FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    SAML invalid timestamp.

    Scheduled Pinned Locked Moved
    Q&A
    4
    6
    3.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      joseantonio
      last edited by

      Hi!

      Situation:
      Few months ago my I set up a FA installation hosted in FA servers. Then I set a SAMLv2 IDP configuration, and in the end ran perfect.

      Now I set the same configuration for the same IDP in a FA installation (1.27.2) hosted in our servers.

      However, this configuration does not work correctly this time. I have contacted the IDP manager, and he said that the timestamp in the AuthNRequest is invalid. So, I checked the server and database timezone configurations, and set everything to UTC, as SAMLv2 demands, and then rebooted everything. No effect from this.

      Then I realized that the event logs in the FA server shows a different time (UTC) from ours (CEST).

      FA hosted server:

      02500988-5885-4eb9-86bc-0b0b640231c1-image.png

      Our server:

      f2a19e08-6931-4f1c-b620-a33f0dcfb411-image.png

      Do you have any ideas on how I can change or set that timezone? Since I think this is the reason why the SAML conection is not working.

      Thank you!

      1 Reply Last reply Reply Quote 0
      • J
        joseantonio
        last edited by

        Hi again!

        For the record, I just found the solution.

        Fusionauth config is taken from JVM variables, as explained here. These can be chaged with the fusionauth-search.additional-java-args property, specified in the fusionauth.properties file like so:

        fusionauth-search.additional-java-args="-Duser.timezone=UTC".

        Then everything is working and compliant with SAMLv2 timestamps. Hope this helps someone else some day.

        robotdanR 1 Reply Last reply Reply Quote 2
        • robotdanR
          robotdan @joseantonio
          last edited by

          @joseantonio

          Thanks!! This may be a bug, we’ll open an issue to track.

          danD 1 Reply Last reply Reply Quote 0
          • danD
            dan @robotdan
            last edited by

            @joseantonio

            We opened a bug and reviewed our SAML code and were unable to replicate the issue.

            Here's the bug: https://github.com/FusionAuth/fusionauth-issues/issues/1486

            If you can add any replication steps or other information to this bug, that would be very helpful. Otherwise we'll close it out in a week or so.

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            J S 2 Replies Last reply Reply Quote 0
            • J
              joseantonio @dan
              last edited by

              Hi @dan !

              I'm sorry, the only thing I can say is that setting

              fusionauth-search.additional-java-args="-Duser.timezone=UTC"

              solved the issue for me.

              If that's already solved, I guess it can be closed.

              Thanks @dan and @robotdan for reviewing issues!

              1 Reply Last reply Reply Quote 1
              • S
                summercurrants @dan
                last edited by

                @dan said in SAML invalid timestamp.:

                @joseantonio

                We opened a bug and reviewed our SAML code and were unable to replicate the issue.

                Here's the bug: https://github.com/FusionAuth/fusionauth-issues/issues/1486

                If you can add any replication steps or other information to this bug, that would be very helpful. Otherwise we'll close it out in a week or so.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post