Sean,

This looks like your clock is incorrect.
Use a tool like samltracer to see what is being passed.

You do not want to have large lifetime windows on authentication responses, to 
limit replay attacks.

Ray

On Wed, 2020-11-25 at 10:15 -0800, Sean Day wrote:

Hi,

I have CAS 6.2 configured to authenticate against Azure AD, and I have some users 
that are getting an error:

org.pac4j.saml.exceptions.SAMLAuthnInstantException: Authentication issue instant is too old or in the future

It seems to be browser/PC dependent: if they try a different PC it is OK. The 
assertion seems to be very old in some cases (months old). It only seems to 
affect CAS-based SAML logins though; authenticating against Azure AD directly, 
for O365 for example, works as expected.

I know I can work around this by increasing the setting, but does anyone know why 
I would need to? (I already have it set for about 3 months and need to increase 
it further, and I am guessing I would have to do this again in the future if I 
cannot find the cause.)

Thanks

Sean

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
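
As an added example (not part of the original thread, and not CAS or pac4j code): a small check to run over an assertion copied out of a SAML tracing tool, comparing `IssueInstant` (when the assertion was issued) and `AuthnInstant` (when the user authenticated at the IdP) against the local clock, to tell a clock problem apart from an old sign-in being reported. The function names, the `max_lifetime_s` and `skew_s` defaults and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not captured traffic): issued moments ago, but
# its AuthnStatement records a sign-in from months earlier.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2020-11-25T18:10:02.345Z">
  <saml:Conditions NotBefore="2020-11-25T18:05:02.345Z"
                   NotOnOrAfter="2020-11-25T19:10:02.345Z"/>
  <saml:AuthnStatement AuthnInstant="2020-08-20T09:12:44.120Z"/>
</saml:Assertion>"""

def ts(value):
    """SAML timestamps are UTC; drop fractional seconds before parsing."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, max_lifetime_s=3600, skew_s=300):
    """Classify AuthnInstant the way a lifetime check would (assumed limits)."""
    # The input here is a constructed string; parse XML captured from
    # untrusted sources with a hardened parser instead.
    assertion = next(ET.fromstring(xml_text).iter("{%s}Assertion" % SAML_NS))
    issued = ts(assertion.get("IssueInstant"))
    authn = ts(assertion.find("{%s}AuthnStatement" % SAML_NS).get("AuthnInstant"))
    skew = timedelta(seconds=skew_s)
    if authn > now + skew:
        verdict = "authn-in-future"
    elif authn < now - timedelta(seconds=max_lifetime_s) - skew:
        verdict = "authn-too-old"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "issue_age_s": int((now - issued).total_seconds()),
        "authn_age_s": int((now - authn).total_seconds()),
        # A fresh IssueInstant that is far from local time points at the
        # local clock rather than at the age of the sign-in.
        "local_clock_suspect": abs(now - issued) > skew,
    }

if __name__ == "__main__":
    print(check_assertion(SAMPLE, datetime.now(timezone.utc)))
```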
