
I'm using https://simplesamlphp.org/ in my app. Most of the time it's fine and there are no issues. Other times I get this:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 ssoclient/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Received an assertion that is valid in the future. Check clock synchronization on IdP and SP. 
Backtrace:
3 ssoclient/modules/saml/lib/Message.php:565 (sspmod_saml_Message::processAssertion)
2 ssoclient/modules/saml/lib/Message.php:523 (sspmod_saml_Message::processResponse)
1 ssoclient/modules/saml/www/sp/saml2-acs.php:75 (require)
0 ssoclient/www/module.php:135 (N/A)

Why would this happen, and how can I resolve it? Do I need to change my system time? ( I'm on Debian ).

meder omuraliev

2 Answers


The "problem" is known - see here - and boils down to wrong clock synchronisation between service provider and identity provider.

Probably, they are now around the time limit of 60 seconds, so that "every now and then" they fall outside the sync boundary.

You can remediate this by:

  • (best) syncing both systems to the same, known time base via ntpd.
  • slaving one of the two systems' clock to the other.

There are also more creative possibilities, for example:

These two "solutions" are prone to errors and "time skipping" problems (i.e. the clock is not gently drifted from WRONG_TIME to CORRECT_TIME, it is bluntly set to the "correct" value). This may also have other nasty effects depending on other conditions/software.

Finally you can modify the modules/saml/lib/Message.php and increase the time delta, even if this is "papering over the problem", assuming that there is some process that keeps the two systems at most 60" out of sync (there are some creative timesetting schemes, not based on ntpd, that could be doing so).

LSerni
  • Any harm at increasing time in modules/saml/lib/Message.php when we are using SimpleSAML for authentication and later handle separate session at application level? – AnkitK Aug 16 '18 at 06:08
  • It is not a very clean solution, and you will have to maintain it. If at all possible, tackle the real problem: synchronize the clocks. – LSerni Aug 16 '18 at 06:59
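The check this answer describes, written out as an added Python example (not SimpleSAMLphp's own code): it reads the Conditions element of a constructed assertion and applies an allowed clock skew, so you can see why a 90-second offset between IdP and SP fails at the 60-second tolerance while a 30-second one passes, and it reports the measured offset so you can confirm which clock is off before touching Message.php. The 60-second tolerance comes from the answer; the sample assertion, its timestamps and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response); only the timing-related
# parts are present. The IdP says it was issued at 06:00:00Z and is good for 5 minutes.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2018-08-16T06:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Conditions NotBefore="2018-08-16T06:00:00Z" NotOnOrAfter="2018-08-16T06:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML timestamps are UTC with a trailing "Z"; fractional seconds are allowed.
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_assertion_validity(xml_text, now, allowed_skew=timedelta(seconds=60)):
    """Return (ok, reason). An assertion whose NotBefore lies more than allowed_skew
    ahead of the SP clock is rejected as 'valid in the future'; one whose
    NotOnOrAfter lies more than allowed_skew in the past is rejected as expired."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "assertion has no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is not None:
        nb = parse_saml_time(not_before)
        if nb > now + allowed_skew:
            return False, f"valid in the future by {(nb - now).total_seconds():.0f}s"
    if not_on_or_after is not None:
        noa = parse_saml_time(not_on_or_after)
        if noa <= now - allowed_skew:
            return False, f"expired {(now - noa).total_seconds():.0f}s ago"
    return True, "ok"


def estimate_clock_offset(xml_text, received_at):
    """Seconds the IdP clock appears to be ahead of the SP clock (negative: behind),
    estimated from IssueInstant versus the SP's receive time. Log this per failure:
    a stable value means a skewed clock, a drifting one means no time source."""
    issued = parse_saml_time(ET.fromstring(xml_text).get("IssueInstant"))
    return (issued - received_at).total_seconds()
```

A network round trip adds a little to the estimated offset, so treat the number as approximate and compare it against the tolerance rather than expecting zero.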

To me it looks like a time issue; likely the clock is not correctly synced.

There is a tool (and also a daemon) which can keep an eye on the time for you, ntp, so you can always stay in sync. Install it and configure the daemon; I guess this could solve your problem.

javier_domenech