SAML invalid timestamp.
-
Hi!
Situation:
A few months ago I set up a FA installation hosted in FA servers. Then I set a SAMLv2 IDP configuration, and in the end it ran perfectly. Now I set the same configuration for the same IDP in a FA installation (1.27.2) hosted in our servers.
However, this configuration does not work correctly this time. I have contacted the IDP manager, and he said that the timestamp in the AuthNRequest is invalid. So, I checked the server and database timezone configurations, and set everything to UTC, as SAMLv2 demands, and then rebooted everything. No effect from this.
Then I realized that the event logs in the FA server show a different time (UTC) from ours (CEST).
FA hosted server:
Our server:
Do you have any ideas on how I can change or set that timezone? I think this is the reason why the SAML connection is not working.
Thank you!
-
Hi again!
For the record, I just found the solution.
FusionAuth config is taken from JVM variables, as explained here. These can be changed with the fusionauth-search.additional-java-args property, specified in the fusionauth.properties file like so:
fusionauth-search.additional-java-args="-Duser.timezone=UTC".
Then everything is working and compliant with SAMLv2 timestamps. Hope this helps someone else some day.
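A diagnostic for the timestamp problem discussed in this thread, added here as an example; it is not part of any post and not FusionAuth code. It decodes a captured SAMLRequest and checks IssueInstant the way a receiving IdP might. The HTTP-Redirect binding, the 5-minute skew window, the sample requests and all function names are assumptions, and the "local time labelled Z" case is a constructed illustration, not a confirmed cause.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed reference clock standing in for the IdP's current UTC time.
NOW = datetime(2022, 6, 1, 10, 0, 0, tzinfo=timezone.utc)

def sample_request(issue_instant: str) -> bytes:
    """Constructed minimal AuthnRequest; only IssueInstant matters here."""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'ID="_constructed" Version="2.0" IssueInstant="{issue_instant}"/>').encode()

def encode_redirect(xml: bytes) -> str:
    """HTTP-Redirect binding encoding (before URL-encoding): raw DEFLATE, then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode()

def decode_redirect(saml_request: str) -> bytes:
    """Inverse of encode_redirect; pass the URL-decoded SAMLRequest value."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def check_issue_instant(xml: bytes, now: datetime, max_skew=timedelta(minutes=5)):
    """Return (status, skew) for IssueInstant as a receiver would judge it."""
    # ElementTree is acceptable for requests you captured yourself;
    # use a hardened XML parser for untrusted input.
    raw = ET.fromstring(xml).get("IssueInstant")
    if raw is None:
        return "missing", None
    if not raw.endswith("Z"):
        return "not-utc-form", None      # offset or no designator: not the UTC form SAML uses
    try:
        issued = datetime.fromisoformat(raw[:-1]).replace(tzinfo=timezone.utc)
    except ValueError:
        return "unparseable", None
    skew = issued - now
    return ("outside-skew" if abs(skew) > max_skew else "ok"), skew

if __name__ == "__main__":
    for stamp in ("2022-06-01T10:00:03Z",        # clock and zone correct
                  "2022-06-01T12:00:00Z",        # CEST wall-clock time labelled as UTC
                  "2022-06-01T12:00:00+02:00"):  # right instant, wrong form
        captured = encode_redirect(sample_request(stamp))
        print(stamp, check_issue_instant(decode_redirect(captured), NOW))
```

Run it with the SAMLRequest value from a real login redirect and your own current UTC time in place of NOW to see what the IdP receives.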
-
Thanks!! This may be a bug, we’ll open an issue to track.
-
We opened a bug and reviewed our SAML code and were unable to replicate the issue.
Here's the bug: https://github.com/FusionAuth/fusionauth-issues/issues/1486
If you can add any replication steps or other information to this bug, that would be very helpful. Otherwise we'll close it out in a week or so.