GlobalProtect users authentication through SAML failing.

Created On 02/06/24 08:43 AM - Last Modified 02/06/24 08:49 AM


Symptom


Authd logs show the SAML message from the IdP being rejected as created in the future, followed by a web SSO failure and a SAML SSO failure:

2024-01-31 08:10:31.353 +0000 SAML message from IdP "https://sts.windows.net/xxxxxxxxxxxxxxx/" (server profile "xxxxxx") was created in the future (not_before "2024-01-31T08:11:32.678Z" - max_clock_skew 60 > now Wed Jan 31 08:10:31 2024 )


2024-01-31 08:10:31.353 +0000 SAML SSO authentication failed for user ''. Reason: SAML web single-sign-on failed. auth profile 'xxxxxxx', vsys 'vsys1', server profile 'xxxxxxxx', IdP entityID 'https://sts.windows.net/xxxxxxxxxxxxxx/', reply message 'SAML single-sign-on failed' From: x.x.x.x.


2024-01-31 08:10:31.353 +0000 debug: _log_saml_respone(pan_auth_server.c:402): Sent PAN_AUTH_FAILURE SAML response:(authd_id: xxxxxxxxxxxx) (SAML err code "2" means SSO failed) (auth profile 'xxxxxxxxxxxx') (reply msg 'SAML single-sign-on failed') (NameID 'user-name@domain.com') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')
 


Environment


GlobalProtect user authentication is SAML based.

Cause


The skew time in SAML server profile is the maximum acceptable time difference in seconds between the IdP and firewall system times at the moment when the firewall validates a message that it receives from the IdP (range is 1 to 900; default is 60). If the time difference exceeds this value, the validation (and thus authentication) fails.

In the logs above, the firewall's timestamp when the IdP response is received is 08:10:31, whereas the IdP's not_before timestamp is 08:11:32. That is a difference of 61 seconds, 1 second more than the default skew time of 60, so the validation and therefore the authentication fail.
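The following is an added Python illustration of the check described above, not Palo Alto Networks code: it reads the NotBefore/NotOnOrAfter attributes from a constructed SAML assertion fragment and applies the rule quoted in the log, not_before - max_clock_skew > now, so that the 61-second gap from the example fails with the default skew of 60 and passes with a larger skew.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: only <Conditions> matters for this check.
# NotBefore is the value from the log above; NotOnOrAfter is made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-31T08:11:32.678Z"
                   NotOnOrAfter="2024-01-31T09:11:32.678Z"/>
</saml:Assertion>"""

# Firewall clock at the moment of the log entry (08:10:31.353 UTC), 61 s behind NotBefore.
FIREWALL_NOW = datetime(2024, 1, 31, 8, 10, 31, 353000, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value}")


def check_conditions(assertion_xml, now, max_clock_skew=60):
    """Return (ok, reason). Rejects when not_before - max_clock_skew > now
    (the 'created in the future' case from the log) and, symmetrically,
    when not_on_or_after + max_clock_skew <= now (expired)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element in assertion"
    skew = timedelta(seconds=max_clock_skew)
    not_before = cond.get("NotBefore")
    if not_before is not None and parse_saml_time(not_before) - skew > now:
        return False, (f"created in the future (not_before {not_before} - "
                       f"max_clock_skew {max_clock_skew} > now {now:%Y-%m-%dT%H:%M:%SZ})")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None and parse_saml_time(not_on_or_after) + skew <= now:
        return False, f"expired (not_on_or_after {not_on_or_after} + max_clock_skew {max_clock_skew} <= now)"
    return True, "conditions satisfied"


if __name__ == "__main__":
    print(check_conditions(SAMPLE_ASSERTION, FIREWALL_NOW))                       # default skew 60: rejected
    print(check_conditions(SAMPLE_ASSERTION, FIREWALL_NOW, max_clock_skew=120))   # skew 120: accepted
```

Raising the skew masks the symptom; the reason line makes the clock offset visible so it can be fixed at the source with NTP.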


Resolution


Adjust the skew time in the SAML server profile, or make sure the firewall and the IdP server are time-synchronized using NTP.
