Problem
You cannot log in because the SAML Response is rejected as too old (session timeout). The log shows the following exception:
org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
    ...
Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2017-02-09T21:45:09.000Z
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:538)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:306)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
Solution
Adjust the maxAuthenticationAge
Set maxAuthenticationAge according to your IdP server:
- Google G-Suite : 30 days : 2592000 seconds
- ADFS : 8 hours or 10 hours : 36000 seconds
- SimpleSAMLphp : 8 hours : 28800 seconds (see session.duration in /var/simplesamlphp/config/config.php)
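
To see which value a rejected login would have needed, the age check behind this exception can be reproduced offline against a captured SAMLResponse. This is an added example, not code from the original article or from Spring Security SAML; the function names, the 60-second skew and the sample response are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: minimal unsigned Response reusing the AuthnInstant from the trace.
SAMPLE_RESPONSE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    b'<saml:AuthnStatement AuthnInstant="2017-02-09T21:45:09.000Z"/>'
    b'</saml:Assertion></samlp:Response>'
).decode()


def authn_instants(saml_response_b64):
    """Return each AuthnStatement AuthnInstant from a base64 (POST binding) SAMLResponse."""
    # Only feed this responses captured from your own IdP; ElementTree is not hardened.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    instants = []
    for stmt in root.iterfind(".//saml:AuthnStatement", NS):
        # SAML times are UTC; drop fractional seconds and the trailing "Z".
        stamp = stmt.get("AuthnInstant")[:19]
        parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        instants.append(parsed.replace(tzinfo=timezone.utc))
    return instants


def age_verdict(instant, now, max_age_s, skew_s=60):
    """Approximate the window test: now-(max_age+skew) <= instant <= now+skew."""
    age = (now - instant).total_seconds()
    if age < -skew_s:
        return "in the future"
    if age > max_age_s + skew_s:
        return "too old"
    return "accepted"


if __name__ == "__main__":
    instant = authn_instants(SAMPLE_RESPONSE)[0]
    # Constructed scenario: the SP processes the response 9 hours after the IdP login.
    now = instant + timedelta(hours=9)
    for max_age in (28800, 36000, 2592000):  # values listed in this article
        print(max_age, age_verdict(instant, now, max_age))
```

A larger maxAuthenticationAge lets the service provider accept logins that happened longer ago at the IdP, so match it to the IdP session lifetime rather than exceeding it.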