Delphix

Engine User Login Fails With "400 BAD_REQUEST" and "Issue time is either too old or in the future" When SSO is Enabled (KBA7706)

 

 


KBA# 7706

 

Issue

In Environments configured to use Single Sign-On (SSO) authentication for Engine users, the following event may be encountered during a login attempt:

Error

Status    400 BAD_REQUEST
Error     Bad Request
Message   Validation Errors: 1. Issue time is either too old or in the future: <date and timestamp>


This behavior will affect all Admin users, though System Setup will still be accessible for Sysadmin users.

Prerequisites

This event will only occur in SSO-enabled Engines (either via explicit SSO configuration or via Delphix Data Control Tower (DCT)).

Engine configurations using local authentication only would not be expected to encounter this behavior.

Applicable Delphix Versions

Major Release   All Sub Releases
6.0             6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0
5.3             5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

Resolution

The error is ultimately the result of a time difference between the affected Engine(s) and the user-configured IdP. This can occur when an Engine does not use NTP, when the IdP and/or Engine NTP server configurations are incorrect or not functional, or after a system time change on the Engine.

To correct this issue, the Engine time should be compared with the IdP and adjusted accordingly. If NTP is not in use, it is strongly recommended to enable this as a proactive measure to prevent excessive time drift.

Modifications to the Engine time, either by manually changing the system time or by updating the NTP server, will temporarily interrupt the GUI and CLI interfaces as the software services are restarted. This will not impact running VDBs, and the GUI will indicate this when the configuration change is committed.

Additionally, consider increasing the allowable time drift / skew in the Engine. The default SSO time drift / skew allowed by the Delphix Engine IdP configuration is 2 minutes. In Delphix Engine versions 6.0.7.0 and later, this can be modified in the Authentication configuration interface under System Setup. In this panel, expanding the Advanced drop-down exposes the following parameters:

Response skew time - maximum allowable time difference between SAML response and Engine current time.

Maximum age of IdP authentication - allowable time in the past to accept authentication to the IdP.
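
The two Advanced parameters above, applied to a captured SAML response as an added diagnostic example. This is not Delphix code: the function names, the constructed sample response, the maximum-age value, and the mapping of the parameters to the IssueInstant and AuthnInstant attributes are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RESPONSE_SKEW = timedelta(minutes=2)   # default stated in this article
MAX_AUTHN_AGE = timedelta(hours=2)     # assumed sample value, not a documented default

# Constructed sample response (not captured from a real IdP).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:30:00Z"/>
 </saml:Assertion>
</samlp:Response>"""

def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_times(xml_text, engine_now, skew=RESPONSE_SKEW, max_age=MAX_AUTHN_AGE):
    """Return findings for the two time checks; an empty list means both pass.

    Diagnostic only: no signature validation. Parse only responses you captured
    yourself; the stdlib parser is not hardened against hostile XML.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Response skew time: |Engine clock - IssueInstant| must stay within the skew.
    drift = (engine_now - parse_instant(root.attrib["IssueInstant"])).total_seconds()
    if abs(drift) > skew.total_seconds():
        side = "too old" if drift > 0 else "in the future"
        findings.append(f"issue time {side} by {abs(drift):.0f}s")
    # Maximum age of IdP authentication: AuthnInstant may not be older than max_age.
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is not None:
        age = (engine_now - parse_instant(stmt.attrib["AuthnInstant"])).total_seconds()
        if age > max_age.total_seconds():
            findings.append(f"IdP authentication too old by {age - max_age.total_seconds():.0f}s")
    return findings

if __name__ == "__main__":
    issued = parse_instant("2024-01-01T12:00:00Z")
    for offset in (60, 300, -300, 3 * 3600):   # Engine clock minus IdP clock, seconds
        print(offset, check_times(SAMPLE, issued + timedelta(seconds=offset)))
```

An Engine clock behind the IdP produces the "in the future" case and a clock ahead produces "too old". Widening the skew also lengthens the window in which a captured response is still accepted, so correcting the clock is the preferred fix.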
