Resolving SSO Error: "The end instant must be greater or equal to the start"

Problem:

SSO (Single Sign-On) fails on iObeya. IdP logs show successful connections. SAML Tracer traces appear to be correct. However, iObeya continues to encounter the following error message: Caused by: java.lang.IllegalArgumentException: The end instant must be greater or equal to the start.

 

Solution:

To resolve this issue, you need to ensure that the value of the "Maximum authentication age" parameter is less than Integer.MAX_VALUE: 2147483647.

 

For further details:

The source of this error message "The end instant must be greater or equal to the start" is related to the SAML parameter "Maximum authentication age" reaching the value of Integer.MAX_VALUE (an excessively high value that causes time calculation failures).

The issue lies within the SAMLUtil class of the spring-security-saml2-core dependency. In this method, the value of "Maximum authentication age" is passed in the forwardInterval parameter as a long type. Then, it is converted to int, and the predefined variable skewInSec=60 is added to call the DateTime#minusSeconds method. Consequently, if the sum of forwardInterval and skewInSec exceeds the integer limit, the result will be closer to Integer.MIN_VALUE (a value less than 0), potentially converting the subtraction into an addition of seconds.

 

If you encounter further issues or require additional assistance, please do not hesitate to contact our support team.

AdministrationApplication
Views: 14