cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Stay updated on what is happening on the PTC Community by subscribing to PTC Community Announcements. X

SAML Authentication Errors

Go to solution
joetenny
5-Regular Member
5-Regular Member
‎Aug 28, 2024 02:20 PM
‎Aug 28, 2024 02:20 PM

SAML Authentication Errors

I am using ThingWorx Platform Release 9.3 and DatecodeSP5

We are getting authentication errors intermittently on Edge and Chrome browsers with SAML. This happened over the weekend after a year or more of successful SAML authentication in those browsers. We resolved the issue by increasing the value for "samlAssertionMaxAuthenticationAge" in the sso-settings.json file but still don't understand why the issue started. Can you provide help with understanding what caused this issue to help prevent it in the future?

Here are the errors that I faced
[ Error validating SAML message ][ Response doesn't have any valid assertion which would pass subject validation ][ Authentication statement is too old to be used with value

Labels:
0 Kudos
Notify Moderator
ACCEPTED SOLUTION

Accepted Solutions
TonyZhang
13-Aquamarine
13-Aquamarine
(To:joetenny)
‎Sep 02, 2024 11:32 PM
‎Sep 02, 2024 11:32 PM

Hi @joetenny,

 

Once a user signs in to IDP, usually you can keep that user signed in. so that when the user login to other applications connected to the same IDP, it is not necessary to re-enter the user credentials -- the benefits of Single Sign On

In other words, as long as the user is logged in IDP, the same user (session remembers that user) doesn't have to authenticate again to access ThingWorx.

It's a good thing for users as it saves time and effort but it also exposes some security concerns as we assume it's the same user and not challenging the user identity when they access the application the second time onwards -- it's probably more secure to let users authenticate again after some passes. (a balance between convenience and security)

In the SAML response sent from IDP to SP, there's an attribute called AuthnInstant that indicates the time at which the user authenticated, check out below link for more information.

https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#authnstatement 

ThingWorx will check this value AuthnInstant in the response against the samlAssertionMaxAuthenticationAge in sso-settings.json to decide whether the authentication is too old or acceptable.

If the IDP authentication happened long time ago, older than the configured setting, this error will occur suggesting the user to logout from IDP and authenticate himself/herself again.

 

Hope that clarifies.

View solution in original post

Notify Moderator
2 REPLIES 2
VladimirN
24-Ruby II
24-Ruby II
(To:joetenny)
‎Aug 28, 2024 04:15 PM
‎Aug 28, 2024 04:15 PM

Articles:

0 Kudos
Notify Moderator
TonyZhang
13-Aquamarine
13-Aquamarine
(To:joetenny)
‎Sep 02, 2024 11:32 PM
‎Sep 02, 2024 11:32 PM

Hi @joetenny,

 

Once a user signs in to IDP, usually you can keep that user signed in. so that when the user login to other applications connected to the same IDP, it is not necessary to re-enter the user credentials -- the benefits of Single Sign On

In other words, as long as the user is logged in IDP, the same user (session remembers that user) doesn't have to authenticate again to access ThingWorx.

It's a good thing for users as it saves time and effort but it also exposes some security concerns as we assume it's the same user and not challenging the user identity when they access the application the second time onwards -- it's probably more secure to let users authenticate again after some passes. (a balance between convenience and security)

In the SAML response sent from IDP to SP, there's an attribute called AuthnInstant that indicates the time at which the user authenticated, check out below link for more information.

https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#authnstatement 

ThingWorx will check this value AuthnInstant in the response against the samlAssertionMaxAuthenticationAge in sso-settings.json to decide whether the authentication is too old or acceptable.

If the IDP authentication happened long time ago, older than the configured setting, this error will occur suggesting the user to logout from IDP and authenticate himself/herself again.

 

Hope that clarifies.

Notify Moderator
Announcements

Contact Community Management
Top Tags