Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-20 Thread Jonathan Charles
You know the rule, reboot three times.

On Fri, Sep 17, 2021 at 6:13 PM Lelio Fulgenzi  wrote:

>
> Hey, that’s great news! A reboot for a solution is an inevitable possibility.
>
> Sent from my iPhone
>
> On Sep 17, 2021, at 6:22 PM, Jonathan Charles  wrote:
>
>
>
> CAUTION: This email originated from outside of the University of Guelph.
> Do not click links or open attachments unless you recognize the sender and
> know the content is safe. If in doubt, forward suspicious emails to
> ith...@uoguelph.ca
>
> So, it looks like we were sending our auth requests to an F5 which was
> sending the requests to two ADFS 2.0 servers... when they hit server 01,
> everything was fine... when they hit server 2, they would error out about
> 30% of the time (hence the infrequency)... we rebooted server 2 and so far
> all connections to server 2 are succeeding (not erroring out via SAML..
> )...
>
> We are monitoring but this appears to be just Windows being Windows.
>
>
> Jonathan
>
> On Fri, Sep 17, 2021 at 4:53 PM Lelio Fulgenzi  wrote:
>
>> Keep us updated on the outcome. This is a good learning experience for
>> all of us.
>>
>> Sent from my iPhone
>>
>> On Sep 17, 2021, at 3:18 PM, Jonathan Charles  wrote:
>>
>>
>>
>>
>> Thanks, let me try it...
>>
>> On Fri, Sep 17, 2021 at 10:23 AM Adam Pawlowski 
>> wrote:
>>
>>> Ask whoever runs the IDP to add a skew or offset to the relationship
>>> that you’re using.
>>>
>>> It is not feasible for the things to be exactly in sync to high
>>> precision at all times, and this comes up using timing from VMWare, mixed
>>> sources etc.
>>>
>>> With ADFS the property is NotBeforeSkew, which you can give a minute or
>>> whatever you’re comfortable with, which should alleviate this issue.
>>>
>>> Best,
>>>
>>> Adam Pawlowski
>>>
>>> *From:* cisco-voip *On Behalf Of* Jonathan Charles
>>> *Sent:* Friday, September 17, 2021 9:00 AM
>>> *To:* Kent Roberts
>>> *Cc:* cisco-voip@puck.nether.net
>>> *Subject:* Re: [cisco-voip] [External] Error Processing SAML Response
>>>
>>> The error message in the Cisco traces (SSO) is:
>>>
>>> 2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger -
>>> SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15
>>> 22:07:44 UTC 2021   *-  this time is 17:07:44 CDT*
>>>
>>> 2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger -
>>> SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44
>>> UTC 2021  *-  this time is 16:07:44 CDT*
>>>
>>> 2021-09-15 15:25:10,642 ERROR [http-nio-81-exec-10]
>>> authentication.SAMLAuthenticator - Error while processing saml response The
>>> time in the Assertion's Condition is invalid.
>>> com.sun.identity.saml2.common.SAML2Exception: The time in the
>>> Assertion's Condition is invalid.
>>>
>>> Basically what appears to be occurring is we get a NotBefore of 1 second
>>> after our request came in (16:07:43) and it gets killed.
>>>
>>> The real question is what they need to do on the ADFS side to fix
>>> this... why are they sending us a time in the future? The argument is NTP
>>> is off by one second for one of the servers (all of them show synched)...
>>>
>>> Jonathan
>>>
>>> On Thu, Sep 16, 2021 at 8:29 PM Kent Roberts  wrote:
>>>
>>> Oh, ok if I misunderstood then, yes a SAML trace would be good, as well
>>> as knowing is this new or did it work.   Seems similar to what I have seen
>>> in UCCE with the packet stuff not signed or wrong encryption type… course
>>> that's UCCE vs CUCM,  but usually cucm just works…
>>>
>>>
>>>
>>>
>>>
>>> On Sep 16, 2021, at 6:45 PM, Johnson, Tim  wrote:
>>>

Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Lelio Fulgenzi

Hey, that’s great news! A reboot for a solution is an inevitable possibility.

Sent from my iPhone

On Sep 17, 2021, at 6:22 PM, Jonathan Charles  wrote:



On Sep 16, 2021, at 6:45 PM, Johnson, Tim wrote:

Nah, looks like he said logging into CCM Admin pages, with AD accounts, so all 
areas of the web UI (I believe). The NTP errors that I’ve seen are presented as 
SAML assertion errors.

I’m curious if this is a new SSO config, or if it was working properly and 
something’s changed.

From: cisco-voip On Behalf Of Kent Roberts
Sent: Thursday, September 16, 2021 8:37 PM
To: Matthew Loraditch
Cc: cisco-voip@puck.nether.net
Subject: [External] Re: [cisco-voip] Error Processing SAML Response

Remember he said it also was happening on the CUCM Admin account which has 
nothing to do with SSO/SAML.   So means it's most likely internal to cucm...

On Sep 16, 2021, at 4:36 PM, Matthew Loraditch wrote:

The logs are pretty clear when it's a time difference as the error. I’ve not 
seen it randomly occur but definitely the error will be it’s time and may even 
show the difference.

It's the 4j log file for sso I believe


Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Jonathan Charles
So, it looks like we were sending our auth requests to an F5 which was
sending the requests to two ADFS 2.0 servers... when they hit server 01,
everything was fine... when they hit server 2, they would error out about
30% of the time (hence the infrequency)... we rebooted server 2 and so far
all connections to server 2 are succeeding (not erroring out via SAML.. )...

We are monitoring but this appears to be just Windows being Windows.


Jonathan

On Fri, Sep 17, 2021 at 4:53 PM Lelio Fulgenzi  wrote:


Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Lelio Fulgenzi
Keep us updated on the outcome. This is a good learning experience for all of 
us.

Sent from my iPhone

On Sep 17, 2021, at 3:18 PM, Jonathan Charles  wrote:




Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Jonathan Charles
Thanks, let me try it...

On Fri, Sep 17, 2021 at 10:23 AM Adam Pawlowski  wrote:


Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Adam Pawlowski
Ask whoever runs the IDP to add a skew or offset to the relationship that 
you’re using.

It is not feasible for the things to be exactly in sync to high precision at 
all times, and this comes up using timing from VMWare, mixed sources etc.

With ADFS the property is NotBeforeSkew, which you can give a minute or 
whatever you’re comfortable with, which should alleviate this issue.

Best,

Adam Pawlowski



From: cisco-voip  On Behalf Of Jonathan 
Charles
Sent: Friday, September 17, 2021 9:00 AM
To: Kent Roberts 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Error Processing SAML Response

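The check the CUCM trace logs as SAML2Utils.checkConditions, and the effect of the NotBeforeSkew fix Adam describes, as an added example (not code from the thread, from Cisco or from ADFS): a Python model of the SP-side <Conditions> check, fed the NotBefore/NotOnOrAfter values and the 16:07:43,791 CDT timestamp from Jonathan's trace. How ADFS applies NotBeforeSkew (backdating NotBefore by that many minutes) is an assumption of the model, and the Issuer URL is a placeholder.

```python
"""Added example (not from the thread, Cisco or ADFS): replay the SAML
<Conditions> time check from the CUCM trace, then show why backdating
NotBefore on the IdP (ADFS NotBeforeSkew) or allowing skew on the SP makes
a one-second clock lead harmless. All XML and timestamps are constructed
from the values quoted in the thread."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# SP clock when CUCM evaluated the assertion: 16:07:43,791 CDT == 21:07:43.791 UTC.
SP_NOW = datetime(2021, 9, 15, 21, 7, 43, 791000, tzinfo=timezone.utc)

# Constructed assertion carrying exactly the Conditions the trace printed
# (NotBefore 21:07:44 UTC, NotOnOrAfter 22:07:44 UTC). Issuer is a placeholder.
TRACE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id"
    Version="2.0" IssueInstant="2021-09-15T21:07:44Z">
  <saml:Issuer>http://adfs.example.invalid/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2021-09-15T21:07:44Z"
                   NotOnOrAfter="2021-09-15T22:07:44Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """xs:dateTime as SAML 2.0 requires it: UTC, trailing 'Z', optional fraction.
    Anything else is rejected rather than guessed (no local-time/DST ambiguity)."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML time must be UTC with trailing Z: {value!r}")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def format_saml_time(value: datetime) -> str:
    """Inverse of parse_saml_time; sub-second precision is dropped."""
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


@dataclass
class ConditionsResult:
    ok: bool
    reason: str
    not_before: Optional[datetime]
    not_on_or_after: Optional[datetime]


def check_conditions(assertion_xml: str, now: datetime,
                     tolerance: timedelta = timedelta(0)) -> ConditionsResult:
    """SP-side validation of <Conditions>. 'tolerance' is the SP's own skew
    allowance; zero reproduces the strict check seen in the CUCM trace."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ConditionsResult(False, "no Conditions element", None, None)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    not_before = parse_saml_time(nb) if nb else None
    not_on_or_after = parse_saml_time(noa) if noa else None
    # NotBefore is inclusive: valid once now (plus tolerance) reaches it.
    if not_before is not None and now + tolerance < not_before:
        return ConditionsResult(False, "NotBefore is in the future",
                                not_before, not_on_or_after)
    # NotOnOrAfter is exclusive: invalid once now (minus tolerance) reaches it.
    if not_on_or_after is not None and now - tolerance >= not_on_or_after:
        return ConditionsResult(False, "assertion has expired",
                                not_before, not_on_or_after)
    return ConditionsResult(True, "conditions satisfied",
                            not_before, not_on_or_after)


def build_assertion(idp_now: datetime, lifetime: timedelta,
                    not_before_skew: timedelta) -> str:
    """IdP-side view. Assumption: ADFS NotBeforeSkew backdates NotBefore by
    the configured skew; 'lifetime' sets NotOnOrAfter."""
    not_before = format_saml_time(idp_now - not_before_skew)
    not_on_or_after = format_saml_time(idp_now + lifetime)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id" '
            f'Version="2.0" IssueInstant="{format_saml_time(idp_now)}">'
            f'<saml:Issuer>http://adfs.example.invalid/adfs/services/trust</saml:Issuer>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
            f'</saml:Assertion>')


def demo() -> dict:
    """Scenarios from the thread, keyed by name -> (ok, reason)."""
    # IdP clock one second ahead of the SP, as the thread's NTP argument says.
    idp_now = SP_NOW.replace(microsecond=0) + timedelta(seconds=1)  # 21:07:44Z
    one_hour, one_minute = timedelta(hours=1), timedelta(minutes=1)
    cases = {
        "trace_strict": check_conditions(TRACE_ASSERTION, SP_NOW),
        "trace_sp_tolerance_1m": check_conditions(TRACE_ASSERTION, SP_NOW, one_minute),
        "adfs_skew_0": check_conditions(
            build_assertion(idp_now, one_hour, timedelta(0)), SP_NOW),
        "adfs_skew_1m": check_conditions(
            build_assertion(idp_now, one_hour, one_minute), SP_NOW),
    }
    return {name: (r.ok, r.reason) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The strict case fails exactly as the trace does; either the IdP-side NotBeforeSkew or an SP-side tolerance turns it into a pass, while an assertion checked at or after its NotOnOrAfter still fails.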

Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Gentoo
Is one system observing Daylight Savings Time and the other is not?

> On Sep 17, 2021, at 08:14, Jonathan Charles  wrote:
> 
> 
> Here is another one that failed... but the timestamp is not off... 
> 
> 2021-09-15 16:06:26,226 DEBUG [http-nio-81-exec-4] fappend.SamlLogger - 
> SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:06:26 UTC 
> 2021
> 
> 2021-09-15 16:06:26,226 DEBUG [http-nio-81-exec-4] fappend.SamlLogger - 
> SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:06:26 UTC 2021
> 
> 2021-09-15 16:06:26,226 DEBUG [http-nio-81-exec-4] fappend.SamlLogger - 
> SAML2Utils.checkConditions: The assertion does not meet NotOnOrAfter or 
> NotBefore condition.
> 
>  
> 
 
 
 
 
From: cisco-voip on behalf of Lelio Fulgenzi
Sent: Thursday, September 16, 2021 4:32:12 PM
To: Jonathan Charles; Benjamin Turner
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Error Processing SAML Response

[EXTERNAL]

Have you been able to confirm the time difference?

I’m not trying to take their side of things, but if it’s minutes off, I 
wouldn’t doubt that’s possible. SSO is highly secure, right? A time 
difference might be enough to throw it off?

Here’s a reference:

https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907

From: cisco-voip On Behalf Of Jonathan Charles
Sent: Thursday, September 16, 2021 6:23 PM
To: Benjamin Turner
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Error Processing SAML Response
  
 CAUTION: This email originated from outside of the University of Guelph. 
 Do not click links or open attachments unless you recognize the sender and 
 know the content is safe. If in doubt, forward suspicious emails to 
 ith...@uoguelph.ca
  
 No... TBH, I have never heard of it...
  
 TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC 
 

Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Jonathan Charles
Here is another one that failed... but the timestamp is not off...

2021-09-15 16:06:26,226 DEBUG [http-nio-81-exec-4] fappend.SamlLogger -
SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:06:26
UTC 2021

2021-09-15 16:06:26,226 DEBUG [http-nio-81-exec-4] fappend.SamlLogger -
SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:06:26 UTC
2021

2021-09-15 16:06:26,226 DEBUG [http-nio-81-exec-4] fappend.SamlLogger -
SAML2Utils.checkConditions: The assertion does not meet NotOnOrAfter or
NotBefore condition.




Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Johnson, Tim
Just for the sake of sanity, all servers are using the same NTP server(s)? And 
if needed, before adjusting NTP, just remember that changing it can alter 
license MAC.


Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-17 Thread Jonathan Charles
The error message in the Cisco traces (SSO) is:

2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger -
SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:07:44
UTC 2021   *-  this time is 17:07:44 CDT*

2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger -
SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44 UTC
2021  *-  this time is 16:07:44 CDT*

2021-09-15 15:25:10,642 ERROR [http-nio-81-exec-10]
authentication.SAMLAuthenticator - Error while processing saml response The
time in the Assertion's Condition is invalid.
com.sun.identity.saml2.common.SAML2Exception: The time in the Assertion's
Condition is invalid.

Basically what appears to be occurring is we get a NotBefore of 1 second
after our request came in (16:07:43) and it gets killed

The real question is what they need to do on the ADFS side to fix this...
why are they sending us a time in the future? The argument is NTP is off by
one second for one of the servers (all of them show synched)...


Jonathan
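As an added illustration (not code from this thread, from Cisco or from Microsoft), the following Python re-implements the NotBefore/NotOnOrAfter check that the two SamlLogger lines above record, and runs it over those exact lines. It assumes the leading CUCM log timestamp is the server's local time in CDT (UTC-05:00), which is what the "16:07:44 CDT" gloss implies; the condition values are printed in UTC. With a strict check the assertion is rejected because NotBefore is 209 ms ahead of the moment the SP evaluated it; with a one-minute tolerance it passes; and the same assertion presented two hours later is still rejected, which is the reason the tolerance should stay small.

```python
import re
from datetime import datetime, timedelta, timezone

# The two SamlLogger lines quoted above, copied from the thread. CUCM writes the
# leading timestamp in the server's local zone; ASSUMPTION: that zone is CDT
# (UTC-05:00), which is what the "16:07:44 CDT" gloss in the message implies.
SSO_TRACE = """\
2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - SAML2Utils.checkConditions: NotOnOrAfter Condition = Wed Sep 15 22:07:44 UTC 2021
2021-09-15 16:07:43,791 DEBUG [http-nio-81-exec-22] fappend.SamlLogger - SAML2Utils.checkConditions: NotBefore Condition = Wed Sep 15 21:07:44 UTC 2021
"""
LOG_TZ = timezone(timedelta(hours=-5))  # assumed local zone of the CUCM log (CDT)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) .*?"
    r"SAML2Utils\.checkConditions: (?P<name>NotBefore|NotOnOrAfter) Condition = "
    r"(?P<value>.+?)\s*$"
)


def parse_trace(text, log_tz=LOG_TZ):
    """Return (instant the SP evaluated the assertion, {condition: instant}), all in UTC.

    The condition values use Java's Date.toString() layout and are already UTC.
    """
    evaluated_at, conds = None, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(
            microsecond=int(m["ms"]) * 1000, tzinfo=log_tz)
        evaluated_at = evaluated_at or ts.astimezone(timezone.utc)
        conds[m["name"]] = datetime.strptime(
            m["value"], "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)
    if evaluated_at is None:
        raise ValueError("no SAML2Utils.checkConditions lines found")
    return evaluated_at, conds


def check_conditions(now, not_before=None, not_on_or_after=None, skew=timedelta(0)):
    """SAML 2.0 Core <Conditions> rule: valid iff NotBefore <= now < NotOnOrAfter.

    `skew` widens both edges symmetrically, the way an SP-side clock-skew
    allowance does. Returns (accepted, reason).
    """
    if not_before is not None and now + skew < not_before:
        lead = (not_before - now).total_seconds()
        return False, f"NotBefore is {lead:.3f}s in the future (skew {skew.total_seconds():.0f}s)"
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        age = (now - not_on_or_after).total_seconds()
        return False, f"NotOnOrAfter passed {age:.3f}s ago (skew {skew.total_seconds():.0f}s)"
    return True, "ok"


def evaluate(trace=SSO_TRACE, skew_seconds=0, delay_seconds=0):
    """Re-run the check on a trace; delay_seconds models the same assertion presented later."""
    evaluated_at, conds = parse_trace(trace)
    now = evaluated_at + timedelta(seconds=delay_seconds)
    return check_conditions(now, conds.get("NotBefore"), conds.get("NotOnOrAfter"),
                            timedelta(seconds=skew_seconds))


if __name__ == "__main__":
    print(evaluate())                                     # rejected: NotBefore 0.209s ahead
    print(evaluate(skew_seconds=60))                      # accepted: 1 min tolerance covers it
    print(evaluate(skew_seconds=60, delay_seconds=7200))  # rejected: tolerance does not excuse expiry
```

The third case is why the tolerance is kept to a minute or so rather than "large enough to never fail": every second added to the skew is a second longer that a captured assertion can be replayed, so the allowance papers over sub-second drift while NTP on both sides remains the actual fix. The tolerance is applied on the verifier side here only to make the arithmetic visible; ADFS's NotBeforeSkew setting on the relying-party trust has the same effect by issuing the assertion with NotBefore backdated, so the SP's strict check can stay as it is.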


Re: [cisco-voip] [External] Error Processing SAML Response

2021-09-16 Thread Kent Roberts
Oh, ok, if I misunderstood then, yes, a SAML trace would be good, as well as 
knowing is this new or did it work.   Seems similar to what I have seen in UCCE 
with the packet stuff not signed or wrong encryption type… 'course that's UCCE vs 
CUCM,  but usually CUCM just works…


> On Sep 16, 2021, at 6:45 PM, Johnson, Tim  wrote:
> 
> Nah, looks like he said logging into CCM Admin pages, with AD accounts, so 
> all areas of the web UI (I believe). The NTP errors that I’ve seen are 
> presented as SAML assertion errors.
>  
> I’m curious if this is a new SSO config, or if it was working properly and 
> something’s changed.
>  
> From: cisco-voip On Behalf Of Kent Roberts
> Sent: Thursday, September 16, 2021 8:37 PM
> To: Matthew Loraditch
> Cc: cisco-voip@puck.nether.net 
> Subject: [External] Re: [cisco-voip] Error Processing SAML Response
>  
> Remember he said it also was happening on the CUCM Admin account which has 
> nothing to do with SSO/SAML.   So means its most likely internal to cucm...
> 
> 
> On Sep 16, 2021, at 4:36 PM, Matthew Loraditch wrote:
>  
> The logs are pretty clear when its a time difference as the error. I’ve not 
> seen it randomly occur but definitely the error will be it’s time and may 
> even show the difference. 
>  
> Its the 4j log file for sso I believe 
>  
> Get Outlook for iOS 
>  
> Matthew Loraditch​
> Sr. Network Engineer
> (He/Him/His)
> p: 443.541.1518 
> w: www.heliontechnologies.com 
>  | 
> e: mloradi...@heliontechnologies.com 
> 
>  
>     
>  
>  
> From: cisco-voip on behalf of Lelio Fulgenzi
> Sent: Thursday, September 16, 2021 4:32:12 PM
> To: Jonathan Charles; Benjamin Turner
> Cc: cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] Error Processing SAML Response
>  
>  
> [EXTERNAL]
>  
>  
> Have you been able to confirm the time difference?
>  
> I’m not trying to take their side of things, but if it’s minutes off, I 
> wouldn’t doubt that’s possible. SSO is highly secure, right? A time 
> difference might be enough to throw it off?
>  
> Here’s  reference:
>  
> https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907
>  
> 
>  
>  
>  
> From: cisco-voip On Behalf Of Jonathan Charles
> Sent: Thursday, September 16, 2021 6:23 PM
> To: Benjamin Turner
> Cc: cisco-voip@puck.nether.net 
> Subject: Re: [cisco-voip] Error Processing SAML Response
>  
> CAUTION: This email originated from outside of the University of Guelph. Do 
> not click links or open attachments unless you recognize the sender and know 
> the content is safe. If in doubt, forward suspicious emails to 
> ith...@uoguelph.ca 
>  
> No... TBH, I have never heard of it...
>  
> TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC and 
> ADFS... 
>  
>  
> Jonathan
>  
> On Thu, Sep 16, 2021 at 4:08 PM Benjamin Turner wrote:
> Have you tried to run a SAML Tracer? 
>  
> Sincerely,
> Benjamin M. Turner
> From: cisco-voip on behalf of Jonathan Charles
> Sent: Thursday, September 16, 2021 4:56:48 PM
> To: cisco-voip@puck.nether.net
> Subject: [cisco-voip] Error Processing SAML Response
>  
> So, users are randomly getting the above error when logging into CUCM UCMUser 
> or CUC Inbox... we are also getting it using AD credentials into admin pages 
> for CUCM/CUC/etc.
>  
> For a user, it will work fine repeatedly, then you will get the error, close 
> your browser, and reopen, still get the error for a few minutes. Then later 
> it will work. When a user is affected, other users work fine.
>  
> TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP 
> (ADFS 2.0) is fine.
>  
> Pings are around 1ms between servers.
>  
> Any ideas?
>  
>  
> Jonathan
>  
>  
>  
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-voip 
>