Assertion Expired immediately on RH-SSO with external IdP with Clock Skew

Solution Unverified - Updated -

Issue

  • We are getting a "Login timeout. Please login again." message in the browser after a successful redirection from the external SAML IdP to the RH-SSO server. The RH-SSO server.log shows the following error message:

    18:08:44,375 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-1) Assertion expired.
    18:08:44,376 WARN  [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=saml-broker-authentication-realm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response
    

Environment

  • We are seeing "Login timeout. Please login again."
  • server.log shows the following error message:

    18:08:44,375 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-1) Assertion expired.
    18:08:44,376 WARN  [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=saml-broker-authentication-realm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response
    
  • The log shows "NotBefore" with a time after the log timestamp.
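
To confirm the symptom above from a captured assertion, the following added example (not Red Hat's or Keycloak's code) compares the assertion's Conditions window with the time the receiver logged the error and reports how far NotBefore lies ahead. The sample assertion, its date, and the names `check_conditions` and `allowed_skew_s` are constructed for illustration.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: NotBefore is 40 s later than a receiver clock reading
# 18:08:44 UTC (the date and all attribute values are invented).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2020-01-01T18:09:24Z">
  <saml:Conditions NotBefore="2020-01-01T18:09:24Z" NotOnOrAfter="2020-01-01T18:14:24Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, received_at, allowed_skew_s=0):
    """Evaluate NotBefore <= t < NotOnOrAfter at the receiver's time.

    received_at must be timezone-aware. Returns (verdict, seconds), where
    seconds is the distance between received_at and the violated bound.
    allowed_skew_s is a hypothetical tolerance applied to both bounds.
    """
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", SAML_NS)
    if cond is None:
        return ("no-conditions", 0.0)
    skew = timedelta(seconds=allowed_skew_s)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before:
        start = parse_instant(not_before)
        if received_at + skew < start:
            # The issuer's clock is ahead of ours (or ours is behind).
            return ("not-yet-valid", (start - received_at).total_seconds())
    if not_on_or_after:
        end = parse_instant(not_on_or_after)
        if received_at - skew >= end:
            return ("expired", (received_at - end).total_seconds())
    return ("valid", 0.0)


if __name__ == "__main__":
    log_time = parse_instant("2020-01-01T18:08:44Z")  # constructed receiver time
    print(check_conditions(SAMPLE_ASSERTION, log_time))
    print(check_conditions(SAMPLE_ASSERTION, log_time, allowed_skew_s=60))
```

The reported seconds value is the clock offset to correct between the two hosts. A nonzero tolerance also lengthens the period in which a captured assertion is accepted, so keep it as small as the measured offset requires.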
