The community will undergo maintenance on October 16th at 10:00 PM PDT and will be unavailable for up to one hour.
I am using ThingWorx Platform Release 9.3 and DatecodeSP5
We are getting authentication errors intermittently on Edge and Chrome browsers with SAML. This happened over the weekend after a year or more of successful SAML authentication in those browsers. We resolved the issue by increasing the value for "samlAssertionMaxAuthenticationAge" in the sso-settings.json file but still don't understand why the issue started. Can you provide help with understanding what caused this issue to help prevent it in the future?
Here are the errors that I faced
[ Error validating SAML message ][ Response doesn't have any valid assertion which would pass subject validation ][ Authentication statement is too old to be used with value
Solved! Go to Solution.
Hi @joetenny,
Once a user signs in to IDP, usually you can keep that user signed in. so that when the user login to other applications connected to the same IDP, it is not necessary to re-enter the user credentials -- the benefits of Single Sign On
In other words, as long as the user is logged in IDP, the same user (session remembers that user) doesn't have to authenticate again to access ThingWorx.
It's a good thing for users as it saves time and effort but it also exposes some security concerns as we assume it's the same user and not challenging the user identity when they access the application the second time onwards -- it's probably more secure to let users authenticate again after some passes. (a balance between convenience and security)
In the SAML response sent from IDP to SP, there's an attribute called AuthnInstant that indicates the time at which the user authenticated, check out below link for more information.
ThingWorx will check this value AuthnInstant in the response against the samlAssertionMaxAuthenticationAge in sso-settings.json to decide whether the authentication is too old or acceptable.
If the IDP authentication happened long time ago, older than the configured setting, this error will occur suggesting the user to logout from IDP and authenticate himself/herself again.
Hope that clarifies.
Articles:
Hi @joetenny,
Once a user signs in to IDP, usually you can keep that user signed in. so that when the user login to other applications connected to the same IDP, it is not necessary to re-enter the user credentials -- the benefits of Single Sign On
In other words, as long as the user is logged in IDP, the same user (session remembers that user) doesn't have to authenticate again to access ThingWorx.
It's a good thing for users as it saves time and effort but it also exposes some security concerns as we assume it's the same user and not challenging the user identity when they access the application the second time onwards -- it's probably more secure to let users authenticate again after some passes. (a balance between convenience and security)
In the SAML response sent from IDP to SP, there's an attribute called AuthnInstant that indicates the time at which the user authenticated, check out below link for more information.
ThingWorx will check this value AuthnInstant in the response against the samlAssertionMaxAuthenticationAge in sso-settings.json to decide whether the authentication is too old or acceptable.
If the IDP authentication happened long time ago, older than the configured setting, this error will occur suggesting the user to logout from IDP and authenticate himself/herself again.
Hope that clarifies.