Thanks, let me try it...

On Fri, Sep 17, 2021 at 10:23 AM Adam Pawlowski <aj...@buffalo.edu> wrote:

> Ask whoever runs the IDP to add a skew or offset to the relationship that you're using.
>
> It is not feasible for the things to be exactly in sync to high precision at all times, and this comes up using timing from VMWare, mixed sources etc.
>
> With ADFS the property is NotBeforeSkew, which you can give a minute or whatever you're comfortable with, which should alleviate this issue.
>
> Best,
>
> Adam Pawlowski
>
> From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Jonathan Charles
> Sent: Friday, September 17, 2021 9:00 AM
> To: Kent Roberts <k...@fredf.org>
> Cc: cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] [External] Error Processing SAML Response
>
> The error message in the Cisco traces (SSO) is:
>
> 2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:07:44 UTC 2021 (this time is 17:07:44 CDT)
>
> 2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44 UTC 2021 (this time is 16:07:44 CDT)
>
> 2021-09-15 15:25:10,642 ERROR [http-nio-81-exec-10] authentication.SAMLAuthenticator - Error while processing saml response The time in the Assertion's Condition is invalid. com.sun.identity.saml2.common.SAML2Exception: The time in the Assertion's Condition is invalid.
>
> Basically what appears to be occurring is we get a NotBefore of 1 second after our request came in (16:07:43) and it gets killed....
>
> The real question is what they need to do on the ADFS side to fix this... why are they sending us a time in the future? The argument is NTP is off by one second for one of the servers (all of them show synched)...
>
> Jonathan
>
> On Thu, Sep 16, 2021 at 8:29 PM Kent Roberts <k...@fredf.org> wrote:
>
> Oh, ok if I misunderstood then, yes a SAML trace would be good, as well as knowing is this new or did it work. Seems similar to what I have seen in UCCE with the packet stuff not signed or wrong encryption type... course that's UCCE vs CUCM, but usually cucm just works...
>
> On Sep 16, 2021, at 6:45 PM, Johnson, Tim <johns...@cmich.edu> wrote:
>
> Nah, looks like he said logging into CCM Admin pages, with AD accounts, so all areas of the web UI (I believe). The NTP errors that I've seen are presented as SAML assertion errors.
>
> I'm curious if this is a new SSO config, or if it was working properly and something's changed.
>
> From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Kent Roberts
> Sent: Thursday, September 16, 2021 8:37 PM
> To: Matthew Loraditch <mloradi...@heliontechnologies.com>
> Cc: cisco-voip@puck.nether.net
> Subject: [External] Re: [cisco-voip] Error Processing SAML Response
>
> Remember he said it also was happening on the CUCM Admin account which has nothing to do with SSO/SAML. So means it's most likely internal to cucm...
>
> On Sep 16, 2021, at 4:36 PM, Matthew Loraditch <mloradi...@heliontechnologies.com> wrote:
>
> The logs are pretty clear when it's a time difference as the error. I've not seen it randomly occur but definitely the error will be it's time and may even show the difference.
>
> It's the 4j log file for sso I believe
>
> Matthew Loraditch
> Sr. Network Engineer (He/Him/His)
> p: 443.541.1518
> w: www.heliontechnologies.com
> e: mloradi...@heliontechnologies.com
>
> ------------------------------
>
> From: cisco-voip <cisco-voip-boun...@puck.nether.net> on behalf of Lelio Fulgenzi <le...@uoguelph.ca>
> Sent: Thursday, September 16, 2021 4:32:12 PM
> To: Jonathan Charles <jonv...@gmail.com>; Benjamin Turner <benmtur...@hotmail.com>
> Cc: cisco-voip@puck.nether.net <cisco-voip@puck.nether.net>
> Subject: Re: [cisco-voip] Error Processing SAML Response
>
> Have you been able to confirm the time difference?
>
> I'm not trying to take their side of things, but if it's minutes off, I wouldn't doubt that's possible. SSO is highly secure, right? A time difference might be enough to throw it off?
>
> Here's reference:
>
> https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907
>
> From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Jonathan Charles
> Sent: Thursday, September 16, 2021 6:23 PM
> To: Benjamin Turner <benmtur...@hotmail.com>
> Cc: cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] Error Processing SAML Response
>
> No... TBH, I have never heard of it...
>
> TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC and ADFS...
>
> Jonathan
>
> On Thu, Sep 16, 2021 at 4:08 PM Benjamin Turner <benmtur...@hotmail.com> wrote:
>
> Have you tried to run a SAML Tracer?
>
> Sincerely,
> Benjamin M. Turner
>
> ------------------------------
>
> From: cisco-voip <cisco-voip-boun...@puck.nether.net> on behalf of Jonathan Charles <jonv...@gmail.com>
> Sent: Thursday, September 16, 2021 4:56:48 PM
> To: cisco-voip@puck.nether.net <cisco-voip@puck.nether.net>
> Subject: [cisco-voip] Error Processing SAML Response
>
> So, users are randomly getting the above error when logging into CUCM UCMUser or CUC Inbox... we are also getting it using AD credentials into admin pages for CUCM/CUC/etc.
>
> For a user, it will work fine repeatedly, then you will get the error, close your browser, and reopen, still get the error for a few minutes. Then later it will work. When a user is affected, other users work fine.
>
> TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP (ADFS 2.0) is fine.
>
> Pings are around 1ms between servers.
>
> Any ideas?
>
> Jonathan

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
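The thread turns on two things: how a SAML service provider evaluates the assertion's Conditions (NotBefore is inclusive, NotOnOrAfter is exclusive, so a NotBefore even a fraction of a second ahead of the SP's clock is a hard reject), and how much clock-skew tolerance the failure in Jonathan's trace actually needed. The following is an added example, not code from the cisco-voip thread, from Cisco, or from ADFS. It evaluates a constructed assertion against a skew window, and parses trace lines of the same shape as the thread's DEBUG output to compute the required tolerance. The function names (`check_conditions`, `parse_trace`, `required_skew`, `diagnose`), the sample assertion, and the assumption that the trace timestamps are in CDT (UTC-5, as Jonathan's annotations state) are mine. ADFS's NotBeforeSkew, as Adam describes it, addresses the same window from the issuing side; the SP-side tolerance modelled here is the general form.

```python
"""Added example (not code from the cisco-voip thread, Cisco, or ADFS): evaluate
SAML 2.0 <Conditions> with a clock-skew tolerance, and recover the evaluation
time and condition instants from Cisco SSO trace lines to see how much skew a
rejection would have needed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumption: the trace timestamps are in CDT (UTC-5), per the annotations in the thread.
CDT = timezone(timedelta(hours=-5))

# Constructed sample assertion; the instants match the NotBefore/NotOnOrAfter in the trace.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-example" Version="2.0"
                IssueInstant="2021-09-15T21:07:44Z">
  <saml:Issuer>http://adfs.example.invalid/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2021-09-15T21:07:44Z" NotOnOrAfter="2021-09-15T22:07:44Z"/>
</saml:Assertion>
"""

# Constructed trace lines in the shape of the thread's DEBUG output.
SAMPLE_TRACE = [
    "2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - "
    "SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:07:44 UTC 2021",
    "2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - "
    "SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44 UTC 2021",
]

TRACE_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) ")
COND = re.compile(r"checkConditions: (NotBefore|NotOnOrAfter) Condition = (.+?)$")


def parse_saml_instant(text):
    """SAML dateTime values are UTC with a trailing 'Z'; normalise to an aware datetime."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def conditions_from_assertion(xml_text):
    """Return (NotBefore, NotOnOrAfter) from an Assertion, Response, or bare Conditions."""
    root = ET.fromstring(xml_text.strip())
    tag = f"{{{SAML_NS}}}Conditions"
    cond = root if root.tag == tag else root.find(f".//{tag}")
    if cond is None:
        return None, None
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    return (parse_saml_instant(nb) if nb else None,
            parse_saml_instant(noa) if noa else None)


def check_conditions(not_before, not_on_or_after, now, skew=timedelta(0)):
    """Valid iff NotBefore <= now < NotOnOrAfter; skew widens the window on both sides."""
    if not_before is not None and now + skew < not_before:
        ahead = (not_before - now).total_seconds()
        return False, f"NotBefore is {ahead:.3f}s ahead of local time (skew {skew.total_seconds():.0f}s)"
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        behind = (now - not_on_or_after).total_seconds()
        return False, f"assertion expired {behind:.3f}s ago (skew {skew.total_seconds():.0f}s)"
    return True, "within validity window"


def parse_trace(lines, log_tz):
    """Pull the evaluation time (log timestamp) and both condition instants out of trace lines."""
    evaluated_at, conds = None, {}
    for line in lines:
        ts, cond = TRACE_TS.match(line), COND.search(line)
        if not (ts and cond):
            continue
        evaluated_at = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S").replace(
            microsecond=int(ts.group(2)) * 1000, tzinfo=log_tz)
        # The trace prints java.util.Date.toString(), e.g. "Wed Sep 15 21:07:44 UTC 2021".
        conds[cond.group(1)] = datetime.strptime(
            cond.group(2), "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)
    return evaluated_at, conds.get("NotBefore"), conds.get("NotOnOrAfter")


def required_skew(evaluated_at, not_before, not_on_or_after):
    """Seconds of tolerance (at least) that would have let this evaluation pass; 0 if it passed."""
    need = 0.0
    if not_before is not None:
        need = max(need, (not_before - evaluated_at).total_seconds())
    if not_on_or_after is not None:
        need = max(need, (evaluated_at - not_on_or_after).total_seconds())
    return need


def diagnose(trace_lines, log_tz=CDT):
    """Summarise a rejection: strict result, result with a one-minute skew, and the skew needed."""
    evaluated_at, nb, noa = parse_trace(trace_lines, log_tz)
    strict_ok, reason = check_conditions(nb, noa, evaluated_at)
    skew_ok, _ = check_conditions(nb, noa, evaluated_at, skew=timedelta(minutes=1))
    return {"evaluated_at_utc": evaluated_at.astimezone(timezone.utc).isoformat(),
            "strict": strict_ok, "with_1min_skew": skew_ok,
            "required_skew_s": required_skew(evaluated_at, nb, noa), "reason": reason}


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
    nb, noa = conditions_from_assertion(SAMPLE_ASSERTION)
    print(check_conditions(nb, noa, datetime(2021, 9, 15, 21, 7, 43, 791000, tzinfo=timezone.utc)))
```

Run against the sample trace, `diagnose` reports that the strict check fails because NotBefore is 0.209 s ahead of the log timestamp, that a one-minute skew passes, and that about 0.2 s of tolerance would have sufficed. That is the quantitative answer to "why are they sending us a time in the future": the IdP stamped the assertion a few hundred milliseconds ahead of the SP's clock, which is within normal NTP jitter but outside a zero-tolerance window. Keep whatever skew you configure small (a minute, as Adam suggests), since the same window bounds how long a captured assertion stays replayable.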