Issue
I am not able to log in to my Jenkins instance using SAML for security authentication. The following stack trace can be seen after trying to log in:
Current assertion validation failed, continue with the next one org.pac4j.saml.exceptions.SamlException: Authentication issue instant is too old or in the future
Resolution
This type of message can be related to:
- The system clocks on the machine running the Jenkins server and the machine running the Identity Provider (IdP) are out of sync.
- The user's token has expired.
- The maximum authentication time configured in the SAML client (the Jenkins SAML plugin) is shorter than the period for which the SAML IdP keeps a user's authentication active. The maximum authentication time is the number of seconds, counted from the moment the user authenticated at the IdP, during which that authentication is still considered current by the client.
Sync servers
To check whether the servers are in sync, ssh into each of them and compare the output of date in their respective terminals. The timezone is not relevant here (UTC is recommended, though); what matters is the instant itself: if the servers use different timezones, the values should match once converted to a common timezone. Running date with its UTC option on both hosts avoids the conversion step.
If they are not in sync, install the Network Time Protocol daemon (ntpd), a service that synchronizes networked servers to Coordinated Universal Time (UTC). NTP compensates for network latency when synchronizing against accurate time servers.
How to install NTPD
Notes:
- Install NTPD on each of the machines running the services being integrated: the IdP as well as Jenkins in this case.
- If you install the NTP service after the IdP or Jenkins has already been installed on your network, restart the IdP or Jenkins service once NTP has been successfully installed and the clock has been corrected.
Maximum authentication time
Different SAML IdPs keep users' logins active for different periods of time.
The SAML plugin's default value is 1 day (24 h x 60 min x 60 s = 86400 s). At the time of writing (SAML plugin version 0.13), the maximum value allowed is 24 days (24 days x 24 h x 60 min x 60 s = 2073600 s). To update it, go to Jenkins > Configure Global Security > Security Realm > SAML Identity Provider Settings and set Maximum Authentication Lifetime. Note that raising this value widens the window in which an older IdP authentication is accepted, so set it no higher than the IdP's session lifetime requires.
The next release of the SAML plugin will address this by making the forceAuthn parameter (the SAML ForceAuthn request attribute) or the session timeout configurable; see JENKINS-38971.
In the meantime, for SAML IdPs that keep users logged in for more than 24 days, like Microsoft Entra ID (formerly Azure AD), whose default is 90 days (see JENKINS-37289), there are two possible workarounds:
- On the IdP side, decrease the time users stay logged in to a value below 24 days.
- Delete the browser cookies and log in again. This forces a fresh authentication at the IdP, so the next assertion carries a current authentication instant; it only helps until the new IdP session again outlives the configured lifetime.
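The clock-skew cause and the maximum-authentication-time cause trip the same check: the AuthnInstant in the assertion's AuthnStatement must be neither ahead of the Jenkins clock nor older than the configured lifetime. The script below is an added diagnostic written for this article; it is not code from the Jenkins SAML plugin or from pac4j. Its validity rule (now - (lifetime + accepted skew) < AuthnInstant < now + accepted skew) is the editor's reading of the pac4j validator and should be confirmed against the plugin version in use, and the SAML Response it parses is constructed inline. To run it on a real failure, base64-decode the SAMLResponse form field captured in the browser, pass that XML, and use the Jenkins host's current UTC time as `now`.

```python
"""Diagnose why the SAML plugin (via pac4j) rejects an assertion's AuthnInstant.

Added example for this article; not the plugin's or pac4j's own code.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

DEFAULT_LIFETIME = 86400      # plugin default: 1 day (value from the article)
MAX_LIFETIME_V013 = 2073600   # cap in SAML plugin 0.13: 24 days (value from the article)

# Fixed "current time" used by the demo below so results are reproducible offline.
DEMO_NOW = datetime(2016, 10, 12, 8, 15, 35, tzinfo=timezone.utc)


def parse_saml_time(value: str) -> datetime:
    """Parse an xsd:dateTime as SAML emits it: UTC ('Z'), optional fractional seconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z", value)
    if not m:
        raise ValueError(f"unsupported SAML timestamp: {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def authn_instant_valid(authn_instant: datetime, now: datetime,
                        max_lifetime: int = DEFAULT_LIFETIME, accepted_skew: int = 0) -> str:
    """Model of pac4j's date check (editor's assumption, not the library's code):
    the instant must satisfy now - (max_lifetime + skew) < instant < now + skew.
    Returns 'ok', 'too old' or 'in the future'."""
    if authn_instant >= now + timedelta(seconds=accepted_skew):
        return "in the future"
    if authn_instant <= now - timedelta(seconds=max_lifetime + accepted_skew):
        return "too old"
    return "ok"


def diagnose(saml_response_xml: str, now: datetime,
             max_lifetime: int = DEFAULT_LIFETIME, accepted_skew: int = 0) -> dict:
    """Read AuthnInstant from the first AuthnStatement and explain the verdict."""
    root = ET.fromstring(saml_response_xml)
    stmt = root.find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None:
        raise ValueError("no saml:AuthnStatement in response")
    instant = parse_saml_time(stmt.attrib["AuthnInstant"])
    age = int((now - instant).total_seconds())  # negative when the IdP clock is ahead
    verdict = authn_instant_valid(instant, now, max_lifetime, accepted_skew)
    if verdict == "in the future":
        advice = (f"AuthnInstant is {-age} s ahead of this clock: "
                  "check NTP on the Jenkins and IdP hosts")
    elif verdict == "too old" and age < MAX_LIFETIME_V013:
        advice = (f"raise Maximum Authentication Lifetime above {age} s "
                  f"(cap in plugin 0.13 is {MAX_LIFETIME_V013} s)")
    elif verdict == "too old":
        advice = (f"age {age} s exceeds the {MAX_LIFETIME_V013} s cap: shorten the IdP "
                  "session lifetime below 24 days, or clear browser cookies and log in again")
    else:
        advice = "AuthnInstant passes this check"
    return {"authn_instant": instant, "age_seconds": age, "verdict": verdict, "advice": advice}


def build_response(authn_instant: str, issue_instant: str) -> str:
    """Constructed minimal SAML Response for illustration (not a real IdP capture; unsigned)."""
    return f"""<samlp:Response xmlns:samlp="{SAML_NS['samlp']}" xmlns:saml="{SAML_NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{issue_instant}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue_instant}">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Entra ID-style case: the IdP session began 90 days ago, so AuthnInstant is 90 days old.
    print(diagnose(build_response("2016-07-14T08:15:30Z", "2016-10-12T08:15:30Z"), DEMO_NOW))
    # Clock-skew case: the IdP clock runs almost five minutes ahead of the Jenkins host.
    print(diagnose(build_response("2016-10-12T08:20:30Z", "2016-10-12T08:20:30Z"), DEMO_NOW))
    # Two-day-old session: fails at the default lifetime, passes at the 0.13 cap.
    two_days = build_response("2016-10-10T08:00:00Z", "2016-10-12T08:15:30Z")
    print(diagnose(two_days, DEMO_NOW)["advice"])
    print(diagnose(two_days, DEMO_NOW, max_lifetime=MAX_LIFETIME_V013)["verdict"])
```

The 90-day case reproduces the Entra ID situation from the article: even the 2073600 s cap cannot admit it, so only the IdP-side or cookie workaround applies. A negative `age_seconds` points at the clocks rather than the lifetime setting, which is the "in the future" half of the error message.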