
SAML tokens and too much accuracy on clients

With several clients unable to log in, we discovered that the NotBefore date on our ADFS tokens may be too precise for some very picky clients. Let's add some tolerance.

Daniel Nachtrub

Today we had an issue that affected some of our SAML clients. The SAML clients were, for example, services running on one of our Kubernetes clusters, while the IdP was ADFS.

The error message shown in the Rails applications was:

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is earlier than NotBefore condition (2023-12-15 07:08:15 UTC < 2023-12-15 07:08:15 UTC - 1s)
error message

If you look at the log closely, we're hitting an offset of 1 second. The background is:

  • Client is redirected to the IdP
  • SAML token is issued with NotBefore = now()
  • Client validates the token (with a small tolerance)

So it seems we have a slight clock offset between IdP and client (more than 1 second), which is enough to trigger the issue.

We have two ways to solve this:

Fix timesync

Obviously there should be no clock skew when NTP is in use (which is the case here).

Configure some tolerance (ADFS)

My preferred approach in this case is to allow some minor tolerance by adding a skew to the NotBefore date on ADFS. Practically I would accept ~30 seconds, because anything above that should not happen in practice.

To configure the tolerance on ADFS, you can use the command:

Set-ADFSRelyingPartyTrust -TargetIdentifier "<relying party identifier>" -NotBeforeSkew 1
configure skew

Or to configure it for all trusts at once:

(Get-ADFSRelyingPartyTrust).Identifier |% { Set-ADFSRelyingPartyTrust -TargetIdentifier $_ -NotBeforeSkew 1 }
configure a skew for all trusts

This applies an allowed skew of one minute to all issued tokens (ADFS subtracts the NotBeforeSkew value, given in minutes, from the NotBefore attribute).
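To make the three-step flow above (token issued with NotBefore = now, client validates with a small tolerance) and the effect of the NotBeforeSkew setting concrete, here is an added Ruby example. It is not ruby-saml's or ADFS's code: it is a simplified model of the NotBefore / NotOnOrAfter check a service provider performs, with the IdP-side skew (minutes, as ADFS takes it) and a client-side drift allowance (seconds; ruby-saml has an `allowed_clock_drift` option, but the comparison below is my own simplification). All timestamps are constructed; the SP clock is assumed to run 2 seconds behind the IdP.

```ruby
require 'time'

# Added example, not ruby-saml's or ADFS's own code: a small model of the
# NotBefore / NotOnOrAfter check a SAML service provider performs, with the two
# tolerance knobs discussed in the post:
#   - IdP side: ADFS -NotBeforeSkew (minutes) moves NotBefore into the past
#   - SP side:  a drift allowance in seconds (ruby-saml calls its option
#     allowed_clock_drift; the comparison here is a simplified model)
module SamlTiming
  # Conditions the IdP would put into the assertion. idp_now is the IdP clock.
  def self.issue_conditions(idp_now, lifetime_seconds: 3600, not_before_skew_minutes: 0)
    {
      not_before: idp_now - not_before_skew_minutes * 60,
      not_on_or_after: idp_now + lifetime_seconds
    }
  end

  # Validate Conditions against the SP clock. Returns [ok, message].
  def self.validate_conditions(conditions, sp_now, allowed_clock_drift: 0)
    nb = conditions[:not_before]
    noa = conditions[:not_on_or_after]

    # Token not yet valid from the SP's point of view (the failure in the post).
    if sp_now < nb - allowed_clock_drift
      return [false, format('Current time is earlier than NotBefore condition (%s < %s - %ds)',
                            sp_now.utc.iso8601, nb.utc.iso8601, allowed_clock_drift)]
    end
    # Token already expired.
    if sp_now >= noa + allowed_clock_drift
      return [false, format('Current time is on or after NotOnOrAfter condition (%s >= %s + %ds)',
                            sp_now.utc.iso8601, noa.utc.iso8601, allowed_clock_drift)]
    end
    [true, nil]
  end

  # Scenarios mirroring the post: SP clock 2 s behind the IdP (constructed
  # values), with and without tolerance on either side.
  def self.scenarios
    idp_now = Time.utc(2023, 12, 15, 7, 8, 15) # constructed; same second as the log line
    sp_now = idp_now - 2                        # SP clock running 2 s behind

    plain = issue_conditions(idp_now)                              # NotBefore = now()
    skewed = issue_conditions(idp_now, not_before_skew_minutes: 1) # -NotBeforeSkew 1

    {
      no_tolerance: validate_conditions(plain, sp_now),
      client_drift_1s: validate_conditions(plain, sp_now, allowed_clock_drift: 1),
      client_drift_30s: validate_conditions(plain, sp_now, allowed_clock_drift: 30),
      idp_skew_1min: validate_conditions(skewed, sp_now),
      expired: validate_conditions(plain, idp_now + 3600)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  SamlTiming.scenarios.each do |name, (ok, msg)|
    puts format('%-17s %s %s', name, ok ? 'OK  ' : 'FAIL', msg)
  end
end
```

Running it shows the two ways out of the problem side by side: a 1-second client drift is not enough to absorb a 2-second offset, while either a larger client allowance or the 1-minute NotBeforeSkew on the IdP makes the same token validate. The expired case is included to show that the skew only moves NotBefore and does not extend the token's lifetime.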

So, nothing big - just some small fix ;-)

Windows

Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.