Engine User Login Fails With "400 BAD_REQUEST" and "Issue time is either too old or in the future" When SSO is Enabled (KBA7706)
KBA# 7706
Issue
In Environments configured to use Single Sign-On (SSO) authentication for Engine users, the following event may be encountered during a login attempt:
Error Status: 400 BAD_REQUEST
Error: Bad Request
Message: Validation Errors: 1. Issue time is either too old or in the future: <date and timestamp>
This behavior will affect all Admin users, though System Setup will still be accessible for Sysadmin users.
Prerequisites
This event will only occur in SSO-enabled Engines (either via explicit SSO configuration or via Delphix Data Control Tower (DCT)).
Engine configurations using local authentication only would not be expected to encounter this behavior.
Applicable Delphix Versions
Major Release: All Sub Releases
- 6.0: 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0
- 5.3: 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
Resolution
The error is ultimately the result of a time difference between the affected Engine(s) and the user-configured IdP. This can occur when an Engine does not use NTP, when the IdP and/or Engine NTP server configurations are incorrect or not functional, or after a system time change on the Engine.
To correct this issue, compare the Engine time with the IdP time and adjust it accordingly. If NTP is not in use, enabling it is strongly recommended as a proactive measure to prevent excessive time drift.
Modifications to the Engine time, either by manually changing the system time or by updating the NTP server, will temporarily interrupt the GUI and CLI interfaces as the software services are restarted. This will not impact running VDBs, and the interruption is indicated in the GUI when committing the configuration change.
Additionally, consider increasing the allowable time drift / skew in the Engine. The default SSO time drift / skew allowed by the Delphix Engine IdP configuration is 2 minutes. In Delphix Engine versions 6.0.7.0 and later, this can be modified in the Authentication configuration interface under System Setup. In this panel, expanding the Advanced drop-down exposes the following parameters:
- Response skew time - maximum allowable time difference between the SAML response and the Engine's current time.
- Maximum age of IdP authentication - allowable time in the past to accept authentication to the IdP.
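One way to measure the drift from a SAML response you have captured during a failed login, as an added example that is not Delphix code: it compares the response's IssueInstant with the Engine clock using the 2-minute default skew noted above, and optionally checks the authentication age. The sample XML, the function names and the `max_auth_age` value are constructed for illustration, and the comparison logic is an assumption about how such a check typically works, not the Engine's implementation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from a real IdP), trimmed to the time fields only.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-15T10:05:30Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:05:30Z">
    <saml:AuthnStatement AuthnInstant="2024-01-15T09:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix), with optional fractional seconds."""
    base, _, frac = value.strip().rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    # Some IdPs emit more than 6 fractional digits; keep microsecond precision.
    return dt + timedelta(microseconds=int((frac + "000000")[:6])) if frac else dt


def check_response(xml_text, engine_now, skew=timedelta(minutes=2), max_auth_age=None):
    """Diagnostic only: reads timestamps, performs no signature verification."""
    root = ET.fromstring(xml_text)
    issued = parse_instant(root.attrib["IssueInstant"])
    # Positive offset: the IdP timestamp is ahead of the Engine clock.
    offset = (issued - engine_now).total_seconds()
    result = {"offset_seconds": offset,
              "issue_time_ok": abs(offset) <= skew.total_seconds()}
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is not None and max_auth_age is not None:
        # Assumed rule: the IdP login must be no older than max_auth_age.
        age = engine_now - parse_instant(stmt.attrib["AuthnInstant"])
        result["auth_age_ok"] = age <= max_auth_age
    return result


if __name__ == "__main__":
    # Constructed Engine time: 5 min 30 s behind the IdP timestamp in SAMPLE.
    engine_now = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    print(check_response(SAMPLE, engine_now, max_auth_age=timedelta(minutes=30)))
```

An offset larger than the configured skew points to a clock problem on one side, which is better fixed with NTP than by widening the window, since a wider skew also lengthens the period in which a response is accepted.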
Related Articles
The following articles may provide more or related information:
- Delphix Documentation - Configuring Single Sign-on
- Delphix Knowledge Base - Authentication Statement is Too Old to be Used Error Occurs During SSO Login When Engine Configured in Data Control Tower (formerly Central Management) (KBA6966)