Sure. Go ahead...

On Mon, 16 Mar 2020 at 11:02, Ganesh and Sashi Prasad <g.c.pra...@gmail.com>
wrote:

> Hi Jerome,
>
> Thanks for the quick response. I have a SAML certificate (captured on this
> user's browser using the SAML Message Decoder Chrome plugin), but since it
> pertains to a client organisation's IdP, I didn't want to attach it to a
> mail addressed to a mailing list. Can I send it to you privately?
>
> Regards,
> Ganesh
>
> On Mon, 16 Mar 2020 at 19:14, Jérôme LELEU <lel...@gmail.com> wrote:
>
>> Hi,
>>
>> Indeed, this kind of error is generally related to the
>> *maximumAuthenticationLifetime* setting.
>>
>> But if only one user has an issue, it generally means that the setup is
>> correct.
>>
>> Can you take a closer look at the SAML response he gets by enabling TRACE
>> logs on org.opensaml?
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>>
>> On Mon, 16 Mar 2020 at 08:25, Ganesh and Sashi Prasad <
>> g.c.pra...@gmail.com> wrote:
>>
>>> One of my users keeps having the same problem every time he tries to log
>>> in. He gets an "Access Unauthorized" message from CAS.
>>>
>>> He belongs to an organisation that has its own identity provider (Okta),
>>> and my setup delegates to his organisation's Okta server.
>>>
>>> I use CAS 5.2.9, and pac4j for delegated authentication to Okta. A SAML
>>> token is sent by Okta, which pac4j validates, and if all is well, CAS
>>> issues a TGC cookie.
>>>
>>> The mechanism works for all other users of this organisation that uses
>>> Okta, but not for this one user.
>>>
>>> I've found an error message in the CAS logs at around the time he was
>>> unable to log in:
>>>
>>> *org.pac4j.saml.exceptions.SAMLException: Authentication issue instant
>>> is too old or in the future*
>>>
>>> and then a bit later
>>>
>>> *org.pac4j.saml.exceptions.SAMLException: No valid subject assertion
>>> found in response*
>>>
>>> But there doesn't seem to be anything wrong with the issue instant. The
>>> Okta setup renews SAML tokens every 24 hours, so I changed the CAS property
>>> to be 24 hours and 5 minutes (86700 seconds):
>>>
>>> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=86700
>>>
>>> But this user still has problems logging in. He sees a message "Access
>>> Unauthorized". He has to clear his cookies every time, and even then, he
>>> isn't always able to get back in.
>>>
>>> Can anyone help with this?
>>>
>>> Regards,
>>> Ganesh
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOEeopgp47coF7743fWmStcZ_Nm346ZOKo7HTTpGys0B0KQXMQ%40mail.gmail.com
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOEeopgp47coF7743fWmStcZ_Nm346ZOKo7HTTpGys0B0KQXMQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>
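
Added example, not part of the original thread and not pac4j or CAS code: a Python script that extracts only the timestamps from a captured base64 SAMLResponse and compares the AuthnStatement's AuthnInstant with the configured maximumAuthenticationLifetime, so the timing can be reviewed without circulating the response itself. The window logic and the 300-second skew are assumptions about how the check behaves, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, not a real IdP response: the message is issued "now",
# but the user's IdP session (AuthnInstant) began two days earlier.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2020-03-16T08:20:00.000Z">
  <saml:Assertion IssueInstant="2020-03-16T08:20:00.000Z">
    <saml:AuthnStatement AuthnInstant="2020-03-14T07:55:12.000Z"/>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def parse_instant(value):
    """Parse a UTC xs:dateTime, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def instants(saml_response_b64):
    """Return {label: datetime} for the timestamps in an HTTP-POST SAMLResponse.
    Diagnostic only: no signature is verified. Use a hardened XML parser
    (e.g. defusedxml) for input you do not trust."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {"Response IssueInstant": root.get("IssueInstant")}
    for a in root.iterfind(".//saml:Assertion", NS):
        found["Assertion IssueInstant"] = a.get("IssueInstant")
    for s in root.iterfind(".//saml:AuthnStatement", NS):
        found["AuthnStatement AuthnInstant"] = s.get("AuthnInstant")
    return {k: parse_instant(v) for k, v in found.items() if v}


def authn_instant_in_window(authn_instant, now, max_lifetime_s, skew_s=300):
    """Assumed form of the check: reject an AuthnInstant older than
    max_lifetime_s + skew_s, or more than skew_s in the future."""
    oldest = now - timedelta(seconds=max_lifetime_s + skew_s)
    newest = now + timedelta(seconds=skew_s)
    return oldest < authn_instant < newest


if __name__ == "__main__":
    now = datetime(2020, 3, 16, 8, 20, 30, tzinfo=timezone.utc)  # fixed for repeatability
    for label, ts in instants(SAMPLE_B64).items():
        print(f"{label}: {ts.isoformat()}  age={(now - ts).total_seconds():.0f}s")
```

In the constructed sample both IssueInstant values are seconds old while the AuthnInstant is about two days old, which is the case where a response looks fresh yet falls outside an 86700-second lifetime.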
