Assertion Expired immediately on Multiple Audience Restrictions on RH-SSO With External IdP

Solution Verified - Updated -

Issue

  • The browser shows the message "Login timeout. Please login again."
  • server.log shows the following messages:

    INFO  [org.keycloak.saml.validators.ConditionsValidator] (default task-11) Assertion _0123456789abcef0123456789abcef is not addressed to this SP.
    ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-11) Assertion expired.
    WARN  [org.keycloak.events] (default task-11) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=XYZ, clientId=null, userId=null, ipAddress=10.0.0.204, error=invalid_saml_response
    

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • SAML
  • External IdP (Identity Provider)
  • Successful redirection from IdP to RH-SSO server
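
The log above reports the audience message immediately before the expiry error, so it helps to evaluate the assertion's time window and its audience restrictions separately. The following is an added example, not code from RH-SSO or from this article; it applies the SAML 2.0 Core rule that audiences inside one AudienceRestriction are alternatives while every AudienceRestriction must be satisfied, and the sample assertion, entity IDs and timestamps are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: entity IDs and timestamps are illustrative, not from a real IdP.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sso.example.com/auth/realms/XYZ</saml:Audience>
    </saml:AudienceRestriction>
    <saml:AudienceRestriction>
      <saml:Audience>https://other-sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_conditions(assertion_xml, sp_entity_id, now):
    """Return (time_ok, audience_ok, failing_restrictions)."""
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", NS)
    if cond is None:
        return True, True, []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    time_ok = (nb is None or now >= _ts(nb)) and (noa is None or now < _ts(noa))
    failing = []
    # AND across AudienceRestriction elements, OR across Audience values inside one
    for i, ar in enumerate(cond.findall("saml:AudienceRestriction", NS), 1):
        audiences = [(a.text or "").strip() for a in ar.findall("saml:Audience", NS)]
        if sp_entity_id not in audiences:
            failing.append((i, audiences))
    return time_ok, not failing, failing

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 10, 2, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE_ASSERTION, "https://sso.example.com/auth/realms/XYZ", now))
```

With the constructed sample, the time window is valid but the second restriction does not list the SP, so the conditions as a whole fail even though nothing has expired.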
