Prisma cloud compute: SAML authentication failed 500 internal server error assertion is not yet valid

Created On 07/30/24 18:03 PM - Last Modified 02/06/25 18:36 PM


Symptom


Authentication fails when the time on the Prisma Cloud Compute pod/node has drifted by more than 5 minutes from the load balancer/Kerberos server/SAML server.

Output from the console.logs:

DEBU 2024-07-30T17:04:28.029 route_handler.go:3256 Authenticating saml user type: otherProvider
ERRO 2024-07-30T17:04:28.046 route_handler.go:3308 Failed to authenticate using authentication endpoint, error: failed to check if saml user exists: assertion is not yet valid
ERRO 2024-07-30T17:04:28.047 route_handler.go:14504 Operation failed: uri=/api/v1/authenticate; error=failed to check if saml user exists: assertion is not yet valid

 



Environment


  • Prisma cloud SaaS
  • Prisma Cloud Compute self-hosted


Cause


This error occurs when the time on the Kerberos server/SAML authentication server has drifted by more than 5 minutes from the time on the Prisma Cloud Compute pod/node.

Resolution


  1. Verify that the time difference between the Prisma Cloud Compute pod/node and the SAML authentication server is >5 mins.
  2. Verify the time on the NTP server/Kerberos server/SAML authentication server.
  3. Use an NTP server for both sides, i.e. Prisma Cloud Compute and the SAML authentication server, to resolve the issue.
  4. Alternatively, adjust the time with the 'date' command on the Prisma Cloud Compute pod so that it matches the SAML authentication server.
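
To measure the drift in step 1 from the identity provider's side, the following added example (not Palo Alto Networks code) reads the validity window from a captured SAMLResponse and compares it with the pod's clock. The function names, the sample response and the 5-minute tolerance (modelled on the threshold this article states) are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_SKEW = timedelta(minutes=5)  # assumption: mirrors the ">5 mins" threshold in this article

# Constructed sample: an IdP whose clock runs ahead of the pod issues this response.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion IssueInstant="2024-07-30T17:10:40Z">
    <saml:Conditions NotBefore="2024-07-30T17:10:40Z" NotOnOrAfter="2024-07-30T17:15:40Z"/>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-07-30T17:10:40Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_window(saml_response_b64, now, skew=ALLOWED_SKEW):
    """Return (verdict, seconds the given clock is behind NotBefore)."""
    # Diagnostic only: no signature validation. Input is the base64 SAMLResponse
    # form field (HTTP-POST binding) from a login you captured yourself.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    cond = root.find(".//saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion carries no NotBefore/NotOnOrAfter window")
    not_before = _ts(cond.get("NotBefore"))
    not_after = _ts(cond.get("NotOnOrAfter"))
    behind = (not_before - now).total_seconds()
    if now + skew < not_before:
        return "not yet valid", behind   # receiver clock is too far behind the IdP
    if now - skew >= not_after:
        return "expired", behind         # receiver clock is too far ahead of the IdP
    return "valid", behind

if __name__ == "__main__":
    # Constructed pod clock: the timestamp of the log lines above, treated as UTC.
    pod_clock = datetime(2024, 7, 30, 17, 4, 28, tzinfo=timezone.utc)
    print(check_window(SAMPLE_B64, pod_clock))
```

Run it on the pod or node with `datetime.now(timezone.utc)` as the clock; a large positive second value means the pod is behind the SAML server, a large negative one means it is ahead.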

