Assertion Expired immediately on Multiple Audience Restrictions on RH-SSO With External IdP

Solution Verified - Updated -

Issue

  • The browser shows the message "Login timeout. Please login again."
  • server.log shows the following error message:

    INFO  [org.keycloak.saml.validators.ConditionsValidator] (default task-11) Assertion _0123456789abcef0123456789abcef is not addressed to this SP.
    ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-11) Assertion expired.
    WARN  [org.keycloak.events] (default task-11) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=XYZ, clientId=null, userId=null, ipAddress=10.0.0.204, error=invalid_saml_response
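
The log sequence above, as an added triage example (not Red Hat's or Keycloak's code): it pairs each "Assertion expired." error with an audience message logged earlier on the same worker thread, so an expiry that follows "is not addressed to this SP" is reported as an audience hint rather than a bare timeout. The sample log is this page's three lines plus one constructed line; the function and field names are this example's own.

```python
import re

# Constructed sample: the three server.log lines from this page (one thread),
# plus one constructed expiry on another thread with no audience message.
SAMPLE_LOG = """\
INFO  [org.keycloak.saml.validators.ConditionsValidator] (default task-11) Assertion _0123456789abcef0123456789abcef is not addressed to this SP.
ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-11) Assertion expired.
WARN  [org.keycloak.events] (default task-11) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=XYZ, clientId=null, userId=null, ipAddress=10.0.0.204, error=invalid_saml_response
ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-7) Assertion expired.
"""

# search() rather than match(), so a leading timestamp on real lines is tolerated.
LINE = re.compile(r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$")
AUDIENCE = re.compile(r"Assertion (?P<id>\S+) is not addressed to this SP\.")
FIELD = re.compile(r"(\w+)=([^,\s]+)")

def triage(log_text):
    """One finding per 'Assertion expired.' error, tagged with the audience
    message (if any) logged before it on the same worker thread. Thread names
    are reused by the pool, so the pairing is a hint, not proof."""
    pending, open_by_thread, findings = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        logger, thread, msg = m["logger"], m["thread"], m["msg"].strip()
        aud = AUDIENCE.search(msg)
        if logger.endswith("ConditionsValidator") and aud:
            pending[thread] = aud["id"]
        elif logger.endswith("SAMLEndpoint") and msg == "Assertion expired.":
            assertion_id = pending.pop(thread, None)
            finding = {
                "thread": thread,
                "assertion_id": assertion_id,
                "hint": "audience-mismatch" if assertion_id else "no-audience-message",
                "realm": None,
                "ip": None,
            }
            findings.append(finding)
            open_by_thread[thread] = finding
        elif logger == "org.keycloak.events" and "error=invalid_saml_response" in msg:
            finding = open_by_thread.pop(thread, None)
            if finding:  # attach realm and client address from the event line
                fields = dict(FIELD.findall(msg))
                finding["realm"] = fields.get("realmId")
                finding["ip"] = fields.get("ipAddress")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```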
    

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • SAML
  • External IdP (Identity Provider)
  • Successful redirection from IdP to RH-SSO server
