Authentication Statement is Too Old to be Used Error Occurs During SSO Login When Engine Configured in Data Control Tower (formerly Central Management) (KBA6966)
KBA# 6966
Issue
Engines configured in Data Control Tower (DCT), formerly Central Management, default to SSO authentication, which is handled using the Delphix IdP as an intermediary (SP broker). When accessing an Engine configured in DCT, the following error may be encountered (the dates and times shown will vary based on when the issue is observed):
Error Status: 400 BAD_REQUEST
Error: Bad Request
Message: Validation Errors: 1. Authentication statement is too old to be used with value: '2021-01-21T14:05:50.227Z' current time: '2021-01-21T18:10:11.006Z'
In this condition, the user will not be able to directly access the Engines, though the dataservices.delphix.com interface will continue to function as expected.
Prerequisites
- The Engine is configured in Data Control Tower.
- The user in question has been frequently active in Data Control Tower (dataservices.delphix.com).
Applicable Delphix Versions
Major Release: All Sub Releases
- 6.0: 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0
- 5.3: 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
Resolution
The behavior discussed here ultimately results from the frequency of user activity. The Delphix IdP is configured with a session timeout of 4 hours, which is expected to accommodate the majority of use cases. When this session timeout expires, the user is required to log in to dataservices.delphix.com again, which creates a new authentication statement and session time.
If a given user is continually active in DCT and the 4-hour session timeout never lapses, the difference between the current clock time and the session start time will exceed four hours, and the error will be encountered.
If encountered, this issue can be resolved by explicitly logging out of Data Control Tower by clicking the username in the upper right-hand corner, then selecting Sign Out.
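To confirm that a reported 400 error matches the condition described above, the two timestamps in the message can be compared against the 4-hour window. The following is an added example, not Delphix code; the function names and return labels are hypothetical, and the second sample message is constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# 4-hour session timeout, as stated in this article for the Delphix IdP.
IDP_SESSION_TIMEOUT = timedelta(hours=4)

# Matches the validation error text quoted in the Issue section.
_ERR = re.compile(
    r"Authentication statement is too old to be used with value: "
    r"'(?P<issued>[^']+)' current time: '(?P<now>[^']+)'"
)

def _parse_utc(stamp):
    # The error reports ISO 8601 UTC timestamps with milliseconds and a Z suffix.
    parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)

def statement_age(message):
    """Return the age of the authentication statement, or None if the
    text does not contain this error."""
    m = _ERR.search(message)
    if m is None:
        return None
    return _parse_utc(m["now"]) - _parse_utc(m["issued"])

def triage(message):
    """Classify an error message (hypothetical labels)."""
    age = statement_age(message)
    if age is None:
        return "no-match"      # some other error entirely
    if age >= IDP_SESSION_TIMEOUT:
        return "kba6966"       # statement outlived the window: Sign Out, log in again
    return "investigate"       # younger than 4 hours: not the condition in this KBA

# Message text taken from the Issue section of this article.
KBA_SAMPLE = ("Validation Errors: 1. Authentication statement is too old to be "
              "used with value: '2021-01-21T14:05:50.227Z' "
              "current time: '2021-01-21T18:10:11.006Z'")
# Constructed sample: same error text, but the statement is only one hour old.
YOUNG_SAMPLE = KBA_SAMPLE.replace("14:05:50.227Z", "17:10:11.006Z")

if __name__ == "__main__":
    for text in (KBA_SAMPLE, YOUNG_SAMPLE, "Error 500"):
        print(triage(text), statement_age(text))
```

For the message quoted in the Issue section, the statement is 4 hours, 4 minutes and 20.779 seconds old, which is past the 4-hour timeout.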
Related Articles
The following articles may provide more information or related information to this article:
- Delphix Documentation - DCT Introduction
- Delphix Documentation - DCT Advanced Authentication and Authorization Mechanisms