also, the users have noticed that if they use a different browser they can
> log in, I have had users switch from Chrome to Firefox on the same PC and
> they can log in.
>
> I have tried getting them to clear their browser cache but they still
> experience the same issue.
>
> I have found some similar issues with Azure AD and pac4j here:
> https://groups.google.com/g/pac4j-users/c/G4Cn5j0XDm4 where the user set
> the max auth lifetime really high but again was advised this is not a good
> idea. I will keep investigating...
>
> Thanks
>
> Sean
>
> On Wednesday, 25 November 2020 at 18:37:43 UTC Ray Bon wrote:
>
>> Sean,
>>
>> This looks like your clock is incorrect.
>> Use a tool like samltracer to see what is being passed.
>>
>> You do not want to have large lifetime windows on authentication
>> responses, to limit replay attacks.
>>
>> Ray
>>
>> On Wed, 2020-11-25 at 10:15 -0800, Sean Day wrote:
>>
>> Hi,
>>
>> I have CAS 6.2 configured to authenticate against Azure AD, I have some
>> users that are getting an error:
>>
>> org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue
>> instant is too old or in the future
>>
>> It seems to be browser/PC dependent, if they try a different PC it is OK,
>> the assertion seems to be very old in some cases (months old). It only
>> seems to affect CAS based SAML logins though, authenticating against Azure
>> AD directly for O365 for example works as expected.
>>
>> I know I can work around this by increasing the setting but does anyone
>> know why I would need to (I already have it set for about 3 months and need
>> to increase it further and I am guessing would have to do this again in the
>> future if I cannot find the cause)?
>>
>> Thanks
>>
>> Sean
>>
>> --
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | [email protected]
>>
>> I respectfully acknowledge that my place of work is located within the
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>> WSÁNEĆ Nations.
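
Added example, not part of the original thread and not CAS or pac4j code: a diagnostic for a response captured with a tool like the SAML tracer mentioned above, comparing each assertion's `AuthnInstant` and `IssueInstant` against a lifetime window of the kind the exception message describes. It assumes the input is the base64 `SAMLResponse` form value from an HTTP POST; the function names, the 300-second skew and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2020-11-25T18:14:30.000Z."""
    head, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int(frac[:6].ljust(6, "0"))) if frac else dt

def check_authn_instants(response_b64, now, max_lifetime_s, skew_s=300):
    """Diagnostic on a captured response; performs no signature validation."""
    root = ET.fromstring(base64.b64decode(response_b64))
    findings = []
    for assertion in root.iter(SAML + "Assertion"):
        issued = parse_instant(assertion.get("IssueInstant"))
        for stmt in assertion.iter(SAML + "AuthnStatement"):
            authn = parse_instant(stmt.get("AuthnInstant"))
            if authn > now + timedelta(seconds=skew_s):
                verdict = "in_future"  # consistent with a clock problem
            elif authn < now - timedelta(seconds=max_lifetime_s + skew_s):
                verdict = "too_old"    # login predates the accepted window
            else:
                verdict = "ok"
            findings.append({
                "verdict": verdict,
                "authn_age_days": (now - authn).days,
                "issue_age_s": int((now - issued).total_seconds()),
            })
    return findings

# Constructed sample: assertion issued 30 seconds ago, login dated 100 days earlier.
NOW = datetime(2020, 11, 25, 18, 15, 0, tzinfo=timezone.utc)
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Assertion ID="_constructed" IssueInstant="2020-11-25T18:14:30.000Z" Version="2.0">'
    '<saml:AuthnStatement AuthnInstant="2020-08-17T18:14:30.000Z"/>'
    '</saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for lifetime_s in (3600, 7776000, 8640000):
        print(lifetime_s, check_authn_instants(SAMPLE_B64, NOW, lifetime_s))
```

A recent `IssueInstant` next to a months-old `AuthnInstant` means the identity provider issued a fresh assertion for an existing login session, which is a different situation from clock drift between hosts.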
