Authentication error due to timestamp in SAML message from IdP
Created On 05/30/19 17:26 PM - Last Modified 02/11/20 22:33 PM
Symptom
- SAML Authentication fails
- From the CLI, the authd debug log records the following entries (to set the authd debug level, run the command debug authentication on debug):
2019-05-30 08:34:37.904 -0700 SAML message from IdP "https://accounts.google.com/o/saml2?idpid=C01si5jpr" (server profile "G-Suite") was created in the future (not_before "2019-05-30T15:56:03.467Z" - max_clock_skew 60 > now Thu May 30 08:34:37 2019
2019-05-30 08:34:37.904 -0700 Error: _parse_sso_response(pan_authd_saml.c:1006): Extract assertion from SAML message from IdP "https://accounts.google.com/o/saml2?idpid=C01si5jpr"
2019-05-30 08:34:37.904 -0700 Error: _handle_request(pan_authd_saml.c:1661): occurs in _parse_sso_response()
2019-05-30 08:34:37.905 -0700 SAML SSO authentication failed for user ''. Reason: SAML web single-sign-on failed. auth profile 'Google-Cloud-Identity', vsys 'vsys1', server profile 'G-Sui
Environment
- PAN-OS 8.0.x version
- PA-200
- Google IdP
Cause
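- The firewall's clock must be synchronized with the clock on the IdP server. In the log above, the assertion's not_before is 15:56:03 UTC while the firewall's own clock reads 08:34:37 -0700 (15:34:37 UTC), a gap far larger than the max_clock_skew of 60, so the firewall treats the SAML message as created in the future and rejects it.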
Resolution
Enable an NTP server on the firewall so that its clock stays synchronized.
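
To confirm from the authd log how far the firewall clock has drifted, the following added example (not part of the original article or of PAN-OS) parses the "created in the future" line shown under Symptom and compares the IdP's not_before with the firewall's own log timestamp. The function name clock_drift is hypothetical, and treating max_clock_skew as seconds is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first authd log line quoted in this article.
SAMPLE = ('2019-05-30 08:34:37.904 -0700 SAML message from IdP '
          '"https://accounts.google.com/o/saml2?idpid=C01si5jpr" '
          '(server profile "G-Suite") was created in the future '
          '(not_before "2019-05-30T15:56:03.467Z" - max_clock_skew 60 '
          '> now Thu May 30 08:34:37 2019')

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'SAML message from IdP "(?P<idp>[^"]+)" '
    r'\(server profile "(?P<profile>[^"]+)"\) was created in the future '
    r'\(not_before "(?P<nb>[^"]+)" - max_clock_skew (?P<skew>\d+)')


def clock_drift(line):
    """Return details of the skew failure, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # The firewall's own idea of "now", taken from the log timestamp.
    local_now = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f %z')
    # The IdP's NotBefore is UTC ("Z"); rewrite it so fromisoformat accepts it.
    not_before = datetime.fromisoformat(m['nb'].replace('Z', '+00:00'))
    skew = timedelta(seconds=int(m['skew']))  # assumption: value is in seconds
    return {
        'idp': m['idp'],
        'server_profile': m['profile'],
        'firewall_behind_by': not_before - local_now,
        'allowed_skew': skew,
        # Same comparison the log line prints: not_before - skew > now.
        'rejected': not_before - skew > local_now,
    }


if __name__ == '__main__':
    r = clock_drift(SAMPLE)
    print(f"{r['server_profile']}: firewall is {r['firewall_behind_by']} "
          f"behind the IdP (allowed {r['allowed_skew']}), "
          f"rejected={r['rejected']}")
```

A drift of minutes rather than a second or two points to the firewall clock being unsynchronized rather than to ordinary network latency.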