This repository was archived by the owner on May 17, 2021. It is now read-only.

Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is earlier than NotBefore condition #46

Open
varenius opened this issue Jan 26, 2020 · 1 comment


varenius commented Jan 26, 2020

Hello,
I am trying to configure Redmine to use this plugin with my university login service.

Environment:
  Redmine version                4.0.5.stable
  Ruby version                   2.5.5-p157 (2019-03-15) [x86_64-linux-gnu]
  Rails version                  5.2.3

I go to my redmine login page, then click the link to log in with SAML, get to the University server and provide my details, and press enter. Then I get the message "Invalid saml_ticket". Looking in "/var/log/apache2/error.log" I see the following lines appear:

App 24371 stdout: I, [2020-01-26T10:39:22.407507 #24371]  INFO -- omniauth: (saml) Request phase initiated.
App 24371 stdout: I, [2020-01-26T10:39:22.511633 #24371]  INFO -- omniauth: (saml) Callback phase initiated.
App 24371 stdout: E, [2020-01-26T10:39:22.523927 #24371] ERROR -- omniauth: (saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is earlier than NotBefore condition

So, google to the rescue... According to "https://github.com/onelogin/ruby-saml#clock-drift" there is an option

To allow for a small amount of clock drift, you can initialize the response by passing in an option named :allowed_clock_drift.

I have tried to log in many times, and sometimes I don't get this error, so I think the allowed time is just a bit too small. I would like to increase it to avoid this error. An example is given at the page, but I don't see how I can apply this to the redmine_omniauth_saml plugin. Could you please advise?
Kind regards
Eskil

@varenius
Author

This happened again, so trying to track this backwards to figure out where to add the allowed_clock_drift parameter to make it work.

Error seems raised by line 219 in vendor/bundle/ruby/2.5.0/gems/ruby-saml-0.9.4/lib/onelogin/ruby-saml/response.rb :

        if not_before && (now + (options[:allowed_clock_drift] || 0)) < not_before

For now, I'll just hack this temporarily to make it work, i.e. replace this line with

        if not_before && (now + 1.second + (options[:allowed_clock_drift] || 0)) < not_before

This is definitely not the proper place to add this, but it seems to work for now.
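The NotBefore comparison quoted in the comment above, reproduced as a stand-alone Ruby check on constructed timestamps (an added example, not code from ruby-saml, the plugin or the issue author). `check_conditions`, `MAX_DRIFT`, the sample times and the way NotOnOrAfter is handled are assumptions made for illustration; it shows that a 1-second drift does the same as the `+ 1.second` edit, and that the same tolerance also accepts an assertion slightly past its expiry.

```ruby
require 'time'

# Hypothetical helper, not ruby-saml code. Mirrors the quoted comparison
#   (now + (options[:allowed_clock_drift] || 0)) < not_before
# and, as an assumption, applies the same tolerance to NotOnOrAfter.
MAX_DRIFT = 5 # seconds; assumed ceiling so the tolerance stays small

def check_conditions(not_before:, not_on_or_after:, now:, allowed_clock_drift: 0)
  drift = allowed_clock_drift || 0
  unless (0..MAX_DRIFT).cover?(drift)
    raise ArgumentError, "drift must be between 0 and #{MAX_DRIFT} seconds"
  end

  nb  = not_before && Time.iso8601(not_before)
  noa = not_on_or_after && Time.iso8601(not_on_or_after)

  # Service provider clock is behind the identity provider: assertion looks "from the future".
  return :not_yet_valid if nb && (now + drift) < nb
  # The tolerance cuts both ways: it also extends acceptance past the expiry time.
  return :expired if noa && now >= (noa + drift)

  :ok
end

# Constructed sample: the IdP stamped the assertion about 0.4 s ahead of the SP clock.
SAMPLE = {
  not_before:      '2020-01-26T10:39:22.900Z',
  not_on_or_after: '2020-01-26T10:44:22.900Z'
}.freeze

SP_NOW_EARLY = Time.iso8601('2020-01-26T10:39:22.523Z') # just before NotBefore
SP_NOW_LATE  = Time.iso8601('2020-01-26T10:44:23.500Z') # just after NotOnOrAfter

def demo_results
  {
    early_no_drift: check_conditions(**SAMPLE, now: SP_NOW_EARLY),
    early_drift_1s: check_conditions(**SAMPLE, now: SP_NOW_EARLY, allowed_clock_drift: 1),
    late_no_drift:  check_conditions(**SAMPLE, now: SP_NOW_LATE),
    late_drift_1s:  check_conditions(**SAMPLE, now: SP_NOW_LATE, allowed_clock_drift: 1)
  }
end

p demo_results if __FILE__ == $PROGRAM_NAME
```

Keeping the service provider's clock synchronized (for example with NTP) addresses the cause; the drift value only sets how much remaining skew is tolerated.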
