You are viewing limited content. For full access, please sign in.

Question

Question

Okta NotOnOrfter condition is not satisfied

Directory Server Version 12 Self-Hosted
Updated December 4
asked on December 3 Show version history

Wondering if anyone out there that has worked with Okta has seen the following error. I am configuring a dev Okta account as a SAML idP in Directory Server. Everything was going great until I tried to authenticate. When I click the SAML login button on the LFDSSTS page I am taken to the Okta login page as expected and am able to authenticate, but after doing so I am taken to mydomain/LFDSSTS/SAML2/SSO and presented with this error:

{"ErrorCode":null,"ShowReturnLink":true,"Error":true,"Message":"The identity provider may not be configured correctly.  Contact your administrator: ID4148: The Saml2SecurityToken is rejected because the SAML2:Assertion\u0027s NotOnOrAfter condition is not satisfied.\nNotOnOrAfter: \u002712/4/2024 2:52:12 AM\u0027\nCurrent time: \u002712/4/2024 3:47:11 AM\u0027"}

From what I have gathered from searching the internet is that there is some kind of a time issue. I have verified that the time on my server is correct, so I'm not sure what else to check. Any help would be appreciated. I am using Directory Server 12.0.2410.65.

0 0

Replies

replied on December 4

It looks to me like an expired cert that Okta is using to encrypt the response.

replied on December 4

Well, it gives you the timestamps it's working with right in the error message:

NotOnOrAfter: 12/4/2024 2:52:12 AM
Current time: 12/4/2024 3:47:11 AM

That looks very suspiciously like a five-minute validity period where one of the servers/services is off by an hour to me. I don't know when you made that specific request so couldn't say which is right.

I'd take a look at the actual Okta SAML response "NotOnOrAfter" Condition property and sanity check it against a known valid time source (NIST etc.) to verify that Okta isn't sending out responses that are already invalid at time of issue.

0 0
replied on December 4

I created an app in Okta using the same Okta tenant and connected it to Laserfiche Cloud and it works as expected, so I don't believe it is an Okta issue. I'll keep testing.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...