Thanks Misagh,
Created an issue for it on github: https://github.com/Jasig/cas/issues/1266

---
Abhijit Gaikwad
Applications Programmer | agaik...@fit.edu

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Monday, November 09, 2015 12:33 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 4.1.1 Google Apps SAML issue

Looks like there is a skewAllowance setting for SAML1 but not for SAML2. Do 
file an issue please.

From: Abhijit Gaikwad [mailto:agaik...@fit.edu]
Sent: Monday, November 9, 2015 9:31 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 4.1.1 Google Apps SAML issue

Hello,
We are working on deploying CAS 4.1.1 to production and were trying to get 
google apps for education SSO to work. Unfortunately I get a "Google Apps - 
This service cannot be accessed because your login credentials have expired. 
Please log in and try again." Error from google. Looking around it seemed to be 
an issue with clocks set on servers, but I have confirmed the clock and ntp is 
configured correctly on the server.

Looking at the saml response I noticed 
"NotOnOrAfter="2015-11-09T09:59:14.000Z"" is set to the current time. Which if 
I understand correctly means by the time it makes it to google a second has 
passed and the credentials have expired.

We have CAS 3.5.x in production and working and looking at the saml response 
from it "NotOnOrAfter="2016-11-09T10:03:00Z"" the date is set to 1 year ahead 
so the credentials don't expire by the time it makes it to google's servers.

(The date

I was able to confirm both of these behaviours in code:
4.1.x: 
https://github.com/Jasig/cas/blob/master/cas-server-support-saml-googleapps/src/main/java/org/jasig/cas/support/saml/authentication/principal/GoogleAccountsServiceResponseBuilder.java#L97

3.5.x: 
https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java#L178

Looking at the forums it appears the above configuration is working for 
people, although I don't see how it would if NotOnOrAfter is set to a time 1 
second in the past. Am I missing something here?

Any guidance will be highly appreciated.

Thanks,
---
Abhijit Gaikwad
Applications Programmer | agaik...@fit.edu
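
The expiry check the original message reasons about, as an added example that is not part of the thread or of CAS: a relying party evaluating a SAML 2.0 `Conditions` window, run against the two `NotOnOrAfter` values quoted above. The `NotBefore` values, the one-second transit time, the `skew` tolerance and the placement of the attribute on `Conditions` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional milliseconds)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, now, skew=timedelta(0)):
    """Return 'valid', 'not-yet-valid' or 'expired' for the <Conditions>
    window as a relying party would see it at time `now`."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return "not-yet-valid"
    # NotOnOrAfter is an exclusive bound: at that instant the assertion
    # has already expired, so a zero-length window is never valid.
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return "expired"
    return "valid"


def assertion(not_before, not_on_or_after):
    """Constructed sample assertion; only the Conditions element matters."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Conditions NotBefore="{not_before}" '
        f'NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:Assertion>"
    )


ISSUED = datetime(2015, 11, 9, 9, 59, 14, tzinfo=timezone.utc)
RECEIVED = ISSUED + timedelta(seconds=1)  # assumed transit time

# 4.1.1 value from the thread: NotOnOrAfter equals the issue instant.
zero_window = assertion("2015-11-09T09:59:14.000Z", "2015-11-09T09:59:14.000Z")
# 3.5.x value from the thread: NotOnOrAfter one year ahead.
long_window = assertion("2015-11-09T09:59:14Z", "2016-11-09T10:03:00Z")

if __name__ == "__main__":
    for name, xml in (("zero window", zero_window), ("long window", long_window)):
        for skew in (timedelta(0), timedelta(seconds=5)):
            print(name, skew, check_conditions(xml, RECEIVED, skew))
```

A receiver-side `skew` only masks the zero-length window; the issuer still has to emit a `NotOnOrAfter` later than the issue instant for a strict relying party to accept the response.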




--

You are currently subscribed to 
cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: 
mmoay...@unicon.net<mailto:mmoay...@unicon.net>

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


