KB-1901 SAML authentication results in 401 caused by "Message was rejected because it was issued in the future" errors

Symptoms

SAML authentication results in a 401 error for all users. The SAML authentication attempt is logged as FAILED in the <APPIAN_HOME>/logs/login-audit.csv file. However, Appian authentication works as expected.

There is a mismatch in the server time on SAML Identity Provider (IdP) server and the server hosting the Appian application server. The following error message is also observed in the application server log:

ERROR com.appiancorp.security.auth.saml.SamlTestServlet - Error occurred during SAML authentication test: SAML Message context failed message handler check
com.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException: SAML Message context failed message handler check
...
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message was rejected because it was issued in the future

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

When the SAML Identity Provider authorizes the token, it is dated with the exact time and date when it was sent to Appian. When Appian receives this request, it rejects the token considering the request being sent in the past or the future depending on the mismatch of the server time.

Action

Ensure that the servers involved in the authentication process (IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: June 2020

Related
Recommended