Time skew issue?
Time skew issue?

ekinseyjr
I'm running into an issue wherein the AuthnInstant value is preceding the NotBefore value, and I'm working on the assumption (unconfirmed) that the app with which I'm integrating (Webex) won't authenticate because it thinks I'm asking for access before the ticket is valid.  For instance, I'm getting the following:

AuthnInstant = "2018-05-07T13:43:18.310Z"
NotBefore    = "2018-05-07T13:43:18.932Z"
NotOnOrAfter = "2018-05-07T13:48:18.932Z"

Which makes it look like I'm asking for access about 3/4 of a second too soon.  I got a tip that this might have to do with a time "skew" that could be set in the IdP, and I found a couple of places that might be modified to address this issue; one is in the conf/idp.properties file's setting:

idp.policy.clockSkew = PT3M

Which was commented out.  Thinking this might fix my problem, I uncommented it, restarted my instance, and got the same kind of results.  Was this the wrong thing to change, or was there something else in that file which would also need to change?

The other thing I found is a reference here:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPShibbolethXML

Which talks about a file called "shibboleth2.xml" that doesn't exist on my installation.  There's some discussion about an element called "clockSkew" that would be set in this file - is this the right place to adjust/set the skew value?  If so, is the file in question a non-standard part of the Shibboleth deployment that I need to create for myself?  As always, any assistance would be much appreciated.

Thanks,
Ernest K. Kinsey, Jr.
Central Piedmont Community College
Charlotte, NC

________________________________

This e-mail, including any attachments, is intended only for the addressee's use and may contain confidential and proprietary information. If you are not the intended recipient, you are hereby notified that any retention, dissemination, reproduction, or use of the information contained in this e-mail is strictly prohibited. If you have received this e-mail by error, please delete it and immediately notify the sender. Thank you for your cooperation.
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Time skew issue?

Boyd, Todd M.
I can't speak to the IdP configuration, but the wiki page you linked is for the Shibboleth service provider, not the Shibboleth identity provider. They are two completely separate applications which each represent a different piece of the authentication process. The IdP provides the identity, and the SP consumes it.

-Todd


Re: Time skew issue?

Peter Schober
* Ernie Kinsey <[hidden email]> [2018-05-07 17:19]:
> The other thing I found is a reference here:
>
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPShibbolethXML
>
> Which talks about a file called "shibboleth2.xml" that doesn't exist
> on my installation.

That relates to the Shibboleth SP ("Service Provider") software,
whereas you're concerned with the IDP ("Identity Provider") software,
both from the Shibboleth project.

-peter

Re: Time skew issue?

Peter Schober
* Ernie Kinsey <[hidden email]> [2018-05-07 17:19]:

> I'm running into an issue wherein the AuthnInstant value is
> preceding the NotBefore value, and I'm working on the assumption
> (unconfirmed) that the app with which I'm integrating (Webex) won't
> authenticate because it thinks I'm asking for access before the
> ticket is valid.  For instance, I'm getting the following:
>
> AuthnInstant = "2018-05-07T13:43:18.310Z"
> NotBefore    = "2018-05-07T13:43:18.932Z"
> NotOnOrAfter = "2018-05-07T13:48:18.932Z"
>
> Which makes is look like I'm asking for access about 3/4 of a second
> too soon.

No, AuthnInstant is the time when you authenticated to the IDP.
With a long(er)-lived SSO session that could be hours before trying to
access a given SP.

NotBefore and NotOnOrAfter are from the Conditions element and
describe the Assertion validity period, i.e., when the SP should
accept the whole SAML Assertion.

None of that explains what happened, but the above misinterpretation
seems to be based on guessing (incorrectly assuming that AuthnInstant
would have to be within the values of NotBefore and NotOnOrAfter),
not on looking up those terms in the SAML spec,
https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf

-peter

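To make Peter's point concrete, here is an added example (not code from the thread, from Shibboleth, or from Webex) of the check a relying party actually performs on an assertion: it evaluates the Conditions element's NotBefore/NotOnOrAfter against the SP's own clock with a skew tolerance, and never compares AuthnInstant to that window. The assertion is constructed from the three timestamps quoted above; the Issuer, Audience, ID and SessionIndex values are made up. The default skew of PT3M mirrors the value the poster found in idp.properties, but note that Shibboleth's idp.policy.clockSkew governs the IdP's tolerance when evaluating messages it receives; the SP validating this assertion applies its own tolerance, which an IdP-side setting cannot change.

```python
"""SP-side evaluation of <saml:Conditions> with clock-skew tolerance.

Added illustration, not Shibboleth or Webex code. Shows that an
AuthnInstant earlier than NotBefore is normal (it records when the user
logged in at the IdP, possibly hours earlier under SSO) and is not part
of the validity-window check.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion using the timestamps quoted in the thread.
# Issuer, Audience, ID and SessionIndex are placeholders.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2018-05-07T13:43:18.932Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2018-05-07T13:43:18.932Z"
                   NotOnOrAfter="2018-05-07T13:48:18.932Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-05-07T13:43:18.310Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""


def parse_instant(value):
    """Parse a SAML xs:dateTime expressed in UTC ('Z'), with or without
    fractional seconds, into an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported xs:dateTime: %r" % value)


def check_conditions(assertion_xml, now, skew=timedelta(minutes=3)):
    """Return (ok, reason) for the assertion's validity window at time `now`.

    `skew` is the SP's own tolerance for clock differences: NotBefore is
    moved earlier and NotOnOrAfter later by that amount. AuthnInstant is
    deliberately not consulted here; it is not a Conditions attribute.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now < parse_instant(not_before) - skew:
        return False, "assertion not yet valid"
    if not_on_or_after is not None and now >= parse_instant(not_on_or_after) + skew:
        return False, "assertion expired"
    return True, "within validity window"


def authn_instant(assertion_xml):
    """Return the AuthnInstant: when the subject authenticated at the IdP."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    return parse_instant(stmt.get("AuthnInstant"))


def authn_age(assertion_xml, now):
    """How long ago the user logged in at the IdP. This is what an SP with
    its own freshness policy would compare AuthnInstant against; it is a
    separate decision from the Conditions check above."""
    return now - authn_instant(assertion_xml)


if __name__ == "__main__":
    now = parse_instant("2018-05-07T13:43:18.500Z")  # between AuthnInstant and NotBefore
    print(check_conditions(ASSERTION_XML, now))
    print("AuthnInstant precedes NotBefore:",
          authn_instant(ASSERTION_XML) < parse_instant("2018-05-07T13:43:18.932Z"))
    print("authentication age:", authn_age(ASSERTION_XML, now))
```

Running it shows the window check passing at 13:43:18.500Z, i.e. 0.6 s before NotBefore but well inside the skew allowance, while AuthnInstant sits before NotBefore with no effect on the result. Reducing `skew` to zero makes that same instant fail with "assertion not yet valid", which is the kind of failure a clock offset between IdP and SP produces; the fix for that is synchronised clocks (or the SP's tolerance), not anything about AuthnInstant.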

Re: [EXTERNAL] Re: Time skew issue?

ekinseyjr
Peter/Todd,

That makes sense since I’m really only interested in the IdP.  Whenever I hear “Service Provider” I automatically think of the service I want to authenticate to, not the Shibboleth Service Provider.  Thanks for the clarification.

Ernest K. Kinsey, Jr.
Central Piedmont Community College
Charlotte, NC