Possibly the date comparison with the different timezones is off somehow?

- <Ticket is issued before the allowed drift. Issued on
[2018-10-31T16:47:51.558Z] while allowed drift is
[2018-10-31T11:47:58.925-05:00[America/Chicago]]>

Maybe dev CAS and dev ADFS are same timezone and only prod is different?

On Wed, Oct 31, 2018 at 12:06 PM Toby Archer <sandsl...@gmail.com> wrote:

> So I've got a mysterious problem. This morning we were going to go live
> with our new cas 5 servers, but when I tried to login to them, through
> ADFS, my login got redirected five times and landed on an ADFS error page.
> The logs looked like this:
>
> 2018-10-31 11:47:57,680 INFO
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Preparing to redirect to the IdP [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]>
>> 2018-10-31 11:48:08,947 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:51.558Z] while allowed drift is
>> [2018-10-31T11:47:58.925-05:00[America/Chicago]]>
>> 2018-10-31 11:48:08,948 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:08,948 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,253 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:56.615Z] while allowed drift is
>> [2018-10-31T11:47:59.251-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,254 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,254 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,612 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:57.017Z] while allowed drift is
>> [2018-10-31T11:47:59.610-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,612 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,613 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:09,846 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:57.264Z] while allowed drift is
>> [2018-10-31T11:47:59.844-05:00[America/Chicago]]>
>> 2018-10-31 11:48:09,847 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:09,847 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:10,122 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:57.532Z] while allowed drift is
>> [2018-10-31T11:48:00.121-05:00[America/Chicago]]>
>> 2018-10-31 11:48:10,123 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:10,124 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>> 2018-10-31 11:48:10,373 WARN
>> [org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential]
>> - <Ticket is issued before the allowed drift. Issued on
>> [2018-10-31T16:47:57.796Z] while allowed drift is
>> [2018-10-31T11:48:00.359-05:00[America/Chicago]]>
>> 2018-10-31 11:48:10,373 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] - <SAML
>> assertions are blank or no longer valid based on RP identifier [urn:cas:
>> cas.usd.edu] and IdP identifier [http://adfs.usd.edu/adfs/services/trust
>> ]>
>> 2018-10-31 11:48:10,374 WARN
>> [org.apereo.cas.support.wsfederation.web.flow.WsFederationAction] -
>> <Created authentication url [
>> https://adfs.usd.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:cas:cas.usd.edu]
>> and returning error>
>>
>
> I discussed it with the guy who manages our ADFS instance and he asked me
> if the dev cas server works. We have no dev instance of ADFS so both dev
> and production hit the same ADFS server. Dev worked just fine. Login, hit
> ADFS, return, successful login cas page.
>
> I discussed this further and he sent me the saml for both attempts.
>
> <saml:AudienceRestrictionCondition>
>>                     <saml:Audience>urn:cas:cas.usd.edu</saml:Audience>
>>                 </saml:AudienceRestrictionCondition>
>>             </saml:Conditions>
>>             <saml:AttributeStatement>
>>                 <saml:Subject>
>>                     <saml:SubjectConfirmation>
>>
>> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>                     </saml:SubjectConfirmation>
>>                 </saml:Subject>
>>                 <saml:Attribute AttributeName="upn"
>>                                 AttributeNamespace="
>> http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
>>                                 >
>>
>> <saml:AttributeValue>the_users_username</saml:AttributeValue>
>>                 </saml:Attribute>
>>             </saml:AttributeStatement>
>>
>
>
> in production and
>
> <saml:AudienceRestrictionCondition>
>>                     <saml:Audience>urn:cas:test-sso.usd.edu
>> </saml:Audience>
>>                 </saml:AudienceRestrictionCondition>
>>             </saml:Conditions>
>>             <saml:AttributeStatement>
>>                 <saml:Subject>
>>                     <saml:SubjectConfirmation>
>>
>> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>                     </saml:SubjectConfirmation>
>>                 </saml:Subject>
>>                 <saml:Attribute AttributeName="upn"
>>                                 AttributeNamespace="
>> http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
>>                                 >
>>
>> <saml:AttributeValue>the_users_username</saml:AttributeValue>
>>                 </saml:Attribute>
>>
>
> In dev (also called test in places). The SAML is the same (except for some
> bits chopped off when he copied them). The only difference is the audience.
> If both dev and prod weren't working this would make sense. But why only
> prod? I looked at the git log and blames and the dev and production
> configurations are identical except for their name. It feels like CAS gets
> the saml back and it doesn't know what to do with it, so it passes the user
> back to ADFS, which authenticates them again, sends them back, and round we
> go. I'm utterly confused and out of ideas. Anyone have any suggestions?
>
> ~TA
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/917d95dd-3b14-427f-aa28-ebbad1027de5%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/917d95dd-3b14-427f-aa28-ebbad1027de5%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC_RtEYC_97%3DCFYgktphB863EFPFU9pv_y-hy0_hDgt6_bzG-w%40mail.gmail.com.
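An added diagnostic, not from the thread or the CAS project, for testing the timezone hypothesis raised above: both timestamps in the drift warning carry explicit offsets, so normalising them to UTC makes the comparison unambiguous, and taking the log timestamp as the validation instant recovers the tolerance CAS applied. The -05:00 offset given to the log timestamp, and using the log time as the validation instant, are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the first two drift warnings from the thread, re-joined onto one line each.
WARNINGS = [
    "2018-10-31 11:48:08,947 WARN "
    "[org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] "
    "- <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:51.558Z] "
    "while allowed drift is [2018-10-31T11:47:58.925-05:00[America/Chicago]]>",
    "2018-10-31 11:48:09,253 WARN "
    "[org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential] "
    "- <Ticket is issued before the allowed drift. Issued on [2018-10-31T16:47:56.615Z] "
    "while allowed drift is [2018-10-31T11:47:59.251-05:00[America/Chicago]]>",
]

LINE_RE = re.compile(
    r"^(?P<logged>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*"
    r"Issued on \[(?P<issued>[^\]]+)\] while allowed drift is "
    r"\[(?P<drift>[^\[\]]+)(?:\[[^\]]*\])?\]"   # drop the trailing [America/Chicago] zone id
)

def _parse_iso(value: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def analyze_drift_warning(line: str, log_offset_hours: int = -5) -> dict:
    """Normalise both zoned timestamps to UTC and recover the tolerance CAS applied.
    Assumption: CAS logs in server-local time with the same -05:00 offset the drift
    boundary carries, so the log timestamp can stand in for the validation instant."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a WsFederationCredential drift warning")
    issued = _parse_iso(m.group("issued")).astimezone(timezone.utc)
    boundary = _parse_iso(m.group("drift")).astimezone(timezone.utc)
    logged = datetime.strptime(m.group("logged"), "%Y-%m-%d %H:%M:%S,%f").replace(
        tzinfo=timezone(timedelta(hours=log_offset_hours)))
    return {
        "issued_utc": issued.isoformat(),
        "boundary_utc": boundary.isoformat(),
        # how far outside the accepted window the token fell
        "issued_before_boundary_s": round((boundary - issued).total_seconds(), 3),
        # boundary = validation instant - tolerance, so this recovers the configured tolerance
        "implied_tolerance_s": round((logged - boundary).total_seconds(), 3),
        # wall-clock gap between ADFS issuing the token and CAS checking it
        "validation_delay_s": round((logged - issued).total_seconds(), 3),
    }
```

For the first two warnings the token was checked 17.4 s and 12.6 s after issuance against a window of roughly 10 s, while the log timestamps show each redirect cycle completing in well under a second; a gap that large and that stable points at clock skew between the ADFS host and the production CAS host rather than at timezone handling, so comparing NTP state on both hosts comes before raising the tolerance.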
