Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-54275

(Google Apps/SAML) org.pac4j.saml.exceptions.SAMLException: Authentication issue instant is too old

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • saml-plugin
    • None
    • saml-1.1.1

      When SAML plugin 1.1.0 is configured with defaults against Google Apps SAML provider, the HTTP POST to finishLogin constantly loops back to Google SSO page.

       

      (Note: in browser Incognito mode works reliably every-time)

      (Note: it does appear to work occasionally in non-Incognito/private mode also)

       

      Request URL: https://jenkins.foobar.com/securityRealm/finishLogin
      Request Method: POST
      Status Code: 403 Forbidden
      X-Hudson: 1.395
      X-Jenkins: 2.138.2
      Server: Jetty(9.4.z-SNAPSHOT)
      Date: Fri, 26 Oct 2018 16:31:01 GMT
      ...
      
      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://jenkins.foobar.com/securityRealm/finishLogin" ID="_8eefe9116d412f94226b8cad29172692" InResponseTo="_3dcey6sdrmsz1wxyccpfbzoa6q1wfep79znpfmc" IssueInstant="2018-10-26T16:31:01.336Z" Version="2.0">
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C03nydxon</saml2:Issuer>
        <saml2p:Status>
          <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </saml2p:Status>
        <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f8b582ffe24652818c06f5d155527bb5" IssueInstant="2018-10-26T16:31:01.336Z" Version="2.0">
          <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C03nydxon</saml2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
              <ds:Reference URI="#_f8b582ffe24652818c06f5d155527bb5">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>vvX/gtRrRI9QnvDAKZSKUERiApsdxBgzeK9/dEaQNAM=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>ITh99...==</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
                <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
                <ds:X509Certificate>MIIDd...</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
          <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abelodedenko@thrivepos.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <saml2:SubjectConfirmationData InResponseTo="_3dcey6sdrmsz1wxyccpfbzoa6q1wfep79znpfmc" NotOnOrAfter="2018-10-26T16:36:01.336Z" Recipient="https://jenkins.foobar.com/securityRealm/finishLogin"/>
            </saml2:SubjectConfirmation>
          </saml2:Subject>
          <saml2:Conditions NotBefore="2018-10-26T16:26:01.336Z" NotOnOrAfter="2018-10-26T16:36:01.336Z">
            <saml2:AudienceRestriction>
              <saml2:Audience>https://jenkins.foobar.com/securityRealm/finishLogin</saml2:Audience>
            </saml2:AudienceRestriction>
          </saml2:Conditions>
          <saml2:AttributeStatement>
            <saml2:Attribute Name="firstName">
              <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Anton</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="lastName">
              <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Belodedenko</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="emailAddress">
              <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">abelodedenko@thrivepos.com</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="role">
              <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">admins</saml2:AttributeValue>
            </saml2:Attribute>
          </saml2:AttributeStatement>
          <saml2:AuthnStatement AuthnInstant="2018-10-24T19:16:48.000Z" SessionIndex="_f8b582ffe24652818c06f5d155527bb5">
            <saml2:AuthnContext>
              <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
          </saml2:AuthnStatement>
        </saml2:Assertion>
      </saml2p:Response>

       

      In the Jenkins log, we see this for every attempt:

      /var/log/jenkins/jenkins.log:
      
      Oct 26, 2018 4:31:02 PM org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator validateSamlSSOResponse
      SEVERE: Current assertion validation failed, continue with the next one
      org.pac4j.saml.exceptions.SAMLException: Authentication issue instant is too old
       or in the future
              at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAuthenticationStatements(SAML2DefaultResponseValidator.java:620)
      ... 

       

      Note above AuthnInstant is in the past:

      <saml2:AuthnStatement AuthnInstant="2018-10-24T19:16:48.000Z" SessionIndex="_f8b582ffe24652818c06f5d155527bb5"> <saml2:AuthnContext> 

       

       

       

        1. image-2018-10-29-09-36-55-317.png
          49 kB
          Anton Belodedenko
        2. image-2018-10-29-09-38-04-170.png
          49 kB
          Anton Belodedenko

            ifernandezcalvo Ivan Fernandez Calvo
            belodetek Anton Belodedenko
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: