[BUG] [FEATURE] SAML error Error: Unable to validate response url: Error: NotBefore / NotOnOrAfter assertion failed #16409
Closed
Description:
From time to time I see the following error in the log file:
```
Jan 31 17:58:10 rocketserv rocket[3757]: Error: Unable to validate response url: Error: NotBefore / NotOnOrAfter assertion failed
Jan 31 17:58:10 rocketserv rocket[3757]:     at app/meteor-accounts-saml/server/saml_server.js:659:13
Jan 31 17:58:10 rocketserv rocket[3757]:     at SAML.validateResponse (app/meteor-accounts-saml/server/saml_utils.js:583:10)
Jan 31 17:58:10 rocketserv rocket[3757]:     at middleware (app/meteor-accounts-saml/server/saml_server.js:657:11)
Jan 31 17:58:10 rocketserv rocket[3757]:     at app/meteor-accounts-saml/server/saml_server.js:704:3
```
I suspect that this is a time discrepancy between SP (Rocket) and IDP (Shibboleth). In our case the SP and IDP use the same local NTP service, so the times should normally match.
Our Rocket runs on an Ubuntu system, timesyncd is configured correctly and also updates the time:
```
$ timedatectl status
      Local time: Sa 2020-02-01 11:40:17 CET
  Universal time: Sa 2020-02-01 10:40:17 UTC
        RTC time: Sa 2020-02-01 10:40:17
       Time zone: Europe/Berlin (CET, +0100)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no
```
The "error" is caused by this patch.
Maybe you could add a small time offset here, so that the Rocket doesn't immediately refuse access if there are slight time differences.
Steps to reproduce:
- login via SAML
- check logfile for error
Expected behavior:
no SAML error
Actual behavior:
Server Setup Information:
- Version of Rocket.Chat Server: 2.4.5
- Operating System: Linux (Ubuntu 16.04 LTS)
- Deployment Method: bundle (self built)
- Number of Running Instances: 1
- DB Replicaset Oplog: yes
- NodeJS Version: 8.17.0
- NPM Version: 6.13.4
- MongoDB Version: 3.6.17
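As an added example (not part of this issue and not Rocket.Chat's own code), the following JavaScript shows the kind of clock-skew tolerance the report asks for: the `NotBefore` / `NotOnOrAfter` attributes of a SAML 2.0 `<Conditions>` element are checked against the SP's clock, but with a configurable allowance for the IdP's clock running slightly ahead or behind. The `<Conditions>` element and the timestamps are constructed for the demonstration (the "now" value mirrors the 17:58:10 CET log entry, i.e. 16:58:10 UTC, with the IdP assumed to be two seconds ahead); the function names and the regex-based attribute extraction are assumptions made for this example, not the project's API. A real validator must verify the response signature and parse the XML with a proper parser before trusting these attributes.

```javascript
// Added example, not Rocket.Chat's code: validate a SAML Conditions window
// with a tolerance for clock skew between SP and IdP.

// Parse an xs:dateTime as used in SAML (ISO 8601, normally UTC with a 'Z').
function parseSamlDateTime(value) {
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) {
    throw new Error(`Invalid SAML dateTime: ${value}`);
  }
  return ms;
}

// Check NotBefore / NotOnOrAfter against `nowMs` (milliseconds since epoch),
// allowing `skewMs` of tolerance in each direction. SAML 2.0 makes the
// assertion invalid if now < NotBefore or now >= NotOnOrAfter; the skew is
// applied so that the SP's clock may be up to `skewMs` behind or ahead.
// Returns { ok: true } or { ok: false, reason }.
function checkConditionsWindow({ notBefore, notOnOrAfter }, nowMs, skewMs = 0) {
  const nowIso = new Date(nowMs).toISOString();
  if (notBefore !== undefined) {
    const nb = parseSamlDateTime(notBefore);
    if (nowMs + skewMs < nb) {
      return { ok: false, reason: `NotBefore: ${nowIso} is before ${notBefore}` };
    }
  }
  if (notOnOrAfter !== undefined) {
    const noa = parseSamlDateTime(notOnOrAfter);
    if (nowMs - skewMs >= noa) {
      return { ok: false, reason: `NotOnOrAfter: ${nowIso} is on/after ${notOnOrAfter}` };
    }
  }
  return { ok: true };
}

// Pull the two attributes off the first <Conditions> element. This regex is
// an illustration only (assumption for the example); a real SP reads the
// attributes from a parsed, signature-verified DOM.
function extractConditions(xml) {
  const m = /<(?:[A-Za-z0-9]+:)?Conditions\b([^>]*)>/.exec(xml);
  if (!m) {
    return {};
  }
  const attrs = m[1];
  const get = (name) => {
    const a = new RegExp(`\\b${name}="([^"]*)"`).exec(attrs);
    return a ? a[1] : undefined;
  };
  return { notBefore: get('NotBefore'), notOnOrAfter: get('NotOnOrAfter') };
}

// Constructed sample: the IdP issued the assertion with its clock 2 s ahead
// of the SP, so NotBefore lies slightly in the SP's future.
const SAMPLE_CONDITIONS =
  '<saml2:Conditions NotBefore="2020-01-31T16:58:12Z" ' +
  'NotOnOrAfter="2020-01-31T17:03:12Z">' +
  '<saml2:AudienceRestriction><saml2:Audience>https://rocket.example/_saml/metadata</saml2:Audience>' +
  '</saml2:AudienceRestriction></saml2:Conditions>';

// SP clock at the moment of the log line (17:58:10 CET == 16:58:10 UTC).
const SP_NOW_MS = Date.parse('2020-01-31T16:58:10Z');

// Run the check without tolerance (what the report sees) and with 120 s.
function demo() {
  const conditions = extractConditions(SAMPLE_CONDITIONS);
  return {
    strict: checkConditionsWindow(conditions, SP_NOW_MS, 0),
    tolerant: checkConditionsWindow(conditions, SP_NOW_MS, 120 * 1000),
    // Even with tolerance, an assertion well past NotOnOrAfter stays rejected.
    expired: checkConditionsWindow(conditions, Date.parse('2020-01-31T17:10:00Z'), 120 * 1000),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Keep the allowance small (libraries such as passport-saml expose it as `acceptedClockSkewMs`, and a minute or two covers any sane NTP-synced deployment): every second of tolerance also widens the window in which a captured assertion can be replayed, so it should be paired with `InResponseTo` checking and one-time use of assertion IDs rather than treated as a substitute for keeping SP and IdP clocks in sync.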