Issue:
OIF 11g partners are running out of sync in the time.
That let's fail the federation with the error message: "AuthnResponse failed validation due to an invalid condition related to time".
Available solutions to fix the issue.
Solution 1: Solution Make sure that all the OIF partners are timely in sync.
Solution 2: But as a complete time sync accross all OIF partners could be challenging to accomplishand and verify, then there is actually this ... :
ER 16906719 - FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMLY IN SYNC - CLOCKS SKEW NEEDED
... that has been implemented, and which allows now to set a time clockdrift delta for the times on the SAML Assertion Conditions->NotBefore
The ER (Enhancement Request) bug is implemented only in 11.1.2.2.0 (11gR2 PS2).
So, the OAM/OIF Federation 11.1.2.2.0 has been enhanced to support setting outgoing clock drift adjustment, using WLST command updatePartnerProperty with "senderserverclockdrift" property.
The relevant documentation the WLST command as for this 11.1.2.2.0 release is available at : http://docs.oracle.com/cd/E40329_01/web.1112/e28155/custom_infra_security.htm#CHDEECBH
PS: Oracle Support strongly suggests and recommends the customers to move to the newer releases versions of the products as they use, and thus to benefit to the new available features as well as known bugs fixes.
Solution 3: If you cannot really move or plan to upgrade to OIF 11gR2PS2 for now, but still desperately need this ER fix, then an One-Off patch for the ER (Enhancement Request) bug 16906719 backport as on top of OIF 11gR1 11.1.1.6.0 has been completed.
The patch 16906719 is available from My Oracle Support as per patch 16906719
--> Patch 16906719: FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMELY IN SYNC - CLOCKS SKEW NEEDED (Patch)
p16906719_111160_Generic.zip 59.2 KB
So, if you use the exact release of OIF 11gR1 11.1.1.6.0 version and still would like the fix of this, then please download Patch 16906719 and review the patch README file as included in the zip for patch installation.
Please test this on your testing environment, before moving it to Production environment.
As per this patch 16906719, the OIF 11gR1 11.1.1.6.0 is enhanced with the backport of this bug in order to support setting outgoing clock drift adjustment, using the below WLST command to configure OIF 11.1.1.6.0 :
- setConfigProperty("serverconfig", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
for OIF global setting, replace VALUE_IN_SECONDS by the value in seconds
- setFederationProperty("PROVIDER_ID", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
replace VALUE_IN_SECONDS by the value in seconds and PROVIDER_ID by the partner's ProviderID
Test case:
- set up Fed SSO for SAML2.0
- configure IdP using the WLST commands listed above
- at SP, go to test sp sso
- perform Fed SSO with IdP
- in the result, see the SAML assertion
- look for Conditions->NotBefore
Without fix it will be equals to IssueInstant (in Assertion)
With fix it will be equals to IssueInstant (in Assertion) minus senderserverclockdrift
PS: This patch is only applicable to OIF 11gR1 11.1.1.6.0 and you might need to double-check with possible patches conflict (as if you might have other existing OIF 11gR1 patches as running on the same environment).
4)* If you use any other OIF 11gR1 11.1.1.x (other than the OIF 11.1.1.6.0), then there is currently no other patch available on the same for OIF 11.1.1.x, and thus you would need to double check with OIF product support team on any further specific request on the same.
But still, the best option and recommended solution is to really move to newer version of OAM/OIF 11gR2PS2 11.1.2.2.0 and/or any later/newer version coming after it.
Thanks
Siva Pokuri
OIF 11g partners are running out of sync in the time.
That let's fail the federation with the error message: "AuthnResponse failed validation due to an invalid condition related to time".
Available solutions to fix the issue.
Solution 1: Solution Make sure that all the OIF partners are timely in sync.
Solution 2: But as a complete time sync accross all OIF partners could be challenging to accomplishand and verify, then there is actually this ... :
ER 16906719 - FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMLY IN SYNC - CLOCKS SKEW NEEDED
... that has been implemented, and which allows now to set a time clockdrift delta for the times on the SAML Assertion Conditions->NotBefore
The ER (Enhancement Request) bug is implemented only in 11.1.2.2.0 (11gR2 PS2).
So, the OAM/OIF Federation 11.1.2.2.0 has been enhanced to support setting outgoing clock drift adjustment, using WLST command updatePartnerProperty with "senderserverclockdrift" property.
The relevant documentation the WLST command as for this 11.1.2.2.0 release is available at : http://docs.oracle.com/cd/E40329_01/web.1112/e28155/custom_infra_security.htm#CHDEECBH
PS: Oracle Support strongly suggests and recommends the customers to move to the newer releases versions of the products as they use, and thus to benefit to the new available features as well as known bugs fixes.
Solution 3: If you cannot really move or plan to upgrade to OIF 11gR2PS2 for now, but still desperately need this ER fix, then an One-Off patch for the ER (Enhancement Request) bug 16906719 backport as on top of OIF 11gR1 11.1.1.6.0 has been completed.
The patch 16906719 is available from My Oracle Support as per patch 16906719
--> Patch 16906719: FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMELY IN SYNC - CLOCKS SKEW NEEDED (Patch)
p16906719_111160_Generic.zip 59.2 KB
So, if you use the exact release of OIF 11gR1 11.1.1.6.0 version and still would like the fix of this, then please download Patch 16906719 and review the patch README file as included in the zip for patch installation.
Please test this on your testing environment, before moving it to Production environment.
As per this patch 16906719, the OIF 11gR1 11.1.1.6.0 is enhanced with the backport of this bug in order to support setting outgoing clock drift adjustment, using the below WLST command to configure OIF 11.1.1.6.0 :
- setConfigProperty("serverconfig", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
for OIF global setting, replace VALUE_IN_SECONDS by the value in seconds
- setFederationProperty("PROVIDER_ID", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
replace VALUE_IN_SECONDS by the value in seconds and PROVIDER_ID by the partner's ProviderID
Test case:
- set up Fed SSO for SAML2.0
- configure IdP using the WLST commands listed above
- at SP, go to test sp sso
- perform Fed SSO with IdP
- in the result, see the SAML assertion
- look for Conditions->NotBefore
Without fix it will be equals to IssueInstant (in Assertion)
With fix it will be equals to IssueInstant (in Assertion) minus senderserverclockdrift
PS: This patch is only applicable to OIF 11gR1 11.1.1.6.0 and you might need to double-check with possible patches conflict (as if you might have other existing OIF 11gR1 patches as running on the same environment).
4)* If you use any other OIF 11gR1 11.1.1.x (other than the OIF 11.1.1.6.0), then there is currently no other patch available on the same for OIF 11.1.1.x, and thus you would need to double check with OIF product support team on any further specific request on the same.
But still, the best option and recommended solution is to really move to newer version of OAM/OIF 11gR2PS2 11.1.2.2.0 and/or any later/newer version coming after it.
Thanks
Siva Pokuri
