Keep us updated on the outcome. This is a good learning experience for all of 
us.

Sent from my iPhone

On Sep 17, 2021, at 3:18 PM, Jonathan Charles <[email protected]> wrote:



CAUTION: This email originated from outside of the University of Guelph. Do not 
click links or open attachments unless you recognize the sender and know the 
content is safe. If in doubt, forward suspicious emails to [email protected]


Thanks, let me try it...

On Fri, Sep 17, 2021 at 10:23 AM Adam Pawlowski <[email protected]> wrote:
Ask whoever runs the IDP to add a skew or offset to the relationship that 
you’re using.

It is not feasible for the things to be exactly in sync to high precision at 
all times, and this comes up using timing from VMWare, mixed sources etc.

With ADFS the property is NotBeforeSkew, which you can give a minute or 
whatever you’re comfortable with, which should alleviate this issue.

Best,

Adam Pawlowski



From: cisco-voip <[email protected]> On Behalf Of Jonathan Charles
Sent: Friday, September 17, 2021 9:00 AM
To: Kent Roberts <[email protected]>
Cc: [email protected]
Subject: Re: [cisco-voip] [External] Error Processing SAML Response

The error message in the Cisco traces (SSO) is:

2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:07:44 UTC 2021   -  this time is 17:07:44 CDT
2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44 UTC 2021   -  this time is 16:07:44 CDT

2021-09-15 15:25:10,642 ERROR [http-nio-81-exec-10] authentication.SAMLAuthenticator - Error while processing saml response The time in the Assertion's Condition is invalid.
com.sun.identity.saml2.common.SAML2Exception: The time in the Assertion's Condition is invalid.

Basically what appears to be occurring is we get a NotBefore of 1 second after 
our request came in (16:07:43) and it gets killed....

The real question is what they need to do on the ADFS side to fix this... why 
are they sending us a time in the future? The argument is NTP is off by one 
second for one of the servers (all of them show synched)...


Jonathan
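The check those trace lines describe, as an added Python example that is not code from the thread, from Cisco or from ADFS: it parses the two Condition lines quoted above, treats the trace timestamp as the service provider's local clock (assumed to be CDT, UTC-5), and evaluates the SAML validity window first with no tolerance and then with the kind of skew allowance Adam Pawlowski suggests above. With no tolerance the NotBefore that sits one second ahead of the SP clock rejects the assertion; with a 60-second tolerance the same assertion passes.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the two Condition lines quoted in the thread.
LOG_LINES = [
    "2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - "
    "SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:07:44 UTC 2021",
    "2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - "
    "SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44 UTC 2021",
]

# Assumption: the trace timestamp is the SP's local clock in CDT (UTC-5).
LOCAL_TZ = timezone(timedelta(hours=-5))

COND_RE = re.compile(
    r"^(\S+ \S+) .*checkConditions: (NotBefore|NotOnOrAfter) Condition = (.+)$"
)


def parse_log(lines):
    """Return (sp_clock_utc, {'NotBefore': dt, 'NotOnOrAfter': dt}) from trace lines."""
    sp_clock, conds = None, {}
    for line in lines:
        m = COND_RE.match(line)
        if not m:
            continue  # not a Condition line; ignore
        stamp, name, value = m.groups()
        sp_clock = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=LOCAL_TZ)
        # Condition values are printed in UTC by the SAML library
        conds[name] = datetime.strptime(value, "%a %b %d %H:%M:%S UTC %Y").replace(
            tzinfo=timezone.utc
        )
    return sp_clock, conds


def check_conditions(now, not_before, not_on_or_after, skew=timedelta(0)):
    """SAML Conditions window (NotBefore <= now < NotOnOrAfter), widened by an allowed skew.

    Backdating NotBefore at the IdP, which is what a NotBeforeSkew-style setting does,
    has the same effect as the tolerance applied here on the SP side.
    """
    if now < not_before - skew:
        return "rejected: NotBefore is in the future"
    if now >= not_on_or_after + skew:
        return "rejected: assertion expired"
    return "ok"


def evaluate(lines, skew_seconds):
    """Run the Conditions check over trace lines with a given tolerance in seconds."""
    now, c = parse_log(lines)
    return check_conditions(now, c["NotBefore"], c["NotOnOrAfter"], timedelta(seconds=skew_seconds))
```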

On Thu, Sep 16, 2021 at 8:29 PM Kent Roberts <[email protected]> wrote:
Oh, ok, if I misunderstood then, yes, a SAML trace would be good, as well as 
knowing whether this is new or whether it used to work. Seems similar to what I 
have seen in UCCE with the packet stuff not signed or wrong encryption type… of 
course that's UCCE vs CUCM, but usually CUCM just works…



On Sep 16, 2021, at 6:45 PM, Johnson, Tim <[email protected]> wrote:

Nah, looks like he said logging into CCM Admin pages, with AD accounts, so all 
areas of the web UI (I believe). The NTP errors that I’ve seen are presented as 
SAML assertion errors.

I’m curious if this is a new SSO config, or if it was working properly and 
something’s changed.

From: cisco-voip <[email protected]> On Behalf Of Kent Roberts
Sent: Thursday, September 16, 2021 8:37 PM
To: Matthew Loraditch <[email protected]>
Cc: [email protected]
Subject: [External] Re: [cisco-voip] Error Processing SAML Response

Remember he said it also was happening on the CUCM Admin account, which has 
nothing to do with SSO/SAML. So that means it's most likely internal to CUCM...

On Sep 16, 2021, at 4:36 PM, Matthew Loraditch <[email protected]> wrote:

The logs are pretty clear when it's a time difference that is the error. I've 
not seen it randomly occur, but definitely the error will be that it's time, and 
it may even show the difference.

It's the 4j log file for SSO, I believe.


Matthew Loraditch
Sr. Network Engineer
(He/Him/His)
p: 443.541.1518
w: www.heliontechnologies.com
e: [email protected]
________________________________
From: cisco-voip <[email protected]> on behalf of Lelio Fulgenzi <[email protected]>
Sent: Thursday, September 16, 2021 4:32:12 PM
To: Jonathan Charles <[email protected]>; Benjamin Turner <[email protected]>
Cc: [email protected]
Subject: Re: [cisco-voip] Error Processing SAML Response


[EXTERNAL]


Have you been able to confirm the time difference?

I’m not trying to take their side of things, but if it’s minutes off, I 
wouldn’t doubt that’s possible. SSO is highly secure, right? A time difference 
might be enough to throw it off?

Here’s a reference:

https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907



From: cisco-voip <[email protected]> On Behalf Of Jonathan Charles
Sent: Thursday, September 16, 2021 6:23 PM
To: Benjamin Turner <[email protected]>
Cc: [email protected]
Subject: Re: [cisco-voip] Error Processing SAML Response


No... TBH, I have never heard of it...

TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC and 
ADFS...


Jonathan

On Thu, Sep 16, 2021 at 4:08 PM Benjamin Turner <[email protected]> wrote:
Have you tried to run a SAML Tracer?

Sincerely,
Benjamin M. Turner
________________________________
From: cisco-voip <[email protected]> on behalf of Jonathan Charles <[email protected]>
Sent: Thursday, September 16, 2021 4:56:48 PM
To: [email protected]
Subject: [cisco-voip] Error Processing SAML Response

So, users are randomly getting the above error when logging into CUCM UCMUser 
or CUC Inbox... we are also getting it using AD credentials into admin pages 
for CUCM/CUC/etc.

For a user, it will work fine repeatedly, then you will get the error, close 
your browser, and reopen, and still get the error for a few minutes. Then later 
it will work. When a user is affected, other users work fine.

TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP (ADFS 
2.0) is fine.

Pings are around 1ms between servers.

Any ideas?


Jonathan



_______________________________________________
cisco-voip mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-voip
