  1. Jenkins
  2. JENKINS-37289

authentication issue instant is too old or in the future


      Description

      Authenticating with Azure AD (cloud-only) returns:
      "authentication issue instant is too old or in the future" in the Jenkins log.
      I've read that Azure AD auth tokens last 1 hour and refresh tokens last 24 hours,
      SAML Max lifetime is set to default (24*60*60 = 86400)

            Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            It is fixed in SAML Plugin 1.0.0-SNAPSHOT, I just tested it with an Authentication Lifetime of 100 days

            <saml:AuthnStatement AuthnInstant="2017-08-03T11:34:55Z" SessionNotOnOrAfter="2017-11-11T11:34:55Z" SessionIndex="_739f347824be6192e2f02f2319febb3cf26497d493">
            <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
            </saml:AuthnStatement>
            

             

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            1.0.0 version released

            spike777 Yaniv R added a comment -

            Still occurring in the newest version.

             

            org.pac4j.saml.exceptions.SAMLException: Authentication issue instant is too old or in the future
            at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAuthenticationStatements(SAML2DefaultResponseValidator.java:620)
            at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateAssertion(SAML2DefaultResponseValidator.java:393)
            at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlSSOResponse(SAML2DefaultResponseValidator.java:302)
            at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:138)
            at org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:77)
            at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:35)
            at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:225)
            at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:60)
            at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:106)
            at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:53)
            at org.jenkinsci.plugins.saml.SamlProfileWrapper.process(SamlProfileWrapper.java:33)
            at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:65)
            at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:265)
            at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
            at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
            at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
            at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
            at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
            at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
            at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
            at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
            at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
            at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
            at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
            at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
            at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
            at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138)
            at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
            at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49)
            at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
            at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
            at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
            at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
            at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
            at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
            at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
            at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
            at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
            at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
            at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
            at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
            at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
            at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
            at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
            at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
            at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
            at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
            at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
            at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
            at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
            at org.eclipse.jetty.server.Server.handle(Server.java:499)
            at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
            at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
            at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
            at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at java.lang.Thread.run(Thread.java:745)

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            Take a look at the wiki page of the plugin and enable the loggers to see the SAMLResponse message; check the date and time of the assertions and the time sync of your Jenkins with the SAML service.

            spike777 Yaniv R added a comment -

            Here is the field, doesn't look like the times are different, anything else I need to look at?

             

             

            <samlp:Response ID="1111" Version="2.0" IssueInstant="2017-08-23T10:45:50.662Z" Destination="https://jenkins_address:8443/securityRealm/finishLogin" InResponseTo="aaaaa"
             xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
             <Issuer
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/1111/
             </Issuer>
             <samlp:Status>
             <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
             </samlp:Status>
             <Assertion ID="_11111" IssueInstant="2017-08-23T10:45:50.646Z" Version="2.0"
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
             <Issuer>https://sts.windows.net/11111/</Issuer>
             <Signature
             xmlns="http://www.w3.org/2000/09/xmldsig#">
             <SignedInfo>
             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
             <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
             <Reference URI="#_11111">
             <Transforms>
             <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
             <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
             </Transforms>
             <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
             <DigestValue>111111=</DigestValue>
             </Reference>
             </SignedInfo>
             <SignatureValue>1111==</SignatureValue>
             <KeyInfo>
             <X509Data>
            
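Added example (not part of the issue thread, the SAML plugin, or pac4j): a diagnostic that applies the kind of window check the error message describes to the `AuthnInstant` of each `AuthnStatement`, which an IdP can report as much earlier than the `IssueInstant` of the response and assertion. The 86400-second lifetime is the default quoted in the description; the 300-second skew, the function names and the sample response are assumptions constructed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample, not taken from the issue: the assertion is issued "now",
# but the user's IdP session began two days earlier, so AuthnInstant is old.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2017-08-23T10:45:50.662Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-08-23T10:45:50.646Z">
    <saml:AuthnStatement AuthnInstant="2017-08-21T08:02:11.000Z" SessionIndex="_a1"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime ('...Z'), with or without fractional seconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac + "000000")[:6])) if frac else dt


def check_authn_instants(xml_text, now, max_lifetime_s=86400, skew_s=300):
    """Report, per AuthnStatement, whether AuthnInstant falls inside the accepted window.

    Diagnostic only, for a response taken from your own logs: it does not
    verify signatures, conditions or audience, so it is not a SAML validator.
    """
    skew = timedelta(seconds=skew_s)            # assumed clock-skew allowance
    lifetime = timedelta(seconds=max_lifetime_s)
    findings = []
    for assertion in ET.fromstring(xml_text).iter(SAML + "Assertion"):
        issued = parse_instant(assertion.attrib["IssueInstant"])
        for stmt in assertion.iter(SAML + "AuthnStatement"):
            authn = parse_instant(stmt.attrib["AuthnInstant"])
            if authn - skew > now:
                verdict = "in the future"       # IdP clock ahead of ours, beyond skew
            elif authn + lifetime + skew < now:
                verdict = "too old"             # login older than the allowed lifetime
            else:
                verdict = "ok"
            findings.append({
                "authn_instant": authn,
                "verdict": verdict,
                "authn_age_s": (now - authn).total_seconds(),
                "issue_age_s": (now - issued).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    now = datetime(2017, 8, 23, 10, 46, 0, tzinfo=timezone.utc)
    for finding in check_authn_instants(SAMPLE, now):
        print(finding)
```

A small `issue_age_s` next to a large `authn_age_s` means the clocks agree and the rejection comes from the age of the original login relative to the configured maximum lifetime.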

              People

              Assignee:
              ifernandezcalvo Ivan Fernandez Calvo
              Reporter:
              stradenko C
              Votes:
              4
              Watchers:
              10