Assertion Expired immediately on RH-SSO with external IdP with Clock Skew
Issue
- We are getting a "Login timeout. Please login again." message in the browser after a successful redirection from the external SAML IdP to the RH-SSO server. The RH-SSO server.log shows the following error message:

      18:08:44,375 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-1) Assertion expired.
      18:08:44,376 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=saml-broker-authentication-realm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response

- The log shows "NotBefore" with a time after the log timestamp.
Environment
- Red Hat Single Sign-On (RH-SSO)
  - 7
- SAML identity brokering with external IdP (Identity Provider)
- Successful redirection from IdP to RH-SSO server
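
The symptom in the Issue section (an "Assertion expired" error while "NotBefore" is later than the log timestamp) can be confirmed offline by comparing a captured assertion's Conditions window with the receiving server's clock. The following is an added diagnostic example, not Red Hat or Keycloak code; the function names, the `tolerance` parameter and the sample assertion (with its date) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

CONDITIONS = "{urn:oasis:names:tc:SAML:2.0:assertion}Conditions"

# Constructed sample: the IdP stamped NotBefore two minutes after the
# receiver's clock reading used below (18:08:44 UTC).
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T18:10:44Z">
  <saml:Conditions NotBefore="2024-01-01T18:10:44Z"
                   NotOnOrAfter="2024-01-01T18:15:44Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC SAML timestamp such as 2024-01-01T18:10:44Z."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, receiver_now, tolerance=timedelta(0)):
    """Return (status, offset) for the assertion's validity window.

    status is 'valid', 'not_yet_valid' or 'expired' after applying
    `tolerance` (a hypothetical allowed clock skew); offset is how far
    receiver_now lies outside the raw window (zero when inside it).
    Diagnostic only: the assertion's signature is not verified.
    """
    root = ET.fromstring(assertion_xml)
    cond = next(root.iter(CONDITIONS), None)
    if cond is None:
        raise ValueError("no saml:Conditions element found")
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and receiver_now < parse_instant(not_before):
        offset = parse_instant(not_before) - receiver_now
        return ("valid" if offset <= tolerance else "not_yet_valid"), offset
    if not_on_or_after and receiver_now >= parse_instant(not_on_or_after):
        offset = receiver_now - parse_instant(not_on_or_after)
        return ("valid" if offset < tolerance else "expired"), offset
    return "valid", timedelta(0)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 18, 8, 44, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE_ASSERTION, now))
    print(check_conditions(SAMPLE_ASSERTION, now, timedelta(minutes=3)))
```

A `not_yet_valid` result with a small offset points to the receiver's clock running behind the IdP's, so time synchronization on both hosts is the first thing to check.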