Authentication error due to timestamp in SAML message from IdP

Created On 05/30/19 17:26 PM - Last Modified 02/11/20 22:33 PM


Symptom


  • SAML Authentication fails
  • From the CLI, the authd debug log records the following entries (to set the authd debug level, run the command debug authentication on debug):
2019-05-30 08:34:37.904 -0700 SAML message from IdP "https://accounts.google.com/o/saml2?idpid =C01si5jpr" (server profile "G-Suite") 
was created in the future (not_before "2019-05-30T15:56:03.467Z" - max_clock_skew 60 > now Thu May 30 08:34:37 2019

2019-05-30 08:34:37.904 -0700 Error:  _parse_sso_response(pan_authd_saml.c:1006): Extract assertion from SAML message from IdP 
"https://accounts.google.com/o/saml2?idpid=C01si5jpr"

2019-05-30 08:34:37.904 -0700 Error:  _handle_request(pan_authd_saml.c:1661): occurs in _parse_sso_response()

2019-05-30 08:34:37.905 -0700 SAML SSO authentication failed for user ''.  Reason: SAML web single-sign-on failed. 
auth profile 'Google-Cloud-Identity', vsys 'vsys1', server profile 'G-Sui

 


Environment


  • PAN-OS 8.0.x version
  • PA-200
  • Google IdP


Cause


  • The time on the firewall must be synchronized with the time on the IdP server
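
To confirm the cause from the log itself, the following added example (not part of the original article and not vendor code) parses the "created in the future" line and reports how far the firewall clock trails the assertion's not_before value. It assumes the IdP clock is correct; the function and variable names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Log line from the Symptom excerpt, rejoined onto one line.
SAMPLE = (
    '2019-05-30 08:34:37.904 -0700 SAML message from IdP '
    '"https://accounts.google.com/o/saml2?idpid=C01si5jpr" (server profile "G-Suite") '
    'was created in the future (not_before "2019-05-30T15:56:03.467Z" '
    '- max_clock_skew 60 > now Thu May 30 08:34:37 2019'
)

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) '
    r'.*?not_before "(?P<nb>[^"]+)" - max_clock_skew (?P<skew>\d+)'
)

def parse_utc(value):
    """Parse a SAML UTC timestamp with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognized SAML timestamp: {value!r}")

def clock_lag(line):
    """Return (lag, allowed_skew) for a 'created in the future' line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # The log prefix is the firewall's own clock, including its UTC offset.
    fw_now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
    lag = parse_utc(m["nb"]) - fw_now
    return lag, timedelta(seconds=int(m["skew"]))

def exceeds_skew(line):
    """True when the assertion's not_before is further ahead than the skew allows."""
    result = clock_lag(line)
    return result is not None and result[0] > result[1]

if __name__ == "__main__":
    lag, allowed = clock_lag(SAMPLE)
    print(f"firewall clock trails not_before by {lag} (allowed skew {allowed})")
    print("clock drift is the cause" if exceeds_skew(SAMPLE) else "within allowed skew")
```

For the log line above, the firewall clock is more than 21 minutes behind not_before, far outside the 60-second max_clock_skew.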


Resolution


Enable an NTP server on the firewall.
