Thanks Misagh,

Created an issue for it on github: https://github.com/Jasig/cas/issues/1266

---
Abhijit Gaikwad
Applications Programmer | agaik...@fit.edu

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Monday, November 09, 2015 12:33 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4.1.1 Google Apps SAML issue

Looks like there is a skewAllowance setting for SAML1 but not for SAML2. Do file an issue please.

From: Abhijit Gaikwad [mailto:agaik...@fit.edu]
Sent: Monday, November 9, 2015 9:31 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4.1.1 Google Apps SAML issue

Hello,

We are working on deploying CAS 4.1.1 to production and were trying to get google apps for education SSO to work. Unfortunately I get a "Google Apps - This service cannot be accessed because your login credentials have expired. Please log in and try again." Error from google. Looking around it seemed to be an issue with clocks set on servers, but I have confirmed the clock and ntp is configured correctly on the server.

Looking at the saml response I noticed "NotOnOrAfter="2015-11-09T09:59:14.000Z"" is set to the current time. Which if I understand correctly means by the time it makes it to google a second has passed and the credentials have expired. We have CAS 3.5.x in production and working and looking at the saml response from it "NotOnOrAfter="2016-11-09T10:03:00Z"" the date is set to 1 year ahead so the credentials don't expire by the time it makes it to google's servers.

I was able to confirm both of these behaviours in code:

4.1.x: https://github.com/Jasig/cas/blob/master/cas-server-support-saml-googleapps/src/main/java/org/jasig/cas/support/saml/authentication/principal/GoogleAccountsServiceResponseBuilder.java#L97
3.5.x: https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java#L178

Looking at the forums it appears the above configuration is working for people, although I don't see how it would if NotOnOrAfter is set to a time 1 second in the past. Am I missing something here? Any guidance will be highly appreciated.

Thanks,

---
Abhijit Gaikwad
Applications Programmer | agaik...@fit.edu
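
Added example, not part of the original thread and not CAS or Google code: a check that measures the gap between IssueInstant and each NotOnOrAfter in a SAML 2.0 assertion and models why a zero-length window is rejected after one second in transit. The assertion is a constructed sample using the timestamp quoted above, and `validity_windows`, `accepted` and the `allowance` parameter are hypothetical names (it is not the CAS skewAllowance setting).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample, not a captured response: NotOnOrAfter equals IssueInstant,
# as reported for CAS 4.1.1 in the thread.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2015-11-09T09:59:14.000Z">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-11-09T09:59:14.000Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-11-09T09:59:14.000Z"
                   NotOnOrAfter="2015-11-09T09:59:14.000Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime ending in Z, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validity_windows(assertion_xml):
    """Return (element, seconds from IssueInstant to NotOnOrAfter) in document order."""
    # The stdlib parser is fine for this inline sample; use a hardened parser
    # (e.g. defusedxml) for XML taken from the network.
    root = ET.fromstring(assertion_xml)
    issued = parse_instant(root.get("IssueInstant"))
    windows = []
    for el in root.iter():
        expiry = el.get("NotOnOrAfter")
        if expiry:
            local_name = el.tag.split("}")[-1]
            windows.append((local_name, (parse_instant(expiry) - issued).total_seconds()))
    return windows


def accepted(not_on_or_after, received_at, allowance=timedelta(0)):
    """Model of a receiver check: valid while received_at < NotOnOrAfter + allowance."""
    return received_at < parse_instant(not_on_or_after) + allowance


if __name__ == "__main__":
    arrival = parse_instant("2015-11-09T09:59:15Z")  # one second in transit
    print(validity_windows(SAMPLE))
    print(accepted("2015-11-09T09:59:14.000Z", arrival))
    print(accepted("2015-11-09T09:59:14.000Z", arrival, timedelta(seconds=60)))
```

A window of 0 seconds on either element means any receiver that enforces NotOnOrAfter strictly will reject the assertion regardless of how well the clocks are synchronised.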