SAML authentication results in a 401 error for all users. The SAML authentication attempt is logged as FAILED in the <APPIAN_HOME>/logs/login-audit.csv file. However, Appian authentication works as expected.
There is a mismatch in the server time on SAML Identity Provider (IdP) server and the server hosting the Appian application server. The following error message is also observed in the application server log:
ERROR com.appiancorp.security.auth.saml.SamlTestServlet - Error occurred during SAML authentication test: SAML Message context failed message handler checkcom.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException: SAML Message context failed message handler check...Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message was rejected because it was issued in the future
This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.
When the SAML Identity Provider authorizes the token, it is dated with the exact time and date when it was sent to Appian. When Appian receives this request, it rejects the token considering the request being sent in the past or the future depending on the mismatch of the server time.
Ensure that the servers involved in the authentication process (IdP Server, Appian application server) are configured with the correct time.
This article applies to all versions of Appian.
Last Reviewed: June 2020
© 2020 Appian. All rights reserved.