16280 Views, 19 Helpful, 4 Replies

Jabber Invalid SAML Response

carlnewton
Level 3

Hi Guys,

I have a system running UCM, IMP and Unity Connection 11.0.  It is fully configured for SAML SSO via Microsoft ADFS.

This has been working fine for weeks but this morning we had a run of users being unable to log in, but only a few.  Approx 50 users of around 400 were receiving an error message from Jabber stating "Invalid SAML response".  The rest worked fine.

We are running a pair of IMP servers in active/standby mode (All users assigned to node 1)

I have checked the SSO Logs from CM and seen the following:

2016-08-24 08:18:23,791 INFO  [http-bio-443-exec-508] authentication.SAMLAuthenticator - SAMLAuthenticator:validateIDPXMLForExpiredCertificate:Begin
2016-08-24 08:18:23,792 INFO  [http-bio-443-exec-508] utils.PropertiesFileUtil - No need, it's already loaded :ssoconfig.properties
2016-08-24 08:18:23,792 INFO  [http-bio-443-exec-508] utils.PropertiesFileUtil - Loading the properties file content :ssoconfig.properties
2016-08-24 08:18:23,795 INFO  [http-bio-443-exec-508] authentication.SAMLAuthenticator - SAMLAuthenticator:validateIDPXML:Begin
2016-08-24 08:18:23,795 INFO  [http-bio-443-exec-508] authentication.SAMLAuthenticator - SAMLAuthenticator:validateIDPXML:End
2016-08-24 08:18:23,795 INFO  [http-bio-443-exec-508] authentication.SAMLAuthenticator - SAMLAuthenticator:validateIDPXMLForExpiredCertificate:End
2016-08-24 08:18:23,997 ERROR [http-bio-443-exec-508] authentication.SAMLAuthenticator - Failed validation for conditions tag. Throwing exception.
2016-08-24 08:18:23,997 ERROR [http-bio-443-exec-508] authentication.SAMLAuthenticator - Error while processing saml response Invalid SAML Response. SAMLResponse is outside the validity window.
com.sun.identity.saml2.common.SAML2Exception: Invalid SAML Response. SAMLResponse is outside the validity window.
at com.cisco.cpi.sso.saml.sp.security.authentication.SAMLAuthenticator.processResponse(SAMLAuthenticator.java:102)
at com.cisco.cpi.sso.saml.sp.security.authentication.SAMLAuthenticator.process(SAMLAuthenticator.java:76)
at com.cisco.cpi.sso.saml.sp.security.filter.SamlFilter.doFilter(SamlFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:312)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

2016-08-24 08:18:23,999 INFO  [http-bio-443-exec-508] servlet.ErrorServlet - Dname Cisco Unified Communications Manager
2016-08-24 08:18:23,999 INFO  [http-bio-443-exec-508] servlet.ErrorServlet - Invalid SAML response. This may be caused when time is out of sync between the Cisco Unified Communications Manager and IDP servers. Please verify the NTP configuration on both servers. Run "utils ntp status" from the CLI to check this status on Cisco Unified Communications Manager.Error Message

We ran "utils ntp status" from the CUCM publisher and it looked ok.  We re-synchronised it by resetting NTP, which appeared to fix some issues, but some users still remain having issues.  We also noticed that visual voicemail was not working at the time.

The ADFS server in question is using the same NTP server as our UC infrastructure, which is a Cisco 6500 core switch.  Both ADFS and our UC infrastructure show synchronised to within a few msec.

The problem appears to have calmed down somewhat now, but we do have this issue periodically across multiple users. Until now we have just closed Jabber, re-opened it and it has worked the next time.  This morning, however, the problem was much more widespread, and I believe we have an underlying problem here that needs addressing.

Has anyone experienced anything similar before or have any tips?

Thanks

1 Accepted Solution (the first reply below, from Varundeep Chhatwal)

4 Replies

Varundeep Chhatwal
Cisco Employee

I highly suspect this issue is with NTP, as you also figured out. The logs were not at debug level, so I couldn't make out much from them. But as you stated the problem appears again and again after some time, I would suggest you check the NotBeforeSkew setting on the IDP server and see what value has been configured there.

I think you are right there, Varundeep.  We used "set samltrace level debug" from the CLI and re-read the logs.  We noticed that the SAML response was received by the CUCM before it actually was sent by the IDP (in theory):

2016-08-25 19:13:28,892 DEBUG [http-bio-443-exec-348] fappend.SamlLogger - SPACSUtils.getResponse: got response=<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="xxxxxx" InResponseTo="sxxxx" Version="2.0" IssueInstant="2016-08-25T18:13:29Z"

We have set the NotBeforeSkew to 1 minute and are monitoring for recurrences.

Great. Exactly this seems to be the cause :-)

I ran into this same issue running on UCM 14.0.1 SU2.  The error message in the SAML logs is a bit different, but the fix is the same: updating the IdP to expand the NotOnOrAfter condition timer to 1.

2023-04-19 11:09:00,286 DEBUG [http-nio-81-exec-33] fappend.SamlLogger - SAML2Utils.isBearerSubjectConfirmation:timeskew = 300
2023-04-19 11:09:00,286 DEBUG [http-nio-81-exec-33] fappend.SamlLogger - SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Apr 19 12:09:00 PDT 2023
2023-04-19 11:09:00,287 DEBUG [http-nio-81-exec-33] fappend.SamlLogger - SAML2Utils.checkConditions: NotBefore Condition = Wed Apr 19 11:09:00 PDT 2023
2023-04-19 11:09:00,287 DEBUG [http-nio-81-exec-33] fappend.SamlLogger - SAML2Utils.checkConditions: The assertion does not meet NotOnOrAfter or NotBefore condition.

2023-04-19 11:09:00,288 ERROR [http-nio-81-exec-33] authentication.SAMLAuthenticator - Error while processing saml response The time in the Assertion's Condition is invalid.
com.sun.identity.saml2.common.SAML2Exception: The time in the Assertion's Condition is invalid.
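Both failures in this thread (the 2016 "SAMLResponse is outside the validity window" and the 2023 "The time in the Assertion's Condition is invalid") come from the same check: the service provider compares its own clock against the assertion's <saml:Conditions> NotBefore/NotOnOrAfter attributes. The following is an added example, not Cisco's code and not anything posted in the thread, that performs that check with a configurable skew allowance and reports how far the IdP's IssueInstant leads the SP's receive time. The SAML response it validates is constructed here, modelled on the IssueInstant in the 2016 debug log; the receive time assumes that log's 19:13:28,892 local timestamp was one hour ahead of UTC (an assumption, since the thread does not state the server's time zone). How CUCM itself applies its skew value is not visible in the logs, so the window arithmetic here follows the SAML 2.0 Core rules (NotBefore inclusive, NotOnOrAfter exclusive) rather than any Cisco implementation.

```python
"""
Added example (not Cisco's code): validate a SAML 2.0 assertion's
<Conditions> window against the SP's receive time with a skew allowance,
and measure the IdP/SP clock offset from the response's IssueInstant.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_saml_time(value):
    """Parse a SAML xsd:dateTime (UTC with trailing 'Z', optional fraction)."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be in UTC: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(response_xml, received_at, skew_seconds=0.0):
    """Return (ok, reason) for the assertion's Conditions window.

    received_at is the SP's clock when the response arrived (datetime or
    SAML timestamp string). NotBefore is inclusive and NotOnOrAfter is
    exclusive (SAML 2.0 Core 2.5.1.2); skew_seconds widens both edges.
    """
    if isinstance(received_at, str):
        received_at = parse_saml_time(received_at)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(response_xml)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions element"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if received_at + skew < not_before:
        ahead = (not_before - received_at).total_seconds()
        return False, "NotBefore is %.3fs in the SP's future (IdP clock ahead?)" % ahead
    if received_at - skew >= not_on_or_after:
        late = (received_at - not_on_or_after).total_seconds()
        return False, "NotOnOrAfter passed %.3fs ago (assertion expired)" % late
    return True, "within validity window"


def idp_clock_offset(response_xml, received_at):
    """Seconds by which the response's IssueInstant leads the SP's receive time.

    Network delay makes this negative for a freshly issued response; a
    positive value means the IdP's clock is ahead of the SP's by at least
    that much, which is exactly what the 2016 debug log showed.
    """
    if isinstance(received_at, str):
        received_at = parse_saml_time(received_at)
    issued = parse_saml_time(ET.fromstring(response_xml).get("IssueInstant"))
    return (issued - received_at).total_seconds()


def make_response(issue_instant, not_before, not_on_or_after):
    """Build a minimal, unsigned Response for testing (constructed, not a capture)."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" '
        'InResponseTo="_a1" Version="2.0" IssueInstant="%s">'
        '<saml:Assertion ID="_a2" Version="2.0" IssueInstant="%s">'
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/>'
        "</saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], issue_instant, issue_instant, not_before, not_on_or_after)


# Constructed reproduction of the 2016 thread: the IdP issued the response at
# 18:13:29Z, while the SP logged receipt at 19:13:28,892 local time. Assuming
# that log was UTC+1, the SP received it 108 ms before the IdP says it existed.
THREAD_RESPONSE = make_response(
    "2016-08-25T18:13:29Z", "2016-08-25T18:13:29Z", "2016-08-25T19:13:29Z"
)
THREAD_RECEIVED_AT = "2016-08-25T18:13:28.892Z"

if __name__ == "__main__":
    print("IdP leads SP by %.3fs" % idp_clock_offset(THREAD_RESPONSE, THREAD_RECEIVED_AT))
    print("skew 0s:  ", check_conditions(THREAD_RESPONSE, THREAD_RECEIVED_AT))
    print("skew 60s: ", check_conditions(THREAD_RESPONSE, THREAD_RECEIVED_AT, 60))
```

With no skew the constructed response fails on NotBefore by 0.108 s, which is the sub-second drift the thread's NTP output would have hidden; with a 60 s allowance it passes. On ADFS the equivalent knob is per relying party trust: `Get-AdfsRelyingPartyTrust -Name <trust>` shows the current NotBeforeSkew in minutes and `Set-AdfsRelyingPartyTrust -TargetName <trust> -NotBeforeSkew 1` sets it to the one minute the thread settled on. Treat that as the workaround, not the fix: widening the window also lengthens the time a captured assertion stays replayable, so keep the skew as small as covers the observed offset and chase the clock drift (NTP stratum and step behaviour on both the IdP and every CUCM/IM&P node, not just the publisher) as the underlying problem.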