"Sorry you don't have access" - clock skew and assertion lifetime
Problem
Users are unable to log in and they see the below message.
This is a generic message and requires further investigation to determine if this is the clock skew and assertion lifetime issue.
What does this clock skew and assertion lifetime issue mean?
The computer clock of the server hosting your website and the computer clock of the server hosting your login site are out of sync. The login request recorded by the website server therefore carries a different timestamp than the one recorded by the login site server, that is, the Identity Provider (for example ADFS). The SAML assertion is only valid for a short window (its NotBefore / NotOnOrAfter conditions), so when the two clocks disagree by more than that window allows, the website rejects the assertion as expired or not yet valid.
If you are using a custom SAML provider:
You can look at the Identity Provider logs to retrieve relevant log messages. For example, if you use ADFS and see the below log message, then the clock skew issue applies to you.
Exception: ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML assertion is outside the valid time period.
If you are a self-hosted client and are integrating with AD:
If you have an admin user who can still access the site, go to Admin Panel > System Logs. If you find an error like the one below, then the clock skew issue applies to you. Otherwise, contact ThoughtFarmer.
Error while processing SAML Response. Access Denied. - General - "1234578-1234-1234-1234-123456789012" - "OpenRoad.ThoughtFarmer.Web8" ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML assertion is outside the valid time period. at ComponentSpace.SAML2.InternalSAMLServiceProvider.CheckConditions(SAMLAssertion samlAssertion) at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLAssertion(SAMLAssertion samlAssertion, String& userName, SAMLAttribute[]& attributes) at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes) at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState) at OpenRoad.ThoughtFarmer.Web8.Areas.Auth.Controllers.SAMLController.AssertionConsumerService() in c:\BuildAgent2\work\afd7230e597b25a9\OpenRoad.ThoughtFarmer.Web8\Areas\Auth\Controllers\SAMLController.cs:line 114
If you are a cloud client:
Open a Support request with us for further assistance.
Solution
Short-term workaround
There is a ThoughtFarmer config that allows for a wider difference between the website and login provider computer clocks. The config is called "authentication.assertionClockSkew" and is found in Admin Panel > Configuration Settings. Try setting it to 5, which allows a difference of up to 5 minutes. After you apply the long-term fix below, you can revert the config back to 0.
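To show concretely how the assertion validity check and the clock skew allowance interact, here is an added example (not ThoughtFarmer or ComponentSpace code, and not the product's actual configuration logic). It parses a constructed SAML assertion, applies the SAML 2.0 Conditions rule (valid when NotBefore <= now < NotOnOrAfter), widens the window by a configurable skew allowance in minutes the way a setting such as "authentication.assertionClockSkew" would, and reports how far the service provider clock appears to be from the IdP's IssueInstant so an administrator can tell whether a 5 minute allowance will be enough. The assertion XML, timestamps and the helper names are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not captured from a real IdP). The IdP issued it at
# 12:00:00Z and made it valid for five minutes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-assertion-id"
    Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assertion_times(xml_text):
    """Return (issue_instant, not_before, not_on_or_after) from the assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks NotBefore/NotOnOrAfter conditions")
    return (
        parse_saml_time(root.get("IssueInstant")),
        parse_saml_time(cond.get("NotBefore")),
        parse_saml_time(cond.get("NotOnOrAfter")),
    )


def check_conditions(xml_text, now, clock_skew_minutes=0):
    """Validate the assertion lifetime against the service provider's clock `now`.

    Mirrors the SAML 2.0 rule NotBefore <= now < NotOnOrAfter, widened on both sides
    by the skew allowance (the hypothetical equivalent of a 'clock skew' setting).
    Returns (ok, reason).
    """
    _, not_before, not_on_or_after = assertion_times(xml_text)
    skew = timedelta(minutes=clock_skew_minutes)
    if now < not_before - skew:
        return False, "assertion is outside the valid time period (not yet valid)"
    if now >= not_on_or_after + skew:
        return False, "assertion is outside the valid time period (expired)"
    return True, "ok"


def observed_skew_minutes(xml_text, now):
    """Approximate SP-minus-IdP clock difference in minutes, from the IssueInstant.

    Positive means the SP clock is ahead of the IdP; negative means behind. Network
    delay between issue and receipt is included, so treat it as an estimate.
    """
    issue_instant, _, _ = assertion_times(xml_text)
    return (now - issue_instant).total_seconds() / 60


def at(hour, minute, second=0):
    # Helper for the constructed scenario: a UTC time on the sample assertion's day.
    return datetime(2024, 1, 1, hour, minute, second, tzinfo=timezone.utc)


if __name__ == "__main__":
    # SP clock three minutes behind the IdP: rejected with no allowance, accepted with 5.
    for skew in (0, 5):
        ok, reason = check_conditions(SAMPLE_ASSERTION, at(11, 57), clock_skew_minutes=skew)
        print(f"skew={skew}m ok={ok} reason={reason}")
    print(f"observed skew: {observed_skew_minutes(SAMPLE_ASSERTION, at(11, 57)):+.1f} min")
```

Running it shows the failure mode from the log above: with the allowance at 0 a service provider whose clock is three minutes behind rejects the assertion as not yet valid, and with the allowance at 5 it is accepted. Note that the allowance also extends how long an already-issued assertion remains acceptable, which is why the article has you revert it to 0 once the clocks are synced.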
Long-term fix
Make sure the web and login provider computer clocks are synced with NIST time or a similar time source.