Hi Filipe,

Unfortunately I did not find a good solution. The two options I have found are to keep increasing the cas.authn.pac4j.saml[0].maximum-authentication-lifetime setting, or to set the following, which will force a login each time someone accesses a service via CAS:
cas.authn.pac4j.saml[0].force-auth: true

Regards
Sean

On Tuesday, 5 July 2022 at 11:50:30 UTC+1 [email protected] wrote:
> Hello Sean,
>
> Have you found something else?
> I'm facing this problem as well.
> The Azure AccessTokenLifetime is set to 90 days (+/- 5 minutes) and my maximumAuthenticationLifetime is set to 7776000. However, 90 days after I set that property, some users are not able to login using CAS.
> How did you solve it?
>
> Best Regards,
> Filipe
>
> On Wednesday, 25 November 2020 at 20:20:22 UTC, Sean Day wrote:
>
>> Hi Ray,
>>
>> Thanks for the quick response. I have got the users to check the time on their PC, plus I have checked the CAS server, and all seem to be in sync. Also, the users have noticed that if they use a different browser they can login; I have had users switch from Chrome to Firefox on the same PC and they can login.
>>
>> I have tried getting them to clear their browser cache but they still experience the same issue.
>>
>> I have found some similar issues with Azure AD and pac4j here: https://groups.google.com/g/pac4j-users/c/G4Cn5j0XDm4 where the user set the max auth lifetime really high but again was advised this is not a good idea. I will keep investigating...
>>
>> Thanks
>>
>> Sean
>>
>> On Wednesday, 25 November 2020 at 18:37:43 UTC Ray Bon wrote:
>>
>>> Sean,
>>>
>>> This looks like your clock is incorrect.
>>> Use a tool like samltracer to see what is being passed.
>>>
>>> You do not want to have large lifetime windows on authentication responses, to limit replay attacks.
>>>
>>> Ray
>>>
>>> On Wed, 2020-11-25 at 10:15 -0800, Sean Day wrote:
>>>
>>> Hi,
>>>
>>> I have CAS 6.2 configured to authenticate against Azure AD. I have some users that are getting an error:
>>>
>>> org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue instant is too old or in the future
>>>
>>> It seems to be browser/PC dependent; if they try a different PC it is OK. The assertion seems to be very old in some cases (months old). It only seems to affect CAS-based SAML logins though; authenticating against Azure AD directly for O365, for example, works as expected.
>>>
>>> I know I can work around this by increasing the setting, but does anyone know why I would need to? (I already have it set for about 3 months and need to increase it further, and I am guessing I would have to do this again in the future if I cannot find the cause.)
>>>
>>> Thanks
>>>
>>> Sean
>>>
>>> --
>>>
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> (250) 721-8831 | CLE 019 | [email protected]
>>>
>>> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
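To show why the error keeps coming back and why force-auth stops it, here is an added example (written for this thread, not code from CAS or pac4j) that models the AuthnInstant window check in Python. The model assumes what the thread observes: the IdP issues a fresh assertion on every login, but while the Azure AD SSO session persists the AuthnInstant stays at the original sign-in, so it eventually falls outside maximum-authentication-lifetime; ForceAuthn makes the user re-authenticate, and the skew parameter covers Ray's clock point. All timestamps and the session timeline are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed model (not pac4j's code) of the AuthnInstant window check behind
# "Authentication issue instant is too old or in the future", driven by the
# maximum-authentication-lifetime (seconds) and an accepted clock skew.

@dataclass
class AuthnStatement:
    authn_instant: datetime   # when the IdP actually authenticated the user

@dataclass
class Assertion:
    issue_instant: datetime   # when the IdP minted this assertion
    authn: AuthnStatement

def authn_instant_valid(authn_instant, now, max_lifetime_s, skew_s=0):
    """True when AuthnInstant lies within [now - lifetime - skew, now + skew]."""
    earliest = now - timedelta(seconds=max_lifetime_s + skew_s)
    latest = now + timedelta(seconds=skew_s)
    return earliest <= authn_instant <= latest

def validate(assertion, now, max_lifetime_s, skew_s=0):
    """Return None on success, otherwise the pac4j-style error message."""
    ok = authn_instant_valid(assertion.authn.authn_instant, now, max_lifetime_s, skew_s)
    return None if ok else "Authentication issue instant is too old or in the future"

def idp_respond(session_authn_instant, now, force_authn):
    """Model an IdP with a persistent SSO session: without ForceAuthn the new
    assertion carries the session's original AuthnInstant; with it, the user
    re-authenticates and AuthnInstant is stamped now."""
    instant = now if force_authn else session_authn_instant
    return Assertion(issue_instant=now, authn=AuthnStatement(instant))

def demo():
    lifetime = 7776000                                  # 90 days, as in the thread
    now = datetime(2021, 3, 1, tzinfo=timezone.utc)     # constructed "current" time
    logged_in_months_ago = now - timedelta(days=95)     # constructed SSO session start
    stale = idp_respond(logged_in_months_ago, now, force_authn=False)
    fresh = idp_respond(logged_in_months_ago, now, force_authn=True)
    ahead = Assertion(now, AuthnStatement(now + timedelta(minutes=5)))  # IdP clock ahead
    return {
        "stale_session": validate(stale, now, lifetime),
        "force_authn": validate(fresh, now, lifetime),
        "clock_ahead": validate(ahead, now, lifetime, skew_s=60),
        "clock_ahead_with_skew": validate(ahead, now, lifetime, skew_s=600),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'ok'}")
```

Note that the stale case fails even though the assertion's IssueInstant is current, which is why a new browser (new IdP session) or ForceAuthn "fixes" it while raising the lifetime only postpones it.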
