I'm using https://simplesamlphp.org/ in my app. Most of the time it's fine and there are no issues. Other times I get this:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 ssoclient/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.
Backtrace:
3 ssoclient/modules/saml/lib/Message.php:565 (sspmod_saml_Message::processAssertion)
2 ssoclient/modules/saml/lib/Message.php:523 (sspmod_saml_Message::processResponse)
1 ssoclient/modules/saml/www/sp/saml2-acs.php:75 (require)
0 ssoclient/www/module.php:135 (N/A)
Why would this happen, and how can I resolve it? Do I need to change my system time? (I'm on Debian.)
The "problem" is known - see here - and boils down to wrong clock synchronisation between service provider and identity provider.
Probably, they are now around the time limit of 60 seconds, so that "every now and then" they fall out of sync boundary.
You can remediate this by:
There are also more creative possibilities, for example:
These two "solutions" are prone to errors and "time skipping" problems (i.e. the clock is not gently drifted from WRONG_TIME to CORRECT_TIME, it is bluntly set to the "correct" value). This may also have other nasty effects depending on other conditions/software.
Finally you can modify the modules/saml/lib/Message.php and increase the time delta, even if this is "papering over the problem", assuming that there is some process that keeps the two systems at most 60" out of sync (there are some creative timesetting schemes, not based on ntpd, that could be doing so).
To me it looks like a time issue; likely it is not correctly synced.
There is a tool (and also a daemon) which can keep an eye on the time for you, ntp, so you can always be in sync. Install it and configure the daemon; I guess this could solve your problem.
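To see how far apart the two clocks are when the error appears, the following added example (not part of the original answers and not SimpleSAMLphp's own code) decodes a base64 SAMLResponse as posted to the ACS endpoint and compares its `Conditions` window with a given SP time. The 60-second tolerance is the figure quoted in the answer above; the sample response, the function names and the verdict strings are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_SKEW = 60.0  # seconds; tolerance figure taken from the answer above

# Constructed sample: an unsigned response whose assertion is valid 12:00-12:05 UTC.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Assertion><saml:Conditions NotBefore="2024-05-01T12:00:00Z" '
    'NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())


def parse_ts(value):
    """Parse a UTC xs:dateTime such as 2024-05-01T12:00:00Z (fraction optional)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_conditions(response_b64, now, skew=ALLOWED_SKEW):
    """Return (verdict, seconds) for the first assertion's Conditions window."""
    # Diagnostic only: no signature validation, run it on responses you captured yourself.
    root = ET.fromstring(base64.b64decode(response_b64))
    cond = root.find(".//saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return ("no-conditions", 0.0)
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    lead = 0.0
    if not_before is not None:
        # Positive lead means the SP clock is behind the IdP's NotBefore.
        lead = (parse_ts(not_before) - now).total_seconds()
        if lead > skew:
            return ("valid-in-future", lead)
    if not_after is not None:
        late = (now - parse_ts(not_after)).total_seconds()
        if late >= skew:
            return ("expired", late)
    return ("ok", lead)


if __name__ == "__main__":
    start = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    for offset in (-90, -30, 390):  # SP clock relative to NotBefore, in seconds
        print(offset, check_conditions(SAMPLE_B64, start + timedelta(seconds=offset)))
```

A lead that hovers just under or over the tolerance matches the intermittent failures described in the question, and points at fixing clock synchronisation rather than widening the window.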