Hi Ray,

Thanks for the quick response. I have got the users to check the time on 
their PC plus I have checked the CAS server and all seem to be in sync. 
Also, the users have noticed that if they use a different browser they can 
log in. I have had users switch from Chrome to Firefox on the same PC and 
they can log in.

I have tried getting them to clear their browser cache but they still 
experience the same issue. 

I have found some similar issues with Azure AD and pac4j 
here: https://groups.google.com/g/pac4j-users/c/G4Cn5j0XDm4 where the user 
set the max auth lifetime really high but again was advised this is not a 
good idea. I will keep investigating.

Thanks

Sean

On Wednesday, 25 November 2020 at 18:37:43 UTC Ray Bon wrote:

> Sean,
>
> This looks like your clock is incorrect.
> Use a tool like samltracer to see what is being passed.
>
> You do not want to have large lifetime windows on authentication 
> responses, to limit replay attacks.
>
> Ray
>
> On Wed, 2020-11-25 at 10:15 -0800, Sean Day wrote:
>
> Hi, 
>
> I have CAS 6.2 configured to authenticate against Azure AD. I have some 
> users that are getting an error:
>
> org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue 
> instant is too old or in the future
>
> It seems to be browser/PC dependent: if they try a different PC it is OK. 
> The assertion seems to be very old in some cases (months old). It only 
> seems to affect CAS based SAML logins though; authenticating against Azure 
> AD directly for O365, for example, works as expected.
>
> I know I can work around this by increasing the setting, but does anyone 
> know why I would need to? (I already have it set for about 3 months and need 
> to increase it further, and I am guessing I would have to do this again in the 
> future if I cannot find the cause.)
>
> Thanks
>
> Sean
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>
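
A diagnostic sketch for the two explanations discussed in this thread, added here as an example and not taken from the thread, CAS or pac4j: in a SAML assertion, AuthnInstant records when the user authenticated at the IdP while IssueInstant records when the assertion was created, so comparing both with the local clock separates a wrong clock from a long-lived IdP session. The function names, the one-hour lifetime and the five-minute tolerance are assumptions, the sample response is constructed, and the code inspects a captured SAMLResponse value (for example one copied from a SAML tracing tool) without verifying its signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def _ts(value):
    # SAML timestamps are UTC xs:dateTime; fractional seconds and "Z" are dropped.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def diagnose(saml_response_b64, now,
             max_auth_lifetime=timedelta(hours=1),   # assumed setting value
             skew=timedelta(minutes=5)):             # assumed clock tolerance
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML response, refusing to parse")
    root = ET.fromstring(xml)
    assertion = root.find(".//saml:Assertion", NS)
    statement = root.find(".//saml:AuthnStatement", NS)
    if assertion is None or statement is None:
        raise ValueError("no plaintext Assertion/AuthnStatement (encrypted?)")
    issued = _ts(assertion.get("IssueInstant"))
    authn = _ts(statement.get("AuthnInstant"))
    if abs(now - issued) > skew:
        verdict = "clock-skew"        # freshly issued assertion disagrees with our clock
    elif now - authn > max_auth_lifetime + skew:
        verdict = "old-idp-session"   # fresh assertion, but the login itself is old
    elif authn - now > skew:
        verdict = "authn-in-future"
    else:
        verdict = "ok"
    return {"verdict": verdict, "issued": issued, "authn": authn,
            "idp_session_age": issued - authn}

def make_sample_response(issue_instant, authn_instant):
    # Constructed, unsigned sample shaped like an HTTP-POST SAMLResponse value.
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        '<saml:Assertion ID="_constructed" Version="2.0" IssueInstant="%s">'
        '<saml:AuthnStatement AuthnInstant="%s"/>'
        '</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], issue_instant, authn_instant)
    return base64.b64encode(xml.encode()).decode()
```

An "old-idp-session" verdict means raising the lifetime only widens the window in which an assertion for that old login is accepted; a "clock-skew" verdict points back at time synchronisation.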
