KB-1901 SAML authentication results in 401 caused by "Message was rejected because it was issued in the future" errors

Parmida Borhani — Wed, 01 Jul 2020 05:36:36 GMT

Current Revision posted to Appian Knowledge Base by Parmida Borhani on 7/1/2020 5:36:36 AM

Symptoms

SAML authentication results in a 401 error for all users. The SAML authentication attempt is logged as FAILED in the <APPIAN_HOME>/logs/login-audit.csv file. However, Appian authentication works as expected.

There is a mismatch in the server time on SAML Identity Provider (IdP) server and the server hosting the Appian application server. The following error message is also observed in the application server log:

ERROR com.appiancorp.security.auth.saml.SamlTestServlet - Error occurred during SAML authentication test: SAML Message context failed message handler check
com.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException: SAML Message context failed message handler check
...
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message was rejected because it was issued in the future

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

When the SAML Identity Provider authorizes the token, it is dated with the exact time and date when it was sent to Appian. When Appian receives this request, it rejects the token considering the request being sent in the past or the future depending on the mismatch of the server time.

Action

Ensure that the servers involved in the authentication process (IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: June 2020

Tags: SAML, integration, 401, message rejected, authentication, issued in the future

KB-1901 SAML authentication results in 401 caused by "Message was rejected because it was issued in the future" errors

Parmida Borhani — Wed, 01 Jul 2020 05:35:52 GMT

Revision 14 posted to Appian Knowledge Base by Parmida Borhani on 7/1/2020 5:35:52 AM

Symptoms

ERROR com.appiancorp.security.auth.saml.SamlTestServlet - Error occurred during SAML authentication test: SAML Message context failed message handler check
com.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException: SAML Message context failed message handler check
...
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message was rejected because it was issued in the future

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

Action

Ensure that the servers involved in the authentication process (IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: June 2020

Tags: SAML, integration, 401, message rejected, authentication

KB-1901 SAML authentication results in 401 caused by "Message was rejected because it was issued in the future" errors

Parmida Borhani — Wed, 01 Jul 2020 05:33:42 GMT

Revision 13 posted to Appian Knowledge Base by Parmida Borhani on 7/1/2020 5:33:42 AM

Symptoms

ERROR com.appiancorp.security.auth.saml.SamlTestServlet - Error occurred during SAML authentication test: SAML Message context failed message handler check
com.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException: SAML Message context failed message handler check
...
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message was rejected because it was issued in the future

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

Action

Ensure that the servers involved in the authentication process (IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: June 2020

Tags: SAML, integration, 401, authentication

KB-1901 SAML authentication results in a 401 error due to wrong server time

Parmida Borhani — Thu, 04 Jun 2020 07:01:37 GMT

Revision 12 posted to Appian Knowledge Base by Parmida Borhani on 6/4/2020 7:01:37 AM

Symptoms

ERROR com.appiancorp.security.auth.saml.SamlTestServlet - Error occurred during SAML authentication test: SAML Message context failed message handler check
com.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException: SAML Message context failed message handler check
...
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message was rejected because it was issued in the future

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

Action

Ensure that the servers involved in the authentication process (IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: June 2020

Tags: SAML, integration, 401, authentication

KB-1901 SAML authentication results in a 401 error due to wrong server time

Parmida Borhani — Thu, 04 Jun 2020 07:01:17 GMT

Revision 11 posted to Appian Knowledge Base by Parmida Borhani on 6/4/2020 7:01:17 AM

Symptoms

ERROR com.appiancorp.security.auth.saml.SamlTestServlet - Error occurred during SAML authentication test: SAML Message context failed message handler check
com.appiancorp.security.auth.saml.exception.SecurityPolicyViolatedException: SAML Message context failed message handler check
...
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message was rejected because it was issued in the future

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

Action

Ensure that the servers involved in the authentication process(IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: June 2020

Tags: SAML, integration, 401, authentication

KB-1901 SAML authentication results in a 401 error due to wrong server time

Jordan Horwat — Thu, 28 Mar 2019 14:46:49 GMT

Revision 10 posted to Appian Knowledge Base by Jordan Horwat on 3/28/2019 2:46:49 PM

Symptoms

There is a mismatch in the server time on SAML Identity Provider (IdP) server and the server hosting the Appian application server.

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

Action

Ensure that the servers involved in the authentication process(IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

DRAFT KB-XXXX SAML authentication results in a 401 error due to wrong server time

Tejas Kargutkar — Fri, 15 Mar 2019 09:55:59 GMT

Revision 9 posted to Appian Knowledge Base by Tejas Kargutkar on 3/15/2019 9:55:59 AM

Symptoms

There is a mismatch in the server time on IdP server and the server hosting the Appian application server.

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

Action

Ensure that the servers involved in the authentication process(IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

DRAFT KB-XXXX SAML authentication results in a 401 error due to wrong server time

Tejas Kargutkar — Fri, 15 Mar 2019 09:55:15 GMT

Revision 8 posted to Appian Knowledge Base by Tejas Kargutkar on 3/15/2019 9:55:15 AM

Symptoms

There is a mismatch in the server time on IdP server and the server hosting Appian.

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

Action

Ensure that the servers involved in the authentication process(IdP Server, Appian application server) are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

DRAFT KB-XXXX SAML authentication results in a 401 error due to wrong server time

Tejas Kargutkar — Fri, 15 Mar 2019 09:50:27 GMT

Revision 7 posted to Appian Knowledge Base by Tejas Kargutkar on 3/15/2019 9:50:27 AM

Symptoms

There is a mismatch in the server time on IdP server and the server hosting Appian.

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

Action

Ensure that the servers involved in the authentication process are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

DRAFT KB-XXXX SAML authentication results in a 401 error due to wrong server time

Jordan Horwat — Thu, 14 Mar 2019 16:00:38 GMT

Revision 6 posted to Appian Knowledge Base by Jordan Horwat on 3/14/2019 4:00:38 PM

Symptoms

Cause

This issue may occur when a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response. For example, there is a mismatch between the server time on IdP server and the server hosting Appian.

Action

Ensure that the servers involved in the authentication process are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

SSO authentication results in a 401 due to wrong server time

Tejas Kargutkar — Fri, 08 Mar 2019 17:33:31 GMT

Revision 1 posted to Appian Knowledge Base by Tejas Kargutkar on 3/8/2019 5:33:31 PM

Symptoms

SAML authentication results in a 401 error for all users.

Appian authentication works as expected.

The authentication attempt in the <APPIAN_HOME>/logs/login-audit.csv is logged as FAILED.

Cause

SAML response has a timestamp associated with it. This issue may happen if a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

This has been observed in cases where server hosting the Appian application has the server time off by a minute or more.

Action

Ensure that the servers involved in the authentication process are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

DRAFT KB-XXXX SAML authentication results in a 401 error due to wrong server time

Jordan Horwat — Fri, 08 Mar 2019 15:56:04 GMT

Revision 5 posted to Appian Knowledge Base by Jordan Horwat on 3/8/2019 3:56:04 PM

Symptoms

Cause

This issue may happen if a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

This has been observed in cases where server hosting the Appian application has the server time off by a minute or more.

Action

Ensure that the servers involved in the authentication process are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

DRAFT KB-XXXX SAML authentication results in a 401 error due to wrong server time

Tejas Kargutkar — Fri, 08 Mar 2019 12:42:25 GMT

Revision 4 posted to Appian Knowledge Base by Tejas Kargutkar on 3/8/2019 12:42:25 PM

Symptoms

SAML authentication results in a 401 error for all users.

Appian authentication works as expected.

The authentication attempt in the <APPIAN_HOME>/logs/login-audit.csv is logged as FAILED.

Cause

This issue may happen if a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

This has been observed in cases where server hosting the Appian application has the server time off by a minute or more.

Action

Ensure that the servers involved in the authentication process are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

DRAFT KB-XXXX SSO authentication results in a 401 due to wrong server time

Tejas Kargutkar — Fri, 08 Mar 2019 12:39:38 GMT

Revision 3 posted to Appian Knowledge Base by Tejas Kargutkar on 3/8/2019 12:39:38 PM

Symptoms

SAML authentication results in a 401 error for all users.

Appian authentication works as expected.

The authentication attempt in the <APPIAN_HOME>/logs/login-audit.csv is logged as FAILED.

Cause

This issue may happen if a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

This has been observed in cases where server hosting the Appian application has the server time off by a minute or more.

Action

Ensure that the servers involved in the authentication process are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication

SSO authentication results in a 401 due to wrong server time

Tejas Kargutkar — Fri, 08 Mar 2019 12:35:17 GMT

Revision 2 posted to Appian Knowledge Base by Tejas Kargutkar on 3/8/2019 12:35:17 PM

Symptoms

SAML authentication results in a 401 error for all users.

Appian authentication works as expected.

The authentication attempt in the <APPIAN_HOME>/logs/login-audit.csv is logged as FAILED.

Cause

This issue may happen if a wrong date or time is set on the servers involved in the authentication process, which will invalidate the SAML request/response.

This has been observed in cases where server hosting the Appian application has the server time off by a minute or more.

Action

Ensure that the servers involved in the authentication process are configured with the correct time.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: March 2019

Tags: SAML, integration, authentication