NAM SAML 2 Identity Server generating assertion for Ping Identity SP
When the assertion is posted to the SP's Assertion Consumer Service (ACS), SSO fails and the user is shown the SP's generic "unable to log in" error.
Debugging on the Ping SP shows the following message:
(reference# IJZGAXII) Response contains no valid assertions: [
Assertion (idxmi5oIRwBvZ0JPSxxmmdJadH8tc) Status: INVALID
(Profiles 18.104.22.168) assertion could not be confirmed - here's why: [#1 subject confirmation is unsatisfactory: [Time condition: for security reasons NotOnOrAfter (2016-09-26T23:38:29Z) cannot be more than 74 minutes ahead of the current time (2016-09-26T19:38:33.061Z)]]]. InMessageContext
Looking at the assertion, we see two time constraints that together invalidate it. The saml:SubjectConfirmationData NotOnOrAfter value falls after the NotOnOrAfter value of the saml:Conditions element, and it is the Conditions element that bounds the overall validity of the assertion. On top of that, the SP refuses any SubjectConfirmationData NotOnOrAfter that is more than 74 minutes ahead of its own clock, which is the check that actually fired in the log above. The two values in question, taken from the assertion, are:
<saml:SubjectConfirmationData InResponseTo="bADTj-ddzziVjs.emIFXySxXMa6" NotOnOrAfter="2016-09-28T19:16:55Z"
<saml:Conditions NotBefore="2016-09-28T15:11:55Z" NotOnOrAfter="2016-09-28T15:21:55Z">
The SubjectConfirmationData timeout is derived from the user's session timeout on the Identity Server, which is set to 4 hours. That explains why the value in the confirmation data lands about four hours past the Conditions window.
Look at this site:
It references the timeouts and the SAML specs, and lists the following ways to resolve the mismatch:
1. Leave out the SubjectConfirmation element (parent of SubjectConfirmationData) entirely, as it is optional.
2. Include SubjectConfirmation but leave out the SubjectConfirmationData element, as it is optional.
3. Include SubjectConfirmationData but leave out its NotOnOrAfter attribute, as it is optional.
4. Adjust the SubjectConfirmationData time values (NotBefore and/or NotOnOrAfter) so that they fall within the window specified by the Conditions element.
Note that options 1 to 3 rely on elements that are optional only in the core assertion schema. The SAML 2.0 Web Browser SSO profile (Profiles spec, section 4.1.4.2) requires a bearer SubjectConfirmation whose SubjectConfirmationData carries a Recipient and a NotOnOrAfter, so a strict SP may reject an assertion that omits them. Option 4 is the one that satisfies both the profile and this SP's 74-minute limit.
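The following is an added example, not code from the original note or from NAM or Ping: an SP-side check of the time conditions discussed above, together with the "option 4" correction that pulls the SubjectConfirmationData NotOnOrAfter back inside the Conditions window. The assertion fragment is constructed from the timestamps quoted in the note (its IssueInstant, NameID and Recipient are made up); the 74-minute look-ahead limit is taken from the SP's log message, and the 3-minute clock-skew allowance is an assumption.

```python
"""Added example: validate SAML 2.0 assertion time conditions the way a strict SP does,
and apply the option-4 fix. Not the original note's code; sample values are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("saml", NS["saml"])

# Constructed assertion using the two timestamps quoted in the note. IssueInstant,
# NameID and Recipient are invented to make the fragment well-formed.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="idxmi5oIRwBvZ0JPSxxmmdJadH8tc" Version="2.0" IssueInstant="2016-09-28T15:16:55Z">
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="bADTj-ddzziVjs.emIFXySxXMa6"
          Recipient="https://sp.example.com/sp/ACS.saml2"
          NotOnOrAfter="2016-09-28T19:16:55Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-09-28T15:11:55Z" NotOnOrAfter="2016-09-28T15:21:55Z"/>
</saml:Assertion>"""

# Constructed "current time" on the SP: three seconds after the (assumed) IssueInstant.
SAMPLE_NOW = datetime(2016, 9, 28, 15, 16, 58, tzinfo=timezone.utc)

SCD_PATH = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ('Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def check_time_conditions(assertion_xml, now, skew=timedelta(minutes=3),
                          max_ahead=timedelta(minutes=74)):
    """Return a list of reasons the assertion's time conditions fail (empty = OK).

    skew: tolerated clock difference between IdP and SP (assumed value).
    max_ahead: how far in the future the SP tolerates SubjectConfirmationData
    NotOnOrAfter; 74 minutes is the limit the Ping SP reported in the note.
    """
    root = ET.fromstring(assertion_xml)
    problems = []

    cond = root.find("saml:Conditions", NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    cond_noa = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        problems.append("Conditions NotBefore is still in the future")
    if now - skew >= cond_noa:
        problems.append("Conditions NotOnOrAfter has already passed")

    scd = root.find(SCD_PATH, NS)
    if scd is None or scd.get("NotOnOrAfter") is None:
        # Optional in the core schema, but required for bearer confirmation in Web SSO.
        problems.append("bearer SubjectConfirmationData NotOnOrAfter is missing")
        return problems
    scd_noa = parse_saml_time(scd.get("NotOnOrAfter"))
    if now - skew >= scd_noa:
        problems.append("SubjectConfirmationData NotOnOrAfter has already passed")
    if scd_noa > cond_noa:
        problems.append(f"SubjectConfirmationData NotOnOrAfter ({scd.get('NotOnOrAfter')}) "
                        f"is later than Conditions NotOnOrAfter ({cond.get('NotOnOrAfter')})")
    if scd_noa - now > max_ahead:
        problems.append(f"SubjectConfirmationData NotOnOrAfter is {scd_noa - now} ahead of "
                        f"the SP clock, more than the {max_ahead} allowed")
    return problems


def clamp_subject_confirmation(assertion_xml):
    """Option 4: cap SubjectConfirmationData NotOnOrAfter at Conditions NotOnOrAfter.

    Shown here as an XML rewrite for illustration only; in practice the IdP must
    issue the corrected value itself, since the assertion has to be signed after it.
    """
    root = ET.fromstring(assertion_xml)
    cond_noa_raw = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    scd = root.find(SCD_PATH, NS)
    if scd is not None and scd.get("NotOnOrAfter") is not None:
        if parse_saml_time(scd.get("NotOnOrAfter")) > parse_saml_time(cond_noa_raw):
            scd.set("NotOnOrAfter", cond_noa_raw)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for reason in check_time_conditions(ASSERTION_XML, SAMPLE_NOW):
        print("INVALID:", reason)
    print("after fix:", check_time_conditions(clamp_subject_confirmation(ASSERTION_XML), SAMPLE_NOW))
```

Run as-is, the check reports both the ordering problem (confirmation window ends after the Conditions window) and the SP's look-ahead limit being exceeded; after the clamp, the same assertion passes. The look-ahead limit is the one that produced the "cannot be more than 74 minutes ahead" line in the log, so shrinking the session-derived confirmation timeout on the IdP, not loosening the SP, is the fix.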