Page tree
Skip to end of metadata
Go to start of metadata

Problem

You cannot login due to the session timeout of the SAML Response

org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
  at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
...
Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2017-02-09T21:45:09.000Z
  at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:538)
  at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:306)
  at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)


Solution

Adjust the MaxAuthentication Age 

Change the maxAuthentication Age according to you IdPServer


  • Google G-Suite : 30 days : 2592000 seconds
  • ADFS : 8 hours or 10 hours : 36000 seconds
  • SimpleSAMLPhp : 8 hours : 28800 seconds ( see session.duration in /var/simplesamlphp/config/config.php)