Hello, We are working on deploying CAS 4.1.1 to production and were trying to get google apps for education SSO to work. Unfortunately I get a "Google Apps - This service cannot be accessed because your login credentials have expired. Please log in and try again." Error from google. Looking around it seemed to be an issue with clocks set on servers, but I have confirmed the clock and ntp is configured correctly on the server.
Looking at the saml response I noticed "NotOnOrAfter="2015-11-09T09:59:14.000Z"" is set to the current time. Which if I understand correctly means by the time it makes it to google a second has passed and the credentials have expired. We have CAS 3.5.x in production and working and looking at the saml response from it "NotOnOrAfter="2016-11-09T10:03:00Z"" the date is set to 1 year ahead so the credentials don't expire by the time it makes it to google's servers. (The date I was able to confirm both of these behavious in code: 4.1.x: https://github.com/Jasig/cas/blob/master/cas-server-support-saml-googleapps/src/main/java/org/jasig/cas/support/saml/authentication/principal/GoogleAccountsServiceResponseBuilder.java#L97 3.5.x: https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java#L178 Looking at the forums it seems appears the above configuration is working for people, although I don't see how it would if NotOnOrAfter is set to a time 1 second is the past. Am I missing something here? Any guidance will be highly appreciated. Thanks, --- Abhijit Gaikwad Applications Programmer | agaik...@fit.edu<mailto:agaik...@fit.edu> -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
